Hi everyone,
I’m running Istio 1.7.4 and faced with an unexpected behavior while calling the internal auth service in order to validate jwt token.
I applied lua filter to all inbound HTTP traffic and calling auth service within a mesh, but got 403 w/o any errors/warnings in istio-gateway log (request reached the auth service sidecar)
EnvoyFilter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: jwt-filter
namespace: istio-system
spec:
workloadSelector:
labels:
app: istio-ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua # MUST NOT CHANGE
typed_config:
"@type": type.googleapis.com/envoy.config.filter.http.lua.v2.Lua
inlineCode: |
function envoy_on_request(request_handle)
local jwtServiceHeaders = {
[":method"] = "POST",
[":path"] = "/filter",
[":authority"] = "jwt-token"
}
for key, value in pairs(request_handle:headers()) do
jwtServiceHeaders[key] = value
request_handle:logInfo("headers " .. key .. ' --> ' .. value)
end
local headers, body = request_handle:httpCall(
"outbound|80||auth-srv.auth.svc.cluster.local",
jwtServiceHeaders,
"",
2000)
request_handle:logInfo("response status " .. headers[":status"])
if headers[":status"] ~= "200" then
request_handle:logErr("Auth failed: status=" .. headers[":status"] )
request_handle:respond(
{[":status"] = headers[":status"]},
response_body
)
return
end
end
VirtualService:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: auth-virtualservice
namespace: auth
spec:
hosts:
- auth-srv.auth.svc.cluster.local
http:
- name: "api-gateway"
route:
- destination:
host: auth-srv.auth.svc.cluster.local
port:
number: 80
exportTo:
- "*"
Did I miss something? Would appreciate any comments/suggestion.