Internal auth with lua filter

Hi everyone,
I’m running Istio 1.7.4 and faced with an unexpected behavior while calling the internal auth service in order to validate jwt token.
I applied lua filter to all inbound HTTP traffic and calling auth service within a mesh, but got 403 w/o any errors/warnings in istio-gateway log (request reached the auth service sidecar)
EnvoyFilter:

apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: jwt-filter
      namespace: istio-system
    spec:
      workloadSelector:
    labels:
      app: istio-ingressgateway
      configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua # MUST NOT CHANGE
          typed_config:
            "@type": type.googleapis.com/envoy.config.filter.http.lua.v2.Lua
            inlineCode: |
              function envoy_on_request(request_handle)
                local jwtServiceHeaders = {
                    [":method"] = "POST",
                    [":path"] = "/filter",
                    [":authority"] = "jwt-token"
                }
                for key, value in pairs(request_handle:headers()) do
                  jwtServiceHeaders[key] = value
                  request_handle:logInfo("headers " .. key .. ' --> ' .. value)
                end 
                
                
                local headers, body = request_handle:httpCall(
                  "outbound|80||auth-srv.auth.svc.cluster.local",
                  jwtServiceHeaders,
                  "",
                  2000)
                request_handle:logInfo("response status " .. headers[":status"])
                if headers[":status"] ~= "200" then
                  request_handle:logErr("Auth failed: status=" .. headers[":status"] )
                  request_handle:respond(
                                  {[":status"] = headers[":status"]},
                                  response_body
                          )
                  return
                end
              end

VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: auth-virtualservice
  namespace: auth
spec:
  hosts:
  - auth-srv.auth.svc.cluster.local
  http:
  - name: "api-gateway"
    route:
    - destination:
        host: auth-srv.auth.svc.cluster.local
        port:
          number: 80
  exportTo:
    - "*"

Did I miss something? Would appreciate any comments/suggestion.

1 Like