OK, I’ve got it working, but only in a very specific state. Using the following command I was able to verify the applied config:
istioctl proxy-config listener istio-ingressgateway-N -n istio-system -o json
Working config:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: tagger
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ip_tagging
        config:
          request_type: INTERNAL
          ip_tags:
          - ip_tag_name: GOTCHA
            ip_list:
            - address_prefix: 0.0.0.1
It seems I have to pick either envoy.router, envoy.cors or envoy.fault. I’m not able to INSERT_AFTER envoy.router and ADD just doesn’t work.
This seems really strange!
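
One way to check where the patched filter landed in the JSON that the istioctl command above prints, as an added example that is not part of the original post. The function names and the sample dump are constructed for illustration. The script assumes each listener carries `filterChains[].filters[]` with the HTTP filter list under `typedConfig.httpFilters` or the older `config.http_filters`.

```python
import json
import sys

HCM = "envoy.http_connection_manager"

# Constructed sample, trimmed to the fields the check reads; a real dump is far larger.
SAMPLE_DUMP = json.dumps([{
    "name": "0.0.0.0_80",
    "filterChains": [{"filters": [{
        "name": HCM,
        "typedConfig": {"httpFilters": [
            {"name": "envoy.cors"},
            {"name": "envoy.fault"},
            {"name": "envoy.ip_tagging"},
            {"name": "envoy.router"},
        ]},
    }]}],
}])


def http_filter_chains(dump_text):
    """Yield (listener name, [HTTP filter names]) for every connection manager."""
    for listener in json.loads(dump_text):
        for chain in listener.get("filterChains", []):
            for net_filter in chain.get("filters", []):
                if net_filter.get("name") != HCM:
                    continue
                # Assumed layouts: typedConfig (camelCase) or legacy config (snake_case).
                cfg = net_filter.get("typedConfig") or net_filter.get("config") or {}
                http_filters = cfg.get("httpFilters") or cfg.get("http_filters") or []
                yield listener.get("name", "?"), [f.get("name") for f in http_filters]


def check_patch(dump_text, wanted="envoy.ip_tagging", terminal="envoy.router"):
    """Return one (listener, status) pair per connection manager found."""
    results = []
    for name, filters in http_filter_chains(dump_text):
        if wanted not in filters:
            status = "missing"        # patch was not applied to this listener
        elif terminal in filters and filters.index(wanted) > filters.index(terminal):
            status = "after-router"   # envoy.router is the terminal HTTP filter
        else:
            status = "ok"
        results.append((name, status))
    return results


if __name__ == "__main__":
    # Pass a file holding the saved istioctl JSON output, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for listener, status in check_patch(text):
        print(f"{listener}: {status}")
```

A `missing` result on a gateway listener means the EnvoyFilter match did not select that filter chain, which is the first thing to rule out when a patch operation appears to do nothing.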