Istio custom authorizationPolicy retry config

We are currently using the ext_authz filter with OPA in order to secure access to our system. We would like to move to AuthorizationPolicy so that we can stop maintaining our filter for ongoing Envoy versions.

What I couldn’t find and would need in order to migrate is configuration for retry parameters. In the past we found that adjusting these greatly increased the reliability of the system under conditions like node terminations.

Is there a workaround or have I missed something here?

What I couldn’t find and would need in order to migrate is configuration for retry parameters.
Could you clarify a little bit what retry parameter you are referring to? AFAIK, the ext_authz filter does not support the retry in its API?

We use a filter configured like so:

    value:
      name: "envoy.filters.http.ext_authz"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
        transport_api_version: V3
        grpc_service:
          envoy_grpc:
            cluster_name: ''
          timeout: 15.000s
          initial_metadata:
            - key: x-envoy-retry-on
              value: "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,5xx,retriable-status-codes"
            - key: x-envoy-max-retries
              value: "5"
            - key: x-envoy-upstream-rq-per-try-timeout-ms
              value: "7000"

Ah, I see, that’s an interesting configuration, the retry is supported by core Envoy instead of inside the ext-authz filter itself: Router — envoy 1.19.0-dev-a058c6 documentation

Unfortunately this is currently not supported for configuring the initial_metadata field from the extension provider. One workaround is to use EnvoyFilter to manually set it, this is obviously a workaround but note it is still much simpler than adding a full ext-authz filter with EnvoyFilter.

You only need to configure the specific initial_metadata field in the EnvoyFilter, the ext-authz filter and other fields can still be configured by the extension provider.

See HTTP body missing from gRPC ExternalAuthorization provider CheckRequest · Issue #31182 · istio/istio · GitHub for an example of this.
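As an added illustration of the workaround described above (not a manifest from this thread or from the Istio project), the EnvoyFilter below merges only the initial_metadata retry headers into the ext_authz filter that the extension provider already installs; the resource name is constructed, and it assumes Istio names the provider's filter envoy.filters.http.ext_authz and that placing the filter in the root namespace applies it mesh-wide.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-retry-metadata      # constructed name
  namespace: istio-system             # assumed root namespace: applies to every sidecar; add a workloadSelector to narrow it
spec:
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
              subFilter:
                # assumed: the name Istio gives the ext_authz filter created from the extension provider
                name: envoy.filters.http.ext_authz
      patch:
        # MERGE keeps the provider-generated fields (cluster_name, timeout, failure mode, ...)
        # and only adds the repeated initial_metadata entries below.
        operation: MERGE
        value:
          name: envoy.filters.http.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
            grpc_service:
              initial_metadata:
                # Same retry headers as the hand-written filter in the question; core Envoy's
                # router honours them on the gRPC check call to the authorization server.
                - key: x-envoy-retry-on
                  value: "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,5xx,retriable-status-codes"
                - key: x-envoy-max-retries
                  value: "5"
                - key: x-envoy-upstream-rq-per-try-timeout-ms
                  value: "7000"
```

After applying it, `istioctl proxy-config listener <pod> -o json` should show the ext_authz filter with both the provider-generated grpc_service fields and the merged initial_metadata entries; if the subFilter name does not match on your Istio version, the patch is silently skipped, so verify rather than assume.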