Is there a way to ignore a specific route from an Envoy filter?
In my case, I don't want to protect /status, in order to perform health checks.
My filter:
{{- if eq .Values.auth.enabled "true" }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: {{ .Values.componentId }}-oauth2
spec:
  workloadSelector:
    labels:
      app: {{ .Values.componentId }}
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        service: oauth
    patch:
      operation: ADD
      value:
        name: oauth
        dns_lookup_family: V4_ONLY
        type: LOGICAL_DNS
        connect_timeout: 10s
        lb_policy: ROUND_ROBIN
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            sni: {{ .Values.lb_identera.hostname }}
        load_assignment:
          cluster_name: oauth
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: {{ .Values.lb_identera.hostname }}
                    port_value: 443
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.oauth2
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2
          config:
            token_endpoint:
              cluster: oauth
              uri: https://{{ .Values.lb_identera.hostname }}/auth/realms/{{ .Values.auth.kc_realm }}
              timeout: 3s
            authorization_endpoint: https://{{ .Values.lb_identera.hostname }}/auth/realms/{{ .Values.auth.kc_realm }}
            redirect_uri: "https://%REQ(:authority)%/_oauth2_callback"
            redirect_path_matcher:
              path:
                exact: /_oauth2_callback
            signout_path:
              path:
                exact: /signout
            credentials:
              client_id: {{ .Values.auth.kc_client_id }}
              token_secret:
                name: token
                sds_config:
                  path: "/etc/istio/config/token-secret.yaml"
              hmac_secret:
                name: hmac
                sds_config:
                  path: "/etc/istio/config/hmac-secret.yaml"
{{- end }}
Any workaround will be appreciated.