Alternatively, I was not able to make the EnvoyFilter approach work. Can someone please confirm whether an EnvoyFilter works with Istio 1.9.8 or any other recent version, and share any links on the same?
Below is the EnvoyFilter I am using. It is not able to extract the claims and returns with the “LUA claims” log. Please let me know whether the EnvoyFilter is correct.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: lua-filter
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.jwt_authn"
patch:
operation: INSERT_AFTER
value:
name: envoy.filters.http.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
--- Envoy entry point for the request path.
-- Runs handle_request under pcall so that a Lua error inside it is logged
-- and the request keeps flowing instead of being failed by the filter.
-- @param request the Envoy request handle
function envoy_on_request(request)
  local succeeded, err = pcall(handle_request, request)
  if succeeded == false then
    -- Log the failure at two levels: a marker at info, the error at warn.
    request:logInfo(" pcall ")
    request:logWarn(err)
  end
  request:logInfo("Exit handle request OK")
end
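--- Issuer under which jwt_authn stores the verified payload in dynamic
-- metadata (the keys in that metadata are issuer strings, as the second
-- filter on this page also relies on). Placeholder: fill in the real issuer.
local ISSUER = "https://<keycloak domain>/identity/connect/auth/realms/<realm>"

--- Copies the JWT "iss" claim into an ISS request header.
-- Reads the payload that envoy.filters.http.jwt_authn placed in dynamic
-- metadata and forwards its iss claim upstream as the ISS header. If no
-- verified payload is present, the request is forwarded without an ISS
-- header, so the upstream can never see a client-supplied value.
-- @param request the Envoy request handle
function handle_request(request)
  request:logInfo("Enter handle request")
  local headers = request:headers()
  -- Strip any ISS header the client sent before anything else: the upstream
  -- must only ever receive a value derived from a validated token.
  headers:remove("ISS")
  local meta = request:streamInfo():dynamicMetadata()
  if not meta then
    request:logInfo("meta")
    return
  end
  -- jwt_authn publishes the payload under its own filter name; presumably
  -- only when payload_in_metadata is configured for the provider -- if this
  -- entry is missing, check the generated jwt_authn config first.
  local jwt_filter_meta = meta:get("envoy.filters.http.jwt_authn")
  if not jwt_filter_meta then
    request:logInfo("jwt_filter_meta")
    return
  end
  -- The original had a YAML-style "# issuer" comment on this line, which is a
  -- Lua syntax error ("--" is the Lua comment marker).
  local claims = jwt_filter_meta[ISSUER]
  if not claims then
    request:logInfo("LUA claims")
    return
  end
  local iss = claims["iss"]
  if not iss then
    request:logInfo("iss")
    return
  end
  -- replace() rather than add(): add() appends a second value, which would
  -- leave a spoofed client value ahead of the verified one.
  headers:replace("ISS", iss)
  request:logInfo("**********************LUA Exit handle_request")
end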
@jnitin we did exactly this, see below for how we figured it out:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: extract-jwt-info
namespace: istio-config
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
proxy:
proxyVersion: ^1\.9.*
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
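--- Issuer -> name of the claim to publish as jwt_client_name.
-- Keys must match the issuer strings jwt_authn uses when storing the
-- payload in dynamic metadata. Built once at load time rather than on
-- every request.
local CLAIM_TABLE = {
  -- ping and auth0 issuers and the claim that carries the client name
  ["https://sso.xxxxxx.com/"] = "https://ql.custom.openid.com/client_name",
  ["https://api.xxxxx.xxxxx.xxxxx"] = "client_id",
  ["https://sso.xxxxx.xxxx.com/"] = "https://ql.custom.openid.com/client_name",
  ["https://sso.xxxxx.xxxxx.com/"] = "https://ql.custom.openid.com/client_name",
  ["https://api.xxxx.xxxxx-np.xx.xx"] = "client_id",
  ["https://api.xxxx.xxxx-np.xxx.xx"] = "client_id",
}

--- Publishes the caller's client name from the verified JWT payload.
-- Looks up the jwt_authn payload in dynamic metadata under each known
-- issuer and stores the configured claim as
-- envoy.filters.http.lua/jwt_client_name for access logs and metrics.
-- The value is only as trustworthy as the jwt_authn verification that ran
-- earlier in the filter chain; nothing here re-validates it.
-- @param request_handle the Envoy request handle
function envoy_on_request(request_handle)
  local dyn_meta = request_handle:streamInfo():dynamicMetadata()
  local jwt_meta = dyn_meta:get("envoy.filters.http.jwt_authn")
  if not jwt_meta then
    return
  end
  -- A request carries one verified token, so at most one issuer key is
  -- expected. pairs() order is unspecified, which would only matter if
  -- several issuers were present at once.
  for issuer, claim_name in pairs(CLAIM_TABLE) do
    local claims = jwt_meta[issuer]
    if claims ~= nil then
      local client_name = claims[claim_name]
      -- NOTE(review): a token lacking the claim yields nil; skip the set
      -- rather than rely on how Envoy treats a nil metadata value.
      if client_name ~= nil then
        dyn_meta:set("envoy.filters.http.lua", "jwt_client_name", client_name)
      end
      break
    end
  end
end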
I then log it in envoy by adding this to the IstioOperator object: