I have an Envoy Lua HTTP filter at SIDECAR_INBOUND. The filter receives the token in the Authorization header, does the signVerify and checks the claim. The filter will further generate a new token, e.g. session-token, to be passed to the next service in the call chain, if any. E.g. talking of the bookinfo example:

Request (Auth token) -> Istio Ingressgateway -> Filter at productpage -> (new token "session-token") -> filter at details

The application code at details relies on the new token (session token) to allow code execution. Even though this is service-to-service communication, I need to have either the original authorization header or the newly generated header session-token to be available to the next service in the call chain.

I tried using the dynamic metadata API of Envoy Lua also, but it just forwards the header added in request-handle to make it available in response_handle only. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#dynamic-metadata-object-api

I am looking for some Envoy Lua filter mechanism to transparently propagate custom headers from service to service without modifying the application code.

Are you sure that the header is making it through the ingress gateway? Meaning, is the header getting stripped by the ingress gateway before the EnvoyFilter at productpage can copy it to a new value? Please share your Lua filter if possible.

Yes. I can see that header in Productpage filter…
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: custom-auth-productpage
  namespace: default
spec:
  workloadSelector:
    labels:
      app: productpage
      version: v1
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          # portNumber: 9080
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.wasm"
      patch:
        operation: INSERT_AFTER # Make it AFTER, if forwardOriginalToken: false in gateway jwt
        value: # lua filter specification
          name: envoy.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
            inlineCode: |
              uuid = (loadfile "/var/lib/lua/uuid.lua")() -- one-time load of the routines
              kjwt = (loadfile "/var/lib/lua/kjwt.lua")() -- "var.lib.lua.kjwt"
              function envoy_on_request(request_handle)
                local headers = request_handle:headers()
                local auth = headers:get("Authorization")
              end
```
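
The inbound handler described in the thread, as an added example that is not part of the original posts: it drops any caller-supplied session-token, fails closed on a bad Authorization header, and only then sets the header the application trusts. `kjwt.verify` and `kjwt.mint` are hypothetical names standing in for routines in the poster's own `kjwt.lua`, whose real API is not shown on the page.

```lua
-- Added example, not the poster's filter. Assumes the global `kjwt` was loaded
-- by the loadfile line in the EnvoyFilter above. kjwt.verify and kjwt.mint are
-- hypothetical names; the real API of kjwt.lua is not shown on the page.
local SESSION_HEADER = "session-token"

-- Extract the credential from "Bearer <token>"; nil for any other shape.
local function bearer_token(value)
  if value == nil then return nil end
  return value:match("^[Bb]earer%s+([%w%-_%.]+)$")
end

-- Fail closed: answer locally so the request never reaches the application.
local function reject(handle, reason)
  handle:logWarn("custom-auth: rejected request: " .. reason)
  handle:respond({[":status"] = "401", ["www-authenticate"] = "Bearer"}, "unauthorized")
end

function envoy_on_request(request_handle)
  local headers = request_handle:headers()

  -- The application trusts this header, so a copy sent by the caller must
  -- never survive; drop it before any other decision is made.
  headers:remove(SESSION_HEADER)

  local token = bearer_token(headers:get("Authorization"))
  if token == nil then
    return reject(request_handle, "missing or malformed Authorization header")
  end

  -- Hypothetical: returns the claims table, or nil plus an error string.
  local claims, err = kjwt.verify(token)
  if claims == nil then
    return reject(request_handle, "token verification failed: " .. tostring(err))
  end

  -- Hypothetical: builds the session token from the verified claims.
  headers:add(SESSION_HEADER, kjwt.mint(claims))
end
```

The header set here travels with this inbound request to the local application only; a call the application then makes to details is a separate outbound request.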