Virtual service request header addition size limit

1

I’m trying to raise the following virtual service

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-virtual-service
  namespace: example
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /app/
    rewrite:
      uri: /
    route:
    - destination:
        host: example-host
        port:
          number: 8000
      headers:
        request:
          add:
            X-SSL-Client-Certificate: '-----BEGIN%20CERTIFICATE-----%0AMIIC1..........%0A-----END%20CERTIFICATE-----%0A'

Without the header I can easily curl to my application but with the certificate as an header it fails.
If I change the value from the encoded certificate to example for example I get the value successfully in my logs Request has env of HTTP_X: HTTP_X_SSL_CLIENT_CERTIFICATE with value: example. I also get this warning that I bet it is related but it is an warning to an error: warning envoy config gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: field '20CERTIFICATE-----' not supported as custom header.

I need to pass the certificate as an header. Anyway to do so?

2

I have the same issue. If the header is too long, the virtual service is not activated.

I have noticed that if I change the header to a value that is too long, the active virtual service is what was configured previously, even if the kubernetes dashboard shows the new yaml, like istio is not not picking up the latest version. It feels like some error happens on activation and I have no idea how to debug it.

I deduct that the header being too long is the issue, but without debugging I can’t tell for sure that that’s the issue, instead of for example the presence of some characters in the header. (I used a url encoded header value representing a url for my use case).