I am trying to deploy Grafana with authentication controlled through app-identity-and-access-adapter. The issue is that the adapter adds an HTTP Authorization header on successful authentication, but Grafana is also looking for this same header and so rejects the request as a failed HTTP API request with {"message":"Invalid API key"}.
I have tried using an EnvoyFilter to strip the Authorization header as follows:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: grafana
namespace: monitoring
spec:
workloadSelector:
labels:
app: grafana
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 3000
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value: # lua filter specification
name: envoy.lua
config:
inlineCode: |
function envoy_on_request(request_handle)
local originalHeader = request_handle:headers():get("Authorization")
if originalHeader then
request_handle:headers():remove("Authorization")
end
end
but it doesn't seem to work. Printing all available headers using:
for key, value in pairs(request_handle:headers()) do
request_handle:logWarn("key:" .. key .. " <--> value:" .. value)
end
shows the header isn't present, but Grafana is clearly receiving it.
What could I be doing wrong?
Istio version: 1.4.5
