I am trying to apply an ext authz filter per route for my app, but it is failing. Below is the filter configuration.

Step 1. I applied the configuration below for the app, and all requests pass through the filter fine, but I want the filter to be disabled for a specific route path, so I am using step 2 as well.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: myFiltername
  namespace: myNamespace
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          failure_mode_allow: false
          http_service:
            authorization_request:
              allowed_headers:
                patterns:
                - exact: Authorization
            path_prefix: /mypath
            server_uri:
              cluster: outbound|8080||myClusterName
              timeout: 6s
              uri: myClusterName:8080
          with_request_body:
            allow_partial_message: true
            max_request_bytes: 8192
  workloadSelector:
    labels:
      app: myApp
```

Step 2. To disable the ext authz filter based on route or virtual service path. By passing the route name I do not see any difference after applying step 2, but when matching the merge operation with a header, calls made with the header bypass the filter but other calls fail with a 404 error.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: myFiltername-bypass
  namespace: myNamespace
spec:
  workloadSelector:
    labels:
      app: myApp
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      context: SIDECAR_INBOUND
      routeConfiguration:
        portNumber: 8080
        vhost:
          name: inbound|http|8080
          # I tried with route name from virtual service but not working as expected
    patch:
      operation: MERGE
      value:
        match:
          headers:
          - name: some-header
            present_match: true
          prefix: /
        typed_per_filter_config:
          envoy.filters.http.ext_authz:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            disabled: true
```
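
An added check, not part of the original post: a small Python lint over the two manifests above that compares the per-route override key with the name the filter was inserted under, and flags a `MERGE` patch that also carries a `match`. The dictionaries are constructed from the posted YAML and trimmed to the fields read here; `lint` and `merged_route_accepts` are hypothetical helper names, and the route-match model is a simplification (prefix plus required headers).

```python
# Constructed from the two EnvoyFilter manifests in the post, trimmed to the
# fields these checks read.
AUTHZ_FILTER = {"spec": {"configPatches": [{
    "applyTo": "HTTP_FILTER",
    "patch": {"operation": "INSERT_BEFORE",
              "value": {"name": "envoy.ext_authz"}}}]}}
BYPASS_FILTER = {"spec": {"configPatches": [{
    "applyTo": "HTTP_ROUTE",
    "match": {"routeConfiguration": {"vhost": {"name": "inbound|http|8080"}}},
    "patch": {"operation": "MERGE", "value": {
        "match": {"prefix": "/",
                  "headers": [{"name": "some-header", "present_match": True}]},
        "typed_per_filter_config": {
            "envoy.filters.http.ext_authz": {"disabled": True}}}}}]}}


def patches(doc, apply_to):
    return [p for p in doc["spec"]["configPatches"] if p["applyTo"] == apply_to]


def lint(filter_doc, route_doc):
    """Return findings for a per-route ext_authz override (hypothetical helper)."""
    findings = []
    names = {p["patch"]["value"]["name"] for p in patches(filter_doc, "HTTP_FILTER")}
    for p in patches(route_doc, "HTTP_ROUTE"):
        value = p["patch"]["value"]
        # Envoy documents that a typed_per_filter_config key should match the
        # configured name of the HTTP filter it overrides.
        for key in value.get("typed_per_filter_config", {}):
            if key not in names:
                findings.append(f"key-mismatch: {key!r} not in {sorted(names)}")
        # A MERGE that carries `match` changes which requests the existing
        # route accepts, instead of only attaching the per-route override.
        if p["patch"]["operation"] == "MERGE" and "match" in value:
            findings.append("merge-rewrites-match")
        vhost = p["match"]["routeConfiguration"].get("vhost", {})
        if "route" not in vhost:
            findings.append("no-route-selector: patch hits every route in vhost")
    return findings


def merged_route_accepts(route_match, path, headers):
    """Simplified model of a route match: prefix plus required headers."""
    required = [h["name"] for h in route_match.get("headers", [])]
    return path.startswith(route_match["prefix"]) and all(h in headers for h in required)


if __name__ == "__main__":
    for finding in lint(AUTHZ_FILTER, BYPASS_FILTER):
        print(finding)
```

Run against the posted manifests it reports all three findings; under the simplified model, a request without `some-header` no longer matches the merged route, which is consistent with the 404 responses described in step 2.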