0

I have a service-A that receives a header "Authorization" I want to pass this header for outbound calls to service-B. I set up an EnvoyFilter but the header is never added.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authorization-header
  namespace: acme
spec:
  workloadSelector:
    labels:
      app: acme-graphql
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_OUTBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_AFTER
        value:
          name: envoy.lua
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
            inlineCode: |
              function envoy_on_request(request_handle)
                  local headers = request_handle:headers()
                  local auth_header = headers:get("Authorization")
                  if auth_header ~= nil then
                      request_handle:headers():add("Authorization", auth_header)
                  end
              end

I tried INSERT_AFTER and INSERT_BEFORE, MERGE operations, and namespace: istio-system but with no luck. Also, to note that I am trying to pass the header to ext-authz. The requests make it to ext-authz but with no header. I do have in my meshconfig includeRequestHeadersInCheck = ["Authorization"]. If I force acme-graphql to put header["Authorization"] the ext-authz service does contain the header so I know the meshConfig is working.

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
spec:
  selector:
    matchLabels:
      app: acme-backend
  action: CUSTOM
  provider:
    name: acme-ext-authz
  rules:
    - {}
slik
  • 5,001
  • 6
  • 34
  • 40
  • I don't think you can do this with the filters (or it would be fairly complex). This could (theoretically) work if you capture the authorization header on SIDECAR_INBOUND, store it somewhere, and then attach it back in the SIDECAR_OUTBOUND. An easier way would be to configure your service-a service to propagate the request headers when making requests to service-b (just like you have to do for trace context). – peterj Jul 31 '23 at 23:17
  • Thanks. Yeah, I have the service now propagating certain headers. I was trying to figure out if there was a way to do this with filters. – slik Aug 03 '23 at 08:45

0 Answers0