Reputation: 84
Hi guys, I'm having a problem with setting up an external auth system on my local node with minikube and Istio. I have already set up two deployments: one is helloworld and the other one is auther. What I want is to authorize all of the requests to the /hello route by sending the request to the /auther route, which will connect to the auther service, and if specific headers are set (like a JWT token in Authorization) then return a 200 status, or a 401 status if nothing is set. I tried to use this config file, which is using an Envoy ext auth filter, but nothing is working. Although all the requests passed to /hello are getting 403, it's not sending any request to my auther service. Here is my config for the Envoy ext-auth filter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-auth
  # namespace: istio-system
  namespace: default
spec:
  workloadSelector:
    labels:
      app: helloworld
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 5000
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        #name: envoy.filters.http.ext_authz
        name: envoy.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
          http_service:
            server_uri:
              uri: http://auther.default.svc.cluster.local:3000
              cluster: outbound|3000||auther.default.svc.cluster.local
              timeout: 3s
            # authorizationRequest:
            #   allowedHeaders:
            #     patterns:
            #     - exact: "cookie"
Upvotes: 0
Views: 1231
Reputation: 5633
Your configuration applies to every sidecar, including the auther's sidecar. So the forwarded traffic from the helloworld is denied as well.
Just set the filter to apply only on your gateway. Set the context to GATEWAY and set allowedHeaders for request and response, so authorized requests can pass.
Here is an example configuration:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz"
          http_service:
            server_uri:
              uri: http://auther.default.svc.cluster.local
              cluster: outbound|4180||auther.default.svc.cluster.local
              timeout: 1.5s
            authorizationRequest:
              allowedHeaders:
                patterns:
                - exact: "cookie"
                - exact: "authorization"
                - ....
            authorizationResponse:
              allowedClientHeaders:
                patterns:
                - exact: "set-cookie"
                - exact: "authorization"
                - ....
              allowedUpstreamHeaders:
                patterns:
                - exact: "set-cookie"
                - exact: "authorization"
                - ....
Let me know if you need further assistance!
Upvotes: 3
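As an added illustration for both the question's flow (200 when a valid JWT is in Authorization, 401 otherwise) and the answer's allowedHeaders point, here is a minimal auther service written for this page; it is not code from either poster. Envoy's ext_authz HTTP mode forwards only the headers listed under allowedHeaders to the auth service, treats a 200 response as "allow" and any other status as "deny", and passes back only the response headers listed under allowedClientHeaders / allowedUpstreamHeaders. The HS256 shared secret, the x-auth-subject upstream header and the port 3000 are assumptions (the port is taken from the question's cluster name); the JWT verification uses only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Shared HMAC secret for HS256 tokens. Constructed placeholder for this example;
# a real auther would load it from a Kubernetes Secret, never hard-code it.
HS256_SECRET = b"demo-shared-secret-change-me"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if token is a correctly signed, unexpired HS256 JWT, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token's own "alg" field choose the verifier
    # (this is what blocks "alg: none" and RS256/HS256 confusion tokens).
    if header.get("alg") != "HS256" or header.get("typ", "JWT") != "JWT":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return payload


def authorize(headers: dict) -> tuple:
    """Decide an ext_authz check request: (200, headers) = allow, (401, headers) = deny."""
    # Envoy forwards only the headers listed under allowedHeaders, so the auth
    # service must rely on exactly those (here: authorization).
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, {"www-authenticate": 'Bearer realm="hello"'}
    claims = verify_hs256_jwt(token.strip(), HS256_SECRET)
    if claims is None:
        return 401, {"www-authenticate": 'Bearer error="invalid_token"'}
    # Hypothetical header handed to the upstream; it reaches helloworld only if
    # it is listed under allowedUpstreamHeaders in the EnvoyFilter.
    return 200, {"x-auth-subject": str(claims.get("sub", ""))}


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a token for testing; the auther itself only verifies, it never issues."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"


class AutherHandler(BaseHTTPRequestHandler):
    """Minimal ext_authz HTTP endpoint; Envoy mirrors the client's method, so handle them all."""
    def _check(self):
        status, extra = authorize(dict(self.headers))
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _check


if __name__ == "__main__":
    # Port 3000 matches the cluster name in the question's EnvoyFilter.
    HTTPServer(("0.0.0.0", 3000), AutherHandler).serve_forever()
```

Run it as the auther container and point the EnvoyFilter's server_uri/cluster at port 3000; a request to /hello without a Bearer token then comes back 401, and a request carrying a token signed with the shared secret is forwarded to helloworld. Because the decision depends on the authorization header, that header must appear under allowedHeaders or the auther never sees it and denies everything, which matches the symptom in the question.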