我正在尝试通过通过Grafana控制的身份验证来部署app-identity-and-access-adapter。问题在于适配器在成功进行身份验证时会添加HTTP授权标头,但是Grafana也在寻找相同的标头,因此将请求拒绝为带有{"message":"Invalid API key"}的HTTP API请求。
我尝试使用EnvoyFilter剥离如下所示的Authorization标头:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: grafana
namespace: monitoring
spec:
workloadSelector:
labels:
app: grafana
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 3000
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value: # lua filter specification
name: envoy.lua
config:
inlineCode: |
function envoy_on_request(request_handle)
local originalHeader = request_handle:headers():get("Authorization")
if originalHeader then
request_handle:headers():remove("Authorization")
end
end
但是它似乎不起作用。使用以下命令打印所有可用的标题:
for key, value in pairs(request_handle:headers()) do
request_handle:logWarn("key:" .. key .. " <--> value:" .. value)
end
显示标题不存在,但是Grafana显然正在接收它。
我做错了什么?
Istio版本:1.4.5