我正在尝试将 EnvoyFilter (istio 1.8.3) 应用于专用命名空间中的特定部署 我找到了一种将其应用于所有传入流量的方法,但不适用于 1 个特定应用程序 这是所有流量的有效解决方案
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-api-extauth
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ilbgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
http_service:
server_uri:
cluster: outbound|80||auth-server.public-api-poc.svc.cluster.local
uri: http://auth-server.public-api-poc.svc.cluster.local
timeout: 0.25s
failure_mode_allow: false
authorizationRequest:
allowedHeaders:
patterns:
- exact: "authorization"
我尝试了 SNI 并将 EnvoyFilter 部署到应用程序命名空间,并设置集群 - 无济于事
这是最后一次尝试
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: filter-mtapi-extauth
namespace: public-api-poc
spec:
workloadSelector:
labels:
role: api
configPatches:
- applyTo: VIRTUAL_HOST
match:
routeConfiguration:
name: "inbound|5000||"
vhost:
name: "public.api.dev.poc.net:443"
route:
name: "default"
patch:
operation: INSERT_FIRST
value:
name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
http_service:
server_uri:
cluster: outbound|80||auth-server.public-api-poc.svc.cluster.local
uri: http://auth-server.public-api-poc.svc.cluster.local
timeout: 0.25s
failure_mode_allow: false
authorizationRequest:
allowedHeaders:
patterns:
- exact: "authorization"
所以区别在于 match 块。
如何将 EnvoyFilter 指向特定命名空间中的特定部署?
我已经检查了应用程序 pod 的转储配置,我看到了修补的路由和集群 但是身份验证仍然不起作用