How to remove HTTP request header using Istio EnvoyFilter

2/26/2020

I am trying to deploy Grafana with authentication controlled through app-identity-and-access-adapter. The issue is that the adapter adds an HTTP Authorization header on successful authentication, but Grafana is also looking for this same header and so rejects the request as a failed HTTP API request with {"message":"Invalid API key"}.

I have tried using an EnvoyFilter to strip the Authorization header as follows:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: grafana
  namespace: monitoring
spec:
  workloadSelector:
    labels:
      app: grafana
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 3000
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        config:
          inlineCode: |
            function envoy_on_request(request_handle)
                local originalHeader = request_handle:headers():get("Authorization")
                if originalHeader then
                  request_handle:headers():remove("Authorization")
                end
            end

but it doesn't seem to work. Printing all available headers using:

for key, value in pairs(request_handle:headers()) do
  request_handle:logWarn("key:" .. key .. " <--> value:" .. value)
end 

shows the header isn't present, but Grafana is clearly receiving it.

What could I be doing wrong?

Istio version: 1.4.5

-- dippynark
envoyproxy
ibm-appid
istio
kubernetes
openid-connect

0 Answers