envoy
Is it possible to select an endpoint by metadata whose namespace is not `envoy.lb`?
The client will send HTTP requests to my Envoy with a cookie, containing a JWT. With the jwt filter, I can put the payload of JWT into the metadata of Envoy.
The payload looks like this:
```
{
  ...
  role: loginUser
  ...
}
```
And here is the config of JWT:
```yaml
# fragment: HTTP filter chain
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      sso_jwt_provider:
        local_jwks:
          filename: /conf/envoy/jwks.json
        from_headers:
        - name: my-authorization
          value_prefix: "Bearer "
        forward: true
        payload_in_metadata: jwt_payload
    requirement_map:
      general: {provider_name: sso_jwt_provider}
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# fragment: route configuration
route_config:
  name: local_route
  virtual_hosts:
  - name: exception_service
    domains: ["*"]
    routes:
    - match:
        prefix: "/"
        dynamic_metadata:
        - filter: envoy.filters.http.jwt_authn
          path:
          - key: jwt_payload
          - key: role
          value:
            string_match:
              exact: "loginUser"
      route:
        cluster: service_addmachine
        timeout: 5s
      metadata:
        filter_metadata:
          envoy.lb:
            canary: 0
      typed_per_filter_config:
        envoy.filters.http.jwt_authn:
          "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
          "requirement_name": general
    - match:
        prefix: "/"
        dynamic_metadata:
        - filter: envoy.filters.http.jwt_authn
          path:
          - key: jwt_payload
          - key: role
          value:
            string_match:
              exact: "grayLoginUser"
      route:
        cluster: service_addmachine
        timeout: 5s
      metadata:
        filter_metadata:
          envoy.lb:
            canary: 1
      typed_per_filter_config:
        envoy.filters.http.jwt_authn:
          "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
          "requirement_name": general

# fragment: cluster definition
clusters:
- name: service_addmachine
  connect_timeout: 30s
  type: STATIC
  lb_policy: ROUND_ROBIN
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      upstream_http_protocol_options:
        auto_sni: true
      common_http_protocol_options:
        idle_timeout: 3600s
      explicit_http_config:
        http_protocol_options: {}
  lb_subset_config:
    fallback_policy: DEFAULT_SUBSET
    default_subset:
      canary: 0
    subset_selectors:
    - keys:
      - canary
  load_assignment:
    cluster_name: service_addmachine
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 127.0.0.1
              port_value: 20000
        metadata:
          filter_metadata:
            envoy.lb:
              canary: 1
      - endpoint:
          address:
            socket_address:
              address: 127.0.0.1
              port_value: 20001
        metadata:
          filter_metadata:
            envoy.lb:
              canary: 0
```
As I understand it, after passing through the jwt_authn filter, the payload of the JWT will be injected into the metadata.
However, it doesn't seem to work as expected. It gave me an NR error, which means NoRouteFound.
Did I misunderstand something about dynamic_metadata?
cc @taoxuy @lizan
duplicated issue: https://github.com/envoyproxy/envoy/issues/34111
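An offline model of the lookup the two routes above ask for, added here as an example (it is not Envoy's code and not part of the original issue). It assumes the documented metadata shape for `payload_in_metadata` (namespace `envoy.filters.http.jwt_authn`, key `jwt_payload`); `lookup`, `select_route` and `jwt_metadata` are hypothetical helper names.

```python
"""Model of route-level dynamic_metadata matching for the config above."""

# The two routes from the issue, reduced to their matcher and the envoy.lb
# value attached to each route.
ROUTES = [
    {"filter": "envoy.filters.http.jwt_authn",
     "path": ["jwt_payload", "role"], "exact": "loginUser", "canary": 0},
    {"filter": "envoy.filters.http.jwt_authn",
     "path": ["jwt_payload", "role"], "exact": "grayLoginUser", "canary": 1},
]


def lookup(dynamic_metadata, filter_name, path):
    """Walk namespace -> path keys; return None if any step is missing."""
    node = dynamic_metadata.get(filter_name)
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def select_route(dynamic_metadata):
    """Return the first route whose matcher is satisfied, else None.

    None corresponds to the NR (no route found) response flag.
    """
    for route in ROUTES:
        value = lookup(dynamic_metadata, route["filter"], route["path"])
        # string_match.exact only matches string values, case-sensitively.
        if isinstance(value, str) and value == route["exact"]:
            return route
    return None


def jwt_metadata(payload):
    """Metadata shape assumed for payload_in_metadata: jwt_payload."""
    return {"envoy.filters.http.jwt_authn": {"jwt_payload": payload}}


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real tokens.
    for md in (jwt_metadata({"role": "loginUser"}),
               jwt_metadata({"role": "grayLoginUser"}),
               jwt_metadata({"role": "admin"}),
               {}):  # metadata not populated when the route is matched
        route = select_route(md)
        print(md, "->", "NR" if route is None else f"canary={route['canary']}")
```

Both routes carry a `dynamic_metadata` matcher, so in this model any request whose metadata is empty or carries another role at match time falls through every route and ends as NR.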