RBAC: access denied with istio 1.7
Hi @dgn,
It seems this approach doesn't work with Istio 1.7. Perhaps you know some workarounds?
istioctl version
client version: 1.7.2
control plane version: 1.7.2
data plane version: 1.7.2 (18 proxies)
2020-09-30T22:50:57.346838Z debug envoy connection [C902] closing data_to_write=143 type=2
2020-09-30T22:50:57.346856Z debug envoy connection [C902] setting delayed close timer with timeout 1000 ms
2020-09-30T22:50:57.346866Z debug envoy pool [C3] response complete
2020-09-30T22:50:57.346871Z debug envoy pool [C3] destroying stream: 0 remaining
2020-09-30T22:50:57.346954Z debug envoy connection [C902] write flush complete
2020-09-30T22:50:57.347105Z debug envoy connection [C902] remote early close
2020-09-30T22:50:57.347119Z debug envoy connection [C902] closing socket: 0
2020-09-30T22:50:57.347188Z debug envoy conn_handler [C902] adding to cleanup list
2020-09-30T22:50:57.744347Z debug envoy main flushing stats
2020-09-30T22:50:58.289883Z debug envoy http [C747] new stream
2020-09-30T22:50:58.290086Z debug envoy http [C747][S6519292591854974172] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'
'cache-control', 'max-age=0'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
'sec-fetch-site', 'none'
'sec-fetch-mode', 'navigate'
'sec-fetch-user', '?1'
'sec-fetch-dest', 'document'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', '9ee7ff66-1a7f-41be-9c7c-40adf26298de'
'x-envoy-decorator-operation', 'appwebform-service.appwebform.svc.cluster.local:80/*'
'x-envoy-peer-metadata', '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'
'x-envoy-peer-metadata-id', 'router~172.30.216.33~istio-ingressgateway-86798dbff8-8fn8d.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'f3137deae108f6f2f3bb869c7f8c1468'
'x-b3-spanid', 'f3bb869c7f8c1468'
'x-b3-sampled', '0'
'content-length', '0'
2020-09-30T22:50:58.290123Z debug envoy http [C747][S6519292591854974172] request end stream
2020-09-30T22:50:58.290228Z debug envoy jwt Called Filter : setDecoderFilterCallbacks
2020-09-30T22:50:58.290351Z debug envoy jwt Called Filter : decodeHeaders
2020-09-30T22:50:58.290362Z debug envoy jwt Prefix requirement '/' matched.
2020-09-30T22:50:58.290374Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.290383Z debug envoy jwt origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.290389Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290403Z debug envoy jwt Called AllowMissingVerifierImpl.verify : verify
2020-09-30T22:50:58.290408Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.290413Z debug envoy jwt _IS_ALLOW_MISSING_: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.290416Z debug envoy jwt _IS_ALLOW_MISSING_: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290422Z debug envoy jwt Called Filter : check complete OK
2020-09-30T22:50:58.290474Z debug envoy filter AuthenticationFilter::decodeHeaders with config
policy {
peers {
mtls {
mode: PERMISSIVE
}
}
origins {
jwt {
issuer: "https://keycloak.example.com/auth/realms/istio"
}
}
origin_is_optional: true
principal_binding: USE_ORIGIN
}
skip_validate_trust_domain: true
2020-09-30T22:50:58.290500Z debug envoy filter [C747] validateX509 mode PERMISSIVE: ssl=true, has_user=true
2020-09-30T22:50:58.290505Z debug envoy filter [C747] trust domain validation skipped
2020-09-30T22:50:58.290509Z debug envoy filter Set peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.290518Z debug envoy filter Validating request path / for jwt issuer: "https://keycloak.example.com/auth/realms/istio"
2020-09-30T22:50:58.290524Z debug envoy filter No dynamic_metadata found for filter envoy.filters.http.jwt_authn
2020-09-30T22:50:58.290528Z debug envoy filter No dynamic_metadata found for filter jwt-auth
2020-09-30T22:50:58.290531Z debug envoy filter Origin authenticator failed
2020-09-30T22:50:58.290585Z debug envoy filter Saved Dynamic Metadata:
fields {
key: "source.namespace"
value {
string_value: "istio-system"
}
}
fields {
key: "source.principal"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
fields {
key: "source.user"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
2020-09-30T22:50:58.290668Z debug envoy rbac checking request: requestedServerName: outbound_.80_._.appwebform-service.appwebform.svc.cluster.local, sourceIP: 172.30.216.33:39150, directRemoteIP: 172.30.216.33:39150, remoteIP: 10.215.25.170:0,localAddress: 172.30.218.100:80, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'
'cache-control', 'max-age=0'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
'sec-fetch-site', 'none'
'sec-fetch-mode', 'navigate'
'sec-fetch-user', '?1'
'sec-fetch-dest', 'document'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-request-id', '9ee7ff66-1a7f-41be-9c7c-40adf26298de'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'f3137deae108f6f2f3bb869c7f8c1468'
'x-b3-spanid', 'f3bb869c7f8c1468'
'x-b3-sampled', '0'
'content-length', '0'
'x-envoy-internal', 'true'
'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/appwebform/sa/default;Hash=45344697d73a89b728012dc151ff07d6a20791833cf4b74a470e66f3aaf4cb45;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account'
, dynamicMetadata: filter_metadata {
key: "istio_authn"
value {
fields {
key: "source.namespace"
value {
string_value: "istio-system"
}
}
fields {
key: "source.principal"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
fields {
key: "source.user"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
}
}
2020-09-30T22:50:58.290696Z debug envoy rbac enforced denied
2020-09-30T22:50:58.290703Z debug envoy http [C747][S6519292591854974172] Sending local reply with details rbac_access_denied
2020-09-30T22:50:58.290759Z debug envoy http [C747][S6519292591854974172] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'x-envoy-peer-metadata', 'ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwo5CgxJTlNUQU5DRV9JUFMSKRonMTcyLjMwLjIxOC4xMDAsZmU4MDo6Y2M5OmJmZmY6ZmVjYzoxYzY4CvgCCgZMQUJFTFMS7QIq6gIKIQoDYXBwEhoaGGt1YmUta3ljLWRhdGFzZXQtd2ViZm9ybQopCgVjaGFydBIgGh5rdWJlLWt5Yy1kYXRhc2V0LXdlYmZvcm0tMS4wLjAKEgoIaGVyaXRhZ2USBhoESGVsbQoZCgxpc3Rpby5pby9yZXYSCRoHZGVmYXVsdAChFwb2QtdGVtcGxhdGUtaGFzaBIgo2NWM3NTVmNzhiCiUKB3JlbGVhc2USGhoYa3ViZS1reWMtZGF0YXNldC13ZWJmb3JtCiQKGXNlY3VyaXR5LmlzdGlvLmlvL3Rsc01vZGUSBxoFaXN0aW8KPQc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIaGhhrdWJlLWt5Yy1kYXRhc2V0LXdlYmZvcm0KKwojc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtcmV2aXNpb24SBBoCdjEKDwoHdmVyc2lvbhIEGgJ2MQoaCgdNRVNIX0lEEg8aDWNsdXN0ZXIubG9jYWwKPgTkFNRRI2GjRrdWJlLWt5Yy1kYXRhc2V0LXdlYmZvcm0tZGVwbG95bWVudC02NWM3NTVmNzhiLTJ2Y2toCicKCU5BTUVTUEFDRRIaGhhrdWJlLWt5Yy1kYXRhc2V0LXdlYmZvcm0KeAoFT1dORVISbxpta3ViZXJuZXRlczovL2FwaXMvYXBwcy92MS9uYW1lc3BhY2VzL2t1YmUta3ljLWRhdGFzZXQtd2ViZm9ybS9kZXBsb3ltZW50cy9rdWJlLWt5Yy1kYXRhc2V0LXdlYmZvcm0tZGVwbG95bWVudAocCg9TRVJWSUNFX0FDQ09VTlQSCRoHZGVmYXVsdAo2Cg1XTLTE9BRF9OQU1FEiUaI2t1YmUta3ljLWRhdGFzZXQtd2ViZm9ybS1kZXBsb3ltZW50'
'x-envoy-peer-metadata-id', 'sidecar~172.30.218.100~appwebform-deployment-65c755f78b-2vckh.appwebform~appwebform.svc.cluster.local'
'date', 'Wed, 30 Sep 2020 22:50:57 GMT'
'server', 'istio-envoy'
2020-09-30T22:50:58.290810Z debug envoy jwt Called Filter : onDestroy
2020-09-30T22:50:58.290816Z debug envoy filter Called AuthenticationFilter : onDestroy
2020-09-30T22:50:58.290946Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=12
2020-09-30T22:50:58.290975Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=6
2020-09-30T22:50:58.290981Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=10
2020-09-30T22:50:58.290987Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=14
2020-09-30T22:50:58.417910Z debug envoy http [C747] new stream
2020-09-30T22:50:58.418106Z debug envoy http [C747][S3780791924704176796] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/favicon.ico'
':method', 'GET'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8'
'sec-fetch-site', 'same-origin'
'sec-fetch-mode', 'no-cors'
'sec-fetch-dest', 'image'
'referer', 'https://appwebform.example.com/'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', 'c7030a4d-9d44-4395-a77a-7ce6c38789d7'
'x-envoy-decorator-operation', 'appwebform-service.appwebform.svc.cluster.local:80/*'
'x-envoy-peer-metadata', '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'
'x-envoy-peer-metadata-id', 'router~172.30.216.33~istio-ingressgateway-86798dbff8-8fn8d.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', '09ad482c28859c1617246f025f6a26b1'
'x-b3-spanid', '17246f025f6a26b1'
'x-b3-sampled', '0'
'content-length', '0'
2020-09-30T22:50:58.418129Z debug envoy http [C747][S3780791924704176796] request end stream
2020-09-30T22:50:58.418222Z debug envoy jwt Called Filter : setDecoderFilterCallbacks
2020-09-30T22:50:58.418322Z debug envoy jwt Called Filter : decodeHeaders
2020-09-30T22:50:58.418343Z debug envoy jwt Prefix requirement '/' matched.
2020-09-30T22:50:58.418356Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.418366Z debug envoy jwt origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.418372Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418378Z debug envoy jwt Called AllowMissingVerifierImpl.verify : verify
2020-09-30T22:50:58.418382Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.418387Z debug envoy jwt _IS_ALLOW_MISSING_: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.418390Z debug envoy jwt _IS_ALLOW_MISSING_: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418396Z debug envoy jwt Called Filter : check complete OK
2020-09-30T22:50:58.418444Z debug envoy filter AuthenticationFilter::decodeHeaders with config
policy {
peers {
mtls {
mode: PERMISSIVE
}
}
origins {
jwt {
issuer: "https://keycloak.example.com/auth/realms/istio"
}
}
origin_is_optional: true
principal_binding: USE_ORIGIN
}
skip_validate_trust_domain: true
2020-09-30T22:50:58.418468Z debug envoy filter [C747] validateX509 mode PERMISSIVE: ssl=true, has_user=true
2020-09-30T22:50:58.418496Z debug envoy filter [C747] trust domain validation skipped
2020-09-30T22:50:58.418508Z debug envoy filter Set peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.418520Z debug envoy filter Validating request path /favicon.ico for jwt issuer: "https://keycloak.example.com/auth/realms/istio"
2020-09-30T22:50:58.418540Z debug envoy filter No dynamic_metadata found for filter envoy.filters.http.jwt_authn
2020-09-30T22:50:58.418545Z debug envoy filter No dynamic_metadata found for filter jwt-auth
2020-09-30T22:50:58.418549Z debug envoy filter Origin authenticator failed
2020-09-30T22:50:58.418605Z debug envoy filter Saved Dynamic Metadata:
fields {
key: "source.namespace"
value {
string_value: "istio-system"
}
}
fields {
key: "source.principal"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
fields {
key: "source.user"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
2020-09-30T22:50:58.418686Z debug envoy rbac checking request: requestedServerName: outbound_.80_._.appwebform-service.appwebform.svc.cluster.local, sourceIP: 172.30.216.33:39150, directRemoteIP: 172.30.216.33:39150, remoteIP: 10.215.25.170:0,localAddress: 172.30.218.100:80, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'appwebform.example.com'
':path', '/favicon.ico'
':method', 'GET'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8'
'sec-fetch-site', 'same-origin'
'sec-fetch-mode', 'no-cors'
'sec-fetch-dest', 'image'
'referer', 'https://appwebform.example.com/'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-request-id', 'c7030a4d-9d44-4395-a77a-7ce6c38789d7'
'x-envoy-attempt-count', '1'
'x-b3-traceid', '09ad482c28859c1617246f025f6a26b1'
'x-b3-spanid', '17246f025f6a26b1'
'x-b3-sampled', '0'
'content-length', '0'
'x-envoy-internal', 'true'
'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/appwebform/sa/default;Hash=45344697d73a8928012dc151ff07d6a20791833cf4ba470e66f3aaf4cb45;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account'
, dynamicMetadata: filter_metadata {
key: "istio_authn"
value {
fields {
key: "source.namespace"
value {
string_value: "istio-system"
}
}
fields {
key: "source.principal"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
fields {
key: "source.user"
value {
string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
}
}
}
}
2020-09-30T22:50:58.418716Z debug envoy rbac enforced denied
2020-09-30T22:50:58.418723Z debug envoy http [C747][S3780791924704176796] Sending local reply with details rbac_access_denied
2020-09-30T22:50:58.418783Z debug envoy http [C747][S3780791924704176796] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'x-envoy-peer-metadata', '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'
'x-envoy-peer-metadata-id', 'sidecar~172.30.218.100~appwebform-deployment-65c755f78b-2vckh.appwebform~appwebform.svc.cluster.local'
'date', 'Wed, 30 Sep 2020 22:50:58 GMT'
'server', 'istio-envoy'
Trying to change the version here didn't help: https://github.com/dgn/oidc-filter/blob/master/example/envoyfilter.yaml#L11
It seems this is the root cause: https://istio.io/latest/news/releases/1.7.x/announcing-1.7/upgrade-notes/#envoyfilter-syntax-change
Thanks for the pointer! I'll look at 1.7 support soon
Managed to fix this by adding:
configuration:
  "@type": "type.googleapis.com/google.protobuf.StringValue"
  value: |
This example is sufficient to check:
k get EnvoyFilter -n istio-system tcp-stats-filter-1.7 -o yaml
Nice! Please feel free to submit a PR that updates support to 1.7
This should be fixed on master with #7
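For triaging sidecar debug logs like the one in the first post, the following added example (not code from the thread or from the oidc-filter project) groups the jwt, authn and rbac lines by HTTP stream and flags streams that RBAC denied while no bearer token was present. It assumes that the lines between two "request headers complete" entries belong to the earlier stream, as in the log above; the function names and the allowed stream `S111` are constructed for illustration.

```python
import re

# Constructed sample: lines trimmed from the debug log in this thread. The last
# stream (S111) is invented here to show a request that is allowed.
SAMPLE_LOG = """\
2020-09-30T22:50:58.290086Z debug envoy http [C747][S6519292591854974172] request headers complete (end_stream=true):
':path', '/'
2020-09-30T22:50:58.290389Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290509Z debug envoy filter Set peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.290696Z debug envoy rbac enforced denied
2020-09-30T22:50:58.418106Z debug envoy http [C747][S3780791924704176796] request headers complete (end_stream=true):
':path', '/favicon.ico'
2020-09-30T22:50:58.418372Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418716Z debug envoy rbac enforced denied
2020-09-30T22:51:00.000000Z debug envoy http [C748][S111] request headers complete (end_stream=true):
':path', '/'
2020-09-30T22:51:00.000100Z debug envoy jwt origins-0: JWT token verification completed with: OK
2020-09-30T22:51:00.000200Z debug envoy rbac enforced allowed
"""

STREAM = re.compile(r"envoy http \[C\d+\]\[S(\d+)\] request headers complete")
FIELDS = {
    "path": re.compile(r"^':path', '([^']*)'"),
    "jwt": re.compile(r"envoy jwt origins-\d+: JWT token verification completed with: (.+)$"),
    "peer": re.compile(r"envoy filter Set peer from X509: (\S+)"),
    "rbac": re.compile(r"envoy rbac enforced (allowed|denied)"),
}

def summarize(log_text):
    """Group the jwt/authn/rbac lines under the stream whose headers precede them."""
    streams, cur = {}, None
    for line in log_text.splitlines():
        m = STREAM.search(line)
        if m:
            cur = streams.setdefault(m.group(1), dict.fromkeys(FIELDS))
            continue
        if cur is None:
            continue  # lines before the first stream cannot be attributed
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m and cur[key] is None:  # keep the first value seen per stream
                cur[key] = m.group(1)
    return streams

def denied_without_token(streams):
    """Stream ids that RBAC denied while the jwt filter saw no bearer token."""
    return [sid for sid, s in streams.items()
            if s["rbac"] == "denied" and s["jwt"] == "Jwt is missing"]
```

On a busy proxy, lines from several connections interleave, so filter the log to one connection id (for example `[C747]`) before relying on the grouping.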