Is it possible to select endpoint by metadata whose namespace is not envoy.lb #34046

YvesZHI opened this issue May 9, 2024 · 2 comments

YvesZHI commented May 9, 2024

The client will send HTTP requests to my Envoy with a cookie containing a JWT. With the jwt filter, I can put the payload of the JWT into Envoy's metadata.

The payload looks like this:

{
    ...
    role: loginUser
    ...
}

And here is the config of JWT:

          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                sso_jwt_provider:
                  local_jwks:
                    filename: /conf/envoy/jwks.json
                  from_headers:
                  - name: my-authorization
                    value_prefix: "Bearer "
                  forward: true
                  payload_in_metadata: jwt_payload
              requirement_map:
                general: {provider_name: sso_jwt_provider}
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: exception_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                  dynamic_metadata:
                  - filter: envoy.filters.http.jwt_authn
                    path:
                    - key: jwt_payload
                    - key: role
                    value:
                      string_match:
                        exact: "loginUser"
                route:
                  cluster: service_addmachine
                  timeout: 5s
                metadata:
                  filter_metadata:
                    envoy.lb:
                      canary: 0
                typed_per_filter_config:
                  envoy.filters.http.jwt_authn:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
                    "requirement_name": general
              - match:
                  prefix: "/"
                  dynamic_metadata:
                  - filter: envoy.filters.http.jwt_authn
                    path:
                    - key: jwt_payload
                    - key: role
                    value:
                      string_match:
                        exact: "grayLoginUser"
                route:
                  cluster: service_addmachine
                  timeout: 5s
                metadata:
                  filter_metadata:
                    envoy.lb:
                      canary: 1
                typed_per_filter_config:
                  envoy.filters.http.jwt_authn:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
                    "requirement_name": general
  clusters:
  - name: service_addmachine
    connect_timeout: 30s
    type: STATIC
    lb_policy: ROUND_ROBIN
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        upstream_http_protocol_options:
          auto_sni: true
        common_http_protocol_options:
          idle_timeout: 3600s
        explicit_http_config:
          http_protocol_options: {}
    lb_subset_config:
      fallback_policy: DEFAULT_SUBSET
      default_subset:
        canary: 0
      subset_selectors:
      - keys:
        - canary
    load_assignment:
      cluster_name: service_addmachine
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 20000
          metadata:
            filter_metadata:
              envoy.lb:
                canary: 1
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 20001
          metadata:
            filter_metadata:
              envoy.lb:
                canary: 0

As I understand it, after passing through the jwt_authn filter, the payload of the JWT will be injected into the metadata.

However, it doesn't seem to work as expected. It gave me an NR error, which means NoRouteFound.

Did I misunderstand something about dynamic_metadata?

@YvesZHI YvesZHI added the triage Issue requires triage label May 9, 2024
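An added configuration note, not part of the issue thread or the reporter's config: Envoy resolves a request's route once and caches it, and the jwt_authn filter performs that route lookup (to find its `typed_per_filter_config`) before it writes the verified payload into dynamic metadata, so a route-level `dynamic_metadata` matcher on the payload is evaluated against metadata that does not exist yet. The `JwtProvider` message has a `clear_route_cache` field that forces a fresh route match after the payload has been written; the fragment below shows the reporter's provider with that field set.

```yaml
# Added fragment (not from the issue thread). Provider name, JWKS path,
# header name and metadata key are taken from the reporter's posted config.
providers:
  sso_jwt_provider:
    local_jwks:
      filename: /conf/envoy/jwks.json
    from_headers:
    - name: my-authorization
      value_prefix: "Bearer "
    forward: true
    payload_in_metadata: jwt_payload
    # Re-run route matching once the verified payload is in dynamic metadata,
    # so routes matching on jwt_payload.role are evaluated against it.
    clear_route_cache: true
```

Because the claim is only written after the JWKS signature check succeeds, route selection on `role` is driven by a verified token, not by a client-supplied header.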

phlax commented May 9, 2024

cc @TAOXUY @lizan

@phlax phlax added area/jwt_authn area/metadata and removed triage Issue requires triage labels May 9, 2024

YvesZHI commented May 16, 2024

Duplicate issue: #34111

@YvesZHI YvesZHI closed this as completed May 16, 2024