Ext_authz and lua filters in one filter chain #8250

Closed
vgsub opened this issue Sep 16, 2019 · 5 comments
Labels
question Questions that are neither investigations, bugs, nor enhancements

Comments

@vgsub

vgsub commented Sep 16, 2019

Hi guys,

I'm trying to add the ext_authz filter to an existing filter chain that already has a Lua filter. I've run into a problem: my auth filter is not invoked. If I change cluster_header to cluster in the routes config, ext_authz works. Is there any way to make them work together? I just want to invoke my auth service before further processing.

Here is my config snippet:

```yaml
filter_chains:
  - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
              - name: main
                domains: ["*"]
                routes:
                  - match:
                      prefix: "/"
                    route:
                      # The upstream cluster is read from the "cluster" request header
                      cluster_header: cluster
                      # hash_policy is a repeated field, so it is written as a list
                      hash_policy:
                        - header:
                            header_name: balancing-key
                    metadata:
                      filter_metadata:
                        envoy.lua:
                          default_cluster: some-cluster
          http_filters:
            - name: envoy.ext_authz
              typed_config:
                "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
                grpc_service:
                  envoy_grpc:
                    cluster_name: ext-authz
            - name: envoy.lua
              typed_config:
                "@type": type.googleapis.com/envoy.config.filter.http.lua.v2.Lua
                inline_code: some-code
```
@zuercher zuercher added the question Questions that are neither investigations, bugs, nor enhancements label Sep 16, 2019
@zuercher
Member

Is your config missing an envoy.router filter? (Or is it just not in your snippet?) Otherwise, I recommend enabling debug logging to see if that sheds any light on what's happening. I can't think of any reason why the ext_authz and lua filters wouldn't work in this configuration.

@vgsub
Author

vgsub commented Sep 17, 2019

Hi Stephan,

envoy.router is in my config. I solved my issue yesterday by moving the ext_authz filter after lua. So, my full filter chain is like: lua -> cors -> jwt -> ext_authz. It seems like a workaround though - executing lua code before authenticating seems like a little bit of overhead, but it's acceptable for us.

Also, I've attached a log where the ext_authz filter is on top of the filter chain. I'm not sure, but maybe if routes have cluster_header, envoy determines that lua should be executed first and then ext_authz is skipped because it's on top?

log_snippet.txt

@zuercher
Member

If you look at the "decode headers called" lines (which come after the filter is invoked), I believe ext_authz is being called before lua. It's just not doing anything. There is an if statement in that filter's decodeHeader implementation that skips work without logging if there's no route or cluster. Thus, if you have cluster_header: cluster in your config and use the lua filter to set the cluster header, then the ext_authz won't make an auth call.
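
The following check is an added example, not part of the thread or of Envoy: it lints a parsed HttpConnectionManager config for the ordering described in the comment above, where ext_authz sits before a lua filter while routes rely on cluster_header. The function names and the sample dicts are constructed for illustration, and the check assumes the lua filter is what sets the cluster header.

```python
# Added example: flag ext_authz placed ahead of a lua filter when routes use
# cluster_header. All function names here are hypothetical.

def uses_cluster_header(hcm):
    """True if any route picks its upstream cluster from a request header."""
    for vhost in hcm.get("route_config", {}).get("virtual_hosts", []):
        for route in vhost.get("routes", []):
            if "cluster_header" in route.get("route", {}):
                return True
    return False

def authz_ordering_findings(hcm):
    """Return warnings where ext_authz runs before a lua filter while routes
    rely on cluster_header (the header may not exist yet when ext_authz runs)."""
    names = [f.get("name") for f in hcm.get("http_filters", [])]
    if "envoy.ext_authz" not in names or not uses_cluster_header(hcm):
        return []
    authz = names.index("envoy.ext_authz")
    return [
        f"envoy.ext_authz (position {authz}) precedes envoy.lua (position {i}) "
        "and routes use cluster_header: the auth call may be skipped"
        for i, n in enumerate(names) if n == "envoy.lua" and i > authz
    ]

def make_hcm(filter_names, route_action):
    """Build a constructed, minimal config dict for the samples below."""
    return {
        "route_config": {"virtual_hosts": [{
            "name": "main", "domains": ["*"],
            "routes": [{"match": {"prefix": "/"}, "route": route_action}],
        }]},
        "http_filters": [{"name": n} for n in filter_names],
    }

# Constructed samples mirroring the thread: the reported order, the reordered
# chain, and the reported order with a static cluster instead of a header.
REPORTED = make_hcm(["envoy.ext_authz", "envoy.lua", "envoy.router"],
                    {"cluster_header": "cluster"})
REORDERED = make_hcm(["envoy.lua", "envoy.cors", "envoy.filters.http.jwt_authn",
                      "envoy.ext_authz", "envoy.router"],
                     {"cluster_header": "cluster"})
STATIC = make_hcm(["envoy.ext_authz", "envoy.lua", "envoy.router"],
                  {"cluster": "some-cluster"})

if __name__ == "__main__":
    for label, cfg in [("reported", REPORTED), ("reordered", REORDERED),
                       ("static cluster", STATIC)]:
        print(label, authz_ordering_findings(cfg) or "ok")
```

Because the skip happens without a log line, a check like this is most useful in config review or CI, before the listener is deployed.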

@vgsub
Author

vgsub commented Sep 18, 2019

Thanks for your answers, Stephan. I'll close the issue.

@vgsub vgsub closed this as completed Sep 18, 2019
@vgsub
Author

vgsub commented Sep 18, 2019

Issue is solved
