# Templated Istio networking resource. The applyTo/context/operation fields
# below are those of an EnvoyFilter; the kind line is not part of this excerpt.
# The {{...}} placeholders are filled in by a template renderer.
# NOTE(review): the leading numbers are listing line numbers; the gaps between
# them mean some keys and all indentation are missing from this view.
1 apiVersion: networking.istio.io/v1alpha3
4 name: {{.Name}}-outbound-filter
5 namespace: {{.Namespace}}
9 app.kubernetes.io/name: {{.Name}}
11 # The first patch adds the lua filter to the listener/http connection manager
12 - applyTo: HTTP_FILTER
# Limits the patch to the sidecar's outbound side, i.e. requests leaving the workload.
14 context: SIDECAR_OUTBOUND
# Match the HTTP connection manager network filter ...
18 name: "envoy.filters.network.http_connection_manager"
# ... and, inside it, the router HTTP filter, which serves as the insertion anchor.
20 name: "envoy.filters.http.router"
# The Lua filter goes ahead of the router, so it sees each request before it is forwarded.
22 operation: INSERT_BEFORE
# NOTE(review): {{.Realm}}, {{.Client}}, {{.Authenticator}}, {{.CaCrt}}, {{.TlsCrt}},
# {{.TlsKey}} and {{.Namespace}} are substituted into double-quoted Lua string
# literals in the inline script. Whether the renderer escapes them is not visible
# here; a value containing a double quote, backslash or newline would alter the
# script, so validate these inputs against a strict pattern before rendering.
23 value: # lua filter specification
26 "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
-- Envoy Lua request hook: for matching outbound requests, makes a side call to
-- the "jwt-proxy" authority and copies the returned authorization header onto
-- the request. Some lines of the function (then/end, the httpCall cluster, body
-- and timeout arguments) are not part of this excerpt.
28 function envoy_on_request(request_handle)
29 local uri = request_handle:headers():get(":path")
30 local method = request_handle:headers():get(":method")
-- NOTE(review): with "and", this branch is skipped for every POST and for every
-- request to the token path, whatever the method. If the intent is to skip only
-- the POST to the token endpoint, the test would be
-- method ~= "POST" or uri ~= "<token path>" -- confirm against the design.
-- ":path" also carries any query string, so the comparison is an exact match on
-- path plus query.
31 if (method ~= "POST" and uri ~= "/auth/realms/{{.Realm}}/protocol/openid-connect/token")
33 -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
34 local headers, body = request_handle:httpCall(
-- Request headers for the side call. They are rendered into the filter
-- configuration at template time, not read from the incoming request.
39 [":authority"] = "jwt-proxy",
40 ["realm"] = "{{.Realm}}",
41 ["client"] = "{{.Client}}",
42 ["authenticator"] = "{{.Authenticator}}",
-- NOTE(review): if caCrt/tlsCrt/tlsKey render to certificate or private-key
-- material rather than to a secret name or path, that material is stored in the
-- filter resource (readable by anyone who can read it or dump the sidecar
-- config) and is sent as a header on every side call, where access logs and
-- tracing may record it. Prefer passing a reference and letting jwt-proxy load
-- the secret itself -- confirm what these values hold.
43 ["caCrt"] = "{{.CaCrt}}",
44 ["tlsCrt"] = "{{.TlsCrt}}",
45 ["tlsKey"] = "{{.TlsKey}}",
46 ["ns"] = "{{.Namespace}}"
-- Only a response that carries an authorization header changes the request. In
-- the lines shown nothing handles its absence, so the request presumably
-- continues without a token -- confirm that upstreams reject it in that case.
50 if (headers["authorization"] ~= nil)
-- NOTE(review): add() appends a value; an authorization header already present
-- on the request is kept alongside the new one. replace() would overwrite it --
-- confirm which behaviour is intended.
52 request_handle:headers():add("authorization", headers["authorization"])
# Second patch, also scoped to the sidecar's outbound side. Its applyTo and
# operation lines are not part of this excerpt.
58 context: SIDECAR_OUTBOUND
61 value: # cluster specification
# Requests to this cluster are distributed across its endpoints in turn.
65 lb_policy: ROUND_ROBIN
# NOTE(review): presumably the cluster the Lua httpCall targets; the httpCall
# cluster argument is not visible here, so verify the names match. No
# transport_socket/TLS settings appear in this excerpt. If the side call is not
# covered by mesh mTLS or an explicit TLS context, the headers it carries
# (including caCrt/tlsCrt/tlsKey) and the returned authorization token cross
# the network in plaintext -- confirm.
67 cluster_name: jwt_cluster