2 # ============LICENSE_START=======================================================
3 # Copyright (C) 2022 Nordix Foundation.
4 # ================================================================================
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
17 # SPDX-License-Identifier: Apache-2.0
18 # ============LICENSE_END=========================================================
# Go-template manifest for an Istio networking resource named
# "<Name>-outbound-filter". It patches the sidecar's outbound HTTP filter
# chain with a Lua filter that asks a "jwt-proxy" host for a token and
# copies the returned authorization header onto the outgoing request.
# NOTE(review): {{.Realm}}, {{.Client}}, {{.Authenticator}} and
# {{.Namespace}} are substituted into Lua string literals as-is; they are
# presumably operator-supplied. Confirm they are validated before rendering.
20 apiVersion: networking.istio.io/v1alpha3
23 name: {{.Name}}-outbound-filter
24 namespace: {{.Namespace}}
28 app.kubernetes.io/name: {{.Name}}
30 # The first patch adds the lua filter to the listener/http connection manager
31 - applyTo: HTTP_FILTER
33 context: SIDECAR_OUTBOUND
37 name: "envoy.filters.network.http_connection_manager"
39 name: "envoy.filters.http.router"
# INSERT_BEFORE the router filter, so the Lua code runs before routing.
41 operation: INSERT_BEFORE
42 value: # lua filter specification
45 "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
# NOTE(review), Lua below:
# 1. The guard at the top of envoy_on_request joins its two tests with
#    `and`, so the token lookup is skipped for every POST and for every
#    request to the token path, not only for a POST to the token endpoint.
#    Such requests leave the sidecar without a token. If the intent is to
#    exempt only the token request itself, the tests need `or`. Confirm.
# 2. The authorization header is attached only when the jwt-proxy reply
#    carries one. No else branch is visible in this listing; if there is
#    none, a failed lookup forwards the request without a token (fail-open).
#    Confirm that is intended, and log or reject otherwise.
# 3. headers():add appends. If the workload already set an authorization
#    header, the upstream would receive two values; headers():replace
#    keeps only the proxy-issued one. Confirm which is wanted.
47 function envoy_on_request(request_handle)
48 local uri = request_handle:headers():get(":path")
49 local method = request_handle:headers():get(":method")
50 if (method ~= "POST" and uri ~= "/auth/realms/{{.Realm}}/protocol/openid-connect/token")
52 -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
53 local headers, body = request_handle:httpCall(
58 [":authority"] = "jwt-proxy",
59 ["realm"] = "{{.Realm}}",
60 ["client"] = "{{.Client}}",
61 ["authenticator"] = "{{.Authenticator}}",
62 ["ns"] = "{{.Namespace}}"
66 if (headers["authorization"] ~= nil)
68 request_handle:headers():add("authorization", headers["authorization"])
# Second patch: a cluster named jwt_cluster, presumably the one the Lua
# httpCall above targets (the call's cluster argument is not visible here).
# NOTE(review): the token travels over this cluster; the listing does not
# show its transport settings. Confirm the hop to jwt-proxy is mTLS/TLS.
74 context: SIDECAR_OUTBOUND
77 value: # cluster specification
81 lb_policy: ROUND_ROBIN
83 cluster_name: jwt_cluster