You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is not a security vulnerability or a crashing bug
This is not a question about how to use Istio
Bug Description
I'm using Kubernetes with ingress-nginx ingress controller. I'm planning to move to istio with envoy, as the first step I want to put the ingress controller into the mesh by injecting an envoy sidecar.
With the ingress-controller, I'm using external authentication (jwt), everything else works fine except the jwt authentication of the requests, when the ingress-controller's envoy returns the following when log level is set to debug (I'm using http1.1).
These are the logs when the ingress controller tries to authenticate the request with the jwt auth provider:
2024-06-12T07:28:30.012339Z debug envoy filter external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:69 original_dst: set destination to 172.20.142.80:80 thread=34
2024-06-12T07:28:30.012408Z debug envoy filter external/envoy/source/extensions/filters/listener/http_inspector/http_inspector.cc:139 http inspector: set application protocol to http/1.1 thread=34
2024-06-12T07:28:30.012459Z debug envoy conn_handler external/envoy/source/common/listener_manager/active_tcp_listener.cc:160 [Tags: "ConnectionId":"263"] new connection from 10.201.34.39:38818 thread=34
2024-06-12T07:28:30.012483Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:398 [Tags: "ConnectionId":"263"] new stream thread=34
2024-06-12T07:28:30.012548Z debug envoy http external/envoy/source/common/http/filter_manager.cc:1077 [Tags: "ConnectionId":"263","StreamId":"13433699386571971837"] Sending local reply with details http.invalid_authority thread=34
2024-06-12T07:28:30.012587Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1772 [Tags: "ConnectionId":"263","StreamId":"13433699386571971837"] closing connection due to connection close header thread=34
As I understood, the authority header should be checked only when the protocol is http2.
When I set the jwt auth provider's kubernetes service port name from http-something to tcp-something, it starts to work.
Version
istioctl version
client version: 1.22.1
control plane version: 1.22.1
data plane version: 1.22.1 (89 proxies)
kubectl version
client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.4-eks-036c24b
I think I found the issue, just the invalid_authority error confused me, but it seems that for us the problem was on our ingress configuration side, the host contained also the path.
Is this the right place to submit this?
Bug Description
I'm using Kubernetes with ingress-nginx ingress controller. I'm planning to move to istio with envoy, as the first step I want to put the ingress controller into the mesh by injecting an envoy sidecar.
With the ingress-controller, I'm using external authentication (jwt), everything else works fine except the jwt authentication of the requests, when the ingress-controller's envoy returns the following when log level is set to debug (I'm using http1.1).
These are the logs when the ingress controller tries to authenticate the request with the jwt auth provider:
As I understood, the authority header should be checked only when the protocol is http2.
When I set the jwt auth provider's kubernetes service port name from http-something to tcp-something, it starts to work.
Version
Additional Information
https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
The text was updated successfully, but these errors were encountered: