Filter and FilterPolicy not able to match requests
See original GitHub issueDescribe the bug
Filter
and FilterPolicy
objects created to pass requests through an External
authentication service in my cluster are unable to match requests regardless of host or path rules specified. The request simply goes through to the service without any authentication being performed.
To Reproduce
A simple http echo app was deployed to a test namespace named ingestion-test
, and instances of the authentication service was deployed to a separate authentication
namespace. Ambassador Edge Stack was deployed to a separate ambassador
namespace, with the mappings being created there as well. The authentication service has been proven to work through a dedicated mapping to it. The Filter
, FilterPolicy
, and Mapping
objects are as follows:
apiVersion: getambassador.io/v2
kind: Filter
metadata:
name: auth-service-filter
namespace: ambassador
spec:
External:
allowed_request_headers:
- customerId
auth_service: http://authentication.authentication:8080
failure_mode_allow: false
path_prefix: /gateway
status_on_error:
code: 401
timeout_ms: 2000
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
name: ingestion-api-filter-policy
namespace: ambassador
spec:
rules:
- filters:
- name: auth-service-filter
namespace: ambassador
host: '*'
path: /ingestion/v1/*
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
name: ingestion-echo
namespace: ambassador
spec:
host: ^.*(.qa|.dev|.prod)?.domain.com
host_regex: true
prefix: /ingestion/v1
rewrite: /ingestion/v1/api
service: http://echo.ingestion-test:80
timeout_ms: 300000
Expected behavior
The request to the app should return an Authorization
header with a JWT bearer token as the value.
Versions:
- Ambassador Edge Stack v1.5.3
- GKE 1.16.9-gke.2
Additional context
I’ve tried to create other Filter
and FilterPolicy
objects in my cluster, including one that utilizes OAuth2 via Google, and I see the same behaviour with the request going through without authentication. Additionally, I was able to get the expected behaviour but only when using the AuthService
object, which was recommended not to be used with AES.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:3
- Comments:9 (4 by maintainers)
The issue was that I had set the AES helm chart to not deploy the AuthService because the docs say not to use an AuthService in AES and to instead use filter/filterpolicy. I was unaware that AES installs its own AuthService, which filter/filterpolicy relies on. After turning that on everything is working.
Having the same issue. Tried a lot of different permutations of configuration here. Ambassador is completely ignoring my filter/filterpolicy.