我正在尝试使用通过app-identity-and-access-adapter控制的身份验证来部署Grafana。问题是适配器在成功验证时添加了 HTTP 授权标头,但 Grafana 也在寻找相同的标头,因此将请求作为失败的 HTTP API 请求拒绝。{"message":"Invalid API key"}
我尝试使用 EnvoyFilter 来剥离 Authorization 标头,如下所示:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: grafana
namespace: monitoring
spec:
workloadSelector:
labels:
app: grafana
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 3000
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value: # lua filter specification
name: envoy.lua
config:
inlineCode: |
function envoy_on_request(request_handle)
local originalHeader = request_handle:headers():get("Authorization")
if originalHeader then
request_handle:headers():remove("Authorization")
end
end
但它似乎不起作用。使用以下命令打印所有可用的标题:
for key, value in pairs(request_handle:headers()) do
request_handle:logWarn("key:" .. key .. " <--> value:" .. value)
end
显示标题不存在,但 Grafana 显然正在接收它。
我可能做错了什么?
Istio 版本:1.4.5