Routing and credential injection

[ftriolet]

Hi,

I have a backend secured by api key. Two clients want to call this backend using their own api key. So I'm using a Security policy to authenticate the caller (field in auth token) and put the value in a header. This header is used to call the good rule based on the path and the value of the header. In each rule, I put a filter to inject the good credential for the client.

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-claim
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-route
  jwt:
    providers:
      - name: roman
        recomputeRoute: true
        issuer: https://provider.local
        localJWKS:
          type: Inline
          inline: >-
            {"keys": [
              {
                ....
              }]
            }
        claimToHeaders:
          - claim: azp
            header: x-api-client
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-route
  namespace: default
spec:
  parentRefs:
    - name: eg
  hostnames:
    - "www.example.com"
  rules:
    - backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: backend
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /backend/v1
          headers:
            - name: x-api-client
              value: client1
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /backend/3.11/
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: HTTPRouteFilter
            name: client1-host-rewrite
    - backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: backend
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /backend/v1
          headers:
            - name: x-api-client
              value: client2
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /backend/3.11/
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: HTTPRouteFilter
            name: client2-host-rewrite
    # catch all
    - backendRefs:
        - kind: Service
          name: infra-backend-invalid
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /backend/v1
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: HTTPRouteFilter
metadata:
  name: client1-host-rewrite
spec:
  urlRewrite:
    hostname:
      type: Backend
  credentialInjection:
    overwrite: true
    header: X-Api-Key
    credential:
      valueRef:
        name: backend-credential1
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: HTTPRouteFilter
metadata:
  name: client2-host-rewrite
spec:
  urlRewrite:
    hostname:
      type: Backend
  credentialInjection:
    overwrite: true
    header: X-Api-Key
    credential:
      valueRef:
        name: backend-credential2

When I call the api, I get a 401 Unauthorized because no credentials are injected but if I put client1-host-rewrite filter on the "catch all" rule, I get a 200 OK. It's like the urlRewrite part of the custom client rule work but not the HTTPRouteFilter ExtensionRef part.

version : v1.4.1

[arkodg]

cc @guydc