Bug: extAuth.headersToExtAuth does not forward headers

[TobiasGleiter]

Description:

Envoy should forward headers to the ext auth service but the headers e.g. Cookies are not returned.

Environment:
Using:
extAuth.http

SecurityPolicy Version:
gateway.envoyproxy.io/v1alpha1

Images:
image: envoyproxy/gateway:v1.2.3
image: docker.io/envoyproxy/gateway:v1.2.3
image: envoyproxy/envoy:distroless-v1.32.1
image: envoyproxy/gateway:v1.2.3
image: docker.io/envoyproxy/envoy:distroless-v1.32.1
image: docker.io/envoyproxy/gateway:v1.2.3

[zhaohuabing]

@TobiasGleiter Did you configure the headersToExtAuth field in the SecurityPolicy? By default, only the following headers will be included in the check request to an HTTP authorization server: Host, Method, Path, Content-Length, and Authorization.

See: https://gateway.envoyproxy.io/docs/api/extension_types/#extauth

[TobiasGleiter]

@zhaohuabing Yes, I did. See attached:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
...
spec:
  extAuth:
    http:
      backendRefs:
        - name: kern-authorization
          namespace: kern
          port: 9002
    headersToExtAuth:
      - "Cookie"
      - "Authorization"

The default header authorization works well. Am I missing something?

[arkodg]

@TobiasGleiter you may need to explictly also configure the http subsection
https://gateway.envoyproxy.io/docs/api/extension_types/#httpextauthservice

http:
   headersToBackend:
   - "Cookie"

[TobiasGleiter]

@arkodg thanks for the idea. But shouldn't the configured extAuth service receive the headersToExtAuth without explicitly defining to forward it to the origin service?

I will check your idea soon and get back to you.