@nielsole
Created November 7, 2022 16:41
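# EnvoyFilter: inserts a Lua HTTP filter in front of the router filter on the
# gateway workloads selected below. For one exact :authority value the filter
# sets an Authorization header and rewrites :authority to the ".mtls." host.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  labels:
    # Quoted so the revision label is always read as a string.
    istio.io/rev: '1-12'
  name: tls-mtls-routing-lua
  namespace: wf-istio-decentralized-ingressgateway
spec:
  workloadSelector:
    labels:
      istio: decentralizedgateway
      istio.io/rev: '1-12'
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          # TODO this needs to be 443 later
          # portNumber: 80
          # NOTE(review): with portNumber commented out, no listener port is
          # selected here, so the patch is not limited to one port of the
          # selected workloads. Pin the port before this leaves testing.
          filterChain:
            filter:
              name: 'envoy.filters.network.http_connection_manager'
              subFilter:
                name: 'envoy.filters.http.router'
      patch:
        operation: INSERT_BEFORE
        value:
          name: tlsmtls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
            # NOTE(review): "Baz" is a literal Authorization value stored in
            # the manifest. A real credential should come from a secret store,
            # not from inline filter code committed with the config.
            # NOTE(review): the decision is keyed only on :authority, which the
            # client sends; anything that must be authenticated needs a check
            # that does not rest on that header alone.
            inlineCode: |
              function envoy_on_request(request_handle)
                -- local: keep the value out of the shared Lua global table
                local host_header = request_handle:headers():get(":authority")
                if host_header == "eureka-client.smesh.dev.plain.wfapis.com" then
                  -- replace (not add): a client-sent Authorization header must
                  -- not be forwarded next to the injected one
                  request_handle:headers():replace("Authorization", "Baz")
                  request_handle:headers():replace(":authority", "eureka-client.smesh.dev.mtls.wfapis.com")
                  -- request_handle:headers():remove("X-Envoy-Peer-Metadata-Id")
                end
              end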
---
# Gateway: binds the workloads labelled istio=decentralizedgateway to two
# servers, plaintext HTTP on 80 and HTTPS on 443, each accepting any host.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test
  namespace: wf-istio-decentralized-ingressgateway
spec:
  selector:
    istio: decentralizedgateway
  servers:
    # Port 80 is unencrypted and matches every host name.
    # NOTE(review): the Lua filter in this file sets an Authorization header
    # on requests handled by this gateway; confirm that plaintext ingress is
    # intended only for testing.
    - port:
        number: 80
        name: http-port
        protocol: HTTP
      hosts:
        - '*'
    # NOTE(review): this server declares HTTPS but no tls settings are
    # visible here; Istio expects a tls block on HTTPS servers. Confirm the
    # certificate source and TLS mode before relying on port 443.
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - '*'
---
# DestinationRule: defines subset "outbound-test" for *.dev.mtls.wfapis.com
# with round-robin load balancing and ISTIO_MUTUAL TLS on port 443.
# NOTE(review): metadata carries no namespace, so the rule lands in whatever
# namespace the apply command defaults to. Confirm that is the intended one.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test
spec:
  host: '*.dev.mtls.wfapis.com'
  subsets:
    - name: outbound-test
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
        portLevelSettings:
          - port:
              number: 443
            tls:
              # ISTIO_MUTUAL presents the workload's Istio-issued certificate.
              # NOTE(review): the ServiceEntry in this file marks the host
              # MESH_EXTERNAL; confirm the remote side trusts the mesh CA and
              # that the peer identity is actually verified.
              mode: ISTIO_MUTUAL
              # sni: {{ .externalHost }} # this is optional
---
# ServiceEntry: registers *.dev.mtls.wfapis.com as a mesh-external,
# DNS-resolved service exposing ports 443 and 80.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: test
  namespace: wf-istio-decentralized-ingressgateway
spec:
  hosts:
    - '*.dev.mtls.wfapis.com'
  location: MESH_EXTERNAL
  ports:
    # NOTE(review): ISTIO_MUTUAL is a TLS mode on DestinationRule; it is not
    # among the port protocols Istio documents for ServiceEntry. Confirm how
    # the control plane treats this port.
    - number: 443
      name: https
      protocol: ISTIO_MUTUAL
    # Port 80 is plaintext HTTP.
    - number: 80
      name: http
      protocol: HTTP
  resolution: DNS
---
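# VirtualService: for traffic arriving on port 80 at gateway "test" for
# *.dev.mtls.wfapis.com, route to subset "outbound-test" on port 443 and set
# the Host header from the externalHost template value.
# NOTE(review): metadata carries no namespace, and a bare gateway name is
# resolved in the VirtualService's own namespace. Confirm this is applied
# where the Gateway "test" lives.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: outbound-test
spec:
  hosts:
    - '*.dev.mtls.wfapis.com'
  gateways:
    # We want this on the sidecars
    # - istio-egressgateway
    - test
  http:
    - match:
        - port: 80
      route:
        - destination:
            host: '*.dev.mtls.wfapis.com'
            subset: outbound-test
            port:
              number: 443
          headers:
            request:
              set:
                # Quoted: an unquoted leading "{{" is read as a YAML flow
                # mapping if the file is parsed before rendering, and an empty
                # or special-character expansion would otherwise change the
                # value's type.
                Host: "{{ .externalHost }}"
          weight: 100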