Issue: Unable to Forward All Request Headers to External Auth Server in SecurityPolicy
Environment
- Envoy Gateway Version: v1.6.1
- Installation Method: Following the official external auth documentation
Problem Description
I'm implementing custom authentication using an external auth server with Envoy Gateway's SecurityPolicy resource. By default, only the following headers are forwarded to the auth server:
- `host`
- `content-length`
- `x-envoy-internal`
- `x-envoy-expected-rq-timeout-ms`
Expected Behavior
I need to forward all incoming request headers to the external auth server for authentication purposes.
Current Configuration
```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: pty-custom-auth
  namespace: test-gateway
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: auth-server-route
  extAuth:
    headersToExtAuth:
      - "*"
    http:
      path: "/auth"
      backendRefs:
        - name: auth-server-service
          namespace: test-gateway
          port: 80
      headersToBackend: ["temp-roles", "temp-username"]
```
Attempted Solutions
I've tried multiple variations in the headersToExtAuth field, but none have successfully forwarded all headers:
- `headersToExtAuth: ["*"]` - Only forwards the 4 default headers
- `headersToExtAuth: ["."]` - Same result
- `headersToExtAuth: [".*"]` - Same result
- `headersToExtAuth: [""]` - Same result
Questions
- Is forwarding all incoming headers to the external auth server currently supported in Envoy Gateway's `SecurityPolicy` API?
- If yes, what is the correct configuration to achieve this?
- If not, are there any workarounds or plans to support this functionality?
Any guidance would be greatly appreciated!