istio: Unable to configure EnvoyFilter to do auth redirect

Bug description

I’m trying to prepare a setup with TLS termination at ingress-gateway, JWT based authz and automated redirection to the login page when user arrives without a valid JWT token. Currently everything works fine apart from redirection to login page.

I’ve tried to use both the “new” and “old” style to define EnvoyFilters.

New:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        # the listener selector belongs under match:, not beside it
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        # For some reason, INSERT_FIRST doesn't work
        operation: INSERT_BEFORE
        value:
          name: "envoy.filters.http.ext_authz"
          config:
            http_service:
              server_uri:
                uri: http://oauthproxy-service.auth-proxy.svc.cluster.local
                cluster: outbound|4180||oauthproxy-service.auth-proxy.svc.cluster.local
                timeout: 10s
              authorization_request:
                allowed_headers:
                  patterns:
                  - exact: "cookie"
                  - exact: "x-forwarded-access-token"
                  - exact: "x-forwarded-user"
                  - exact: "x-forwarded-email"
                  - exact: "authorization"
                  - exact: "x-forwarded-proto"
                  - exact: "proxy-authorization"
                  - exact: "user-agent"
                  - exact: "x-forwarded-host"
                  - exact: "from"
                  - exact: "x-forwarded-for"
                  - exact: "accept"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
              authorization_response:
                allowedClientHeaders:
                  patterns:
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "authorization"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
                allowedUpstreamHeaders:
                  patterns:
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "authorization"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"

old:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - filterConfig:
      http_service:
        server_uri:
          uri: http://oauthproxy-service.auth-proxy.svc.cluster.local
          cluster: outbound|4180||oauthproxy-service.auth-proxy.svc.cluster.local
          timeout: 10s
        authorizationRequest:
          allowedHeaders:
            patterns:
            - exact: "cookie"
            - exact: "x-forwarded-access-token"
            - exact: "x-forwarded-user"
            - exact: "x-forwarded-email"
            - exact: "authorization"
            - exact: "x-forwarded-proto"
            - exact: "proxy-authorization"
            - exact: "user-agent"
            - exact: "x-forwarded-host"
            - exact: "from"
            - exact: "x-forwarded-for"
            - exact: "accept"
            - prefix: "x-forwarded"
            - prefix: "x-auth-request"
        authorizationResponse:
          allowedClientHeaders:
            patterns:
            - exact: "location"
            - exact: "proxy-authenticate"
            - exact: "set-cookie"
            - exact: "authorization"
            - exact: "www-authenticate"
            - prefix: "x-forwarded"
            - prefix: "x-auth-request"
          allowedUpstreamHeaders:
            patterns:
            - exact: "location"
            - exact: "proxy-authenticate"
            - exact: "set-cookie"
            - exact: "authorization"
            - exact: "www-authenticate"
            - prefix: "x-forwarded"
            - prefix: "x-auth-request"
      statusOnError:
        code: GatewayTimeout
    filterName: envoy.ext_authz
    filterType: HTTP
    insertPosition:
      index: FIRST
    listenerMatch:
      portNumber: 443
      listenerType: GATEWAY

Unfortunately none of them works. Nothing happens when I create those resources; I always get “RBAC: access denied”, just as before creating the EnvoyFilter.

[x] Configuration Infrastructure [x] Docs [ ] Installation [x] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [x] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Expected behavior

When I access the webpage without a valid JWT token I should be redirected to the login page

Steps to reproduce the bug

Create any service, expose it via ingress and add JWT filtering.

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)

Kubectl

Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.11", GitCommit:"d94a81c724ea8e1ccc9002d89b7fe81d58f89ede", GitTreeState:"clean", BuildDate:"2020-03-12T21:08:59Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.11", GitCommit:"d94a81c724ea8e1ccc9002d89b7fe81d58f89ede", GitTreeState:"clean", BuildDate:"2020-03-12T21:00:06Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}

istioctl

client version: 1.6.0
control plane version: 1.6.0
data plane version: 1.6.0 (16 proxies)

Environment where bug was observed (cloud vendor, OS, etc)

OpenStack VM, kubernetes 1.15.11

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 5
  • Comments: 20 (3 by maintainers)

Most upvoted comments

An Envoy config dump from the gateway would help. Just need the HTTP connection manager config for that port.

Any hint on how to extract this from a running instance?
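The dump the maintainer asks for comes from the Envoy admin endpoint inside the gateway pod (for example `kubectl exec -n istio-system <gateway-pod> -c istio-proxy -- curl -s localhost:15000/config_dump > dump.json`). Reading it by hand is tedious, so below is an added checker script, not part of the issue or of Istio, that takes that JSON, finds the HTTP connection manager on the listener for a given port and reports the order of its `http_filters`. The order matters for the symptom in this issue: Envoy runs HTTP filters in list order, so an `ext_authz` filter that is absent, or that lands after `rbac` or after the terminal `router` filter, never gets a chance to redirect and the request is answered by RBAC first. The embedded dump is a constructed, trimmed sample in the shape of `/config_dump` (with no `ext_authz` present, matching the reported state); the helper names are the script's own.

```python
import json
import sys
from typing import List, Optional

# Constructed sample shaped like Envoy's admin /config_dump output, cut down to
# the fields the check needs. It is NOT a real dump: it models a gateway on
# port 443 where the EnvoyFilter patch was not applied (no ext_authz filter).
SAMPLE_CONFIG_DUMP = json.dumps({
    "configs": [{
        "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
        "dynamic_listeners": [{
            "name": "0.0.0.0_443",
            "active_state": {"listener": {
                "name": "0.0.0.0_443",
                "address": {"socket_address": {"address": "0.0.0.0", "port_value": 443}},
                "filter_chains": [{"filters": [{
                    "name": "envoy.http_connection_manager",
                    "typed_config": {
                        "@type": "type.googleapis.com/envoy.config.filter.network"
                                 ".http_connection_manager.v2.HttpConnectionManager",
                        "http_filters": [
                            {"name": "envoy.filters.http.jwt_authn"},
                            {"name": "envoy.filters.http.rbac"},
                            {"name": "envoy.router"},
                        ],
                    },
                }]}],
            }},
        }],
    }]
})

# Both the legacy and the canonical Envoy filter names, so the check works
# across the Envoy versions Istio has shipped.
HCM_NAMES = {"envoy.http_connection_manager", "envoy.filters.network.http_connection_manager"}
ROUTER_NAMES = {"envoy.router", "envoy.filters.http.router"}
RBAC_NAMES = {"envoy.filters.http.rbac"}
EXT_AUTHZ_NAMES = {"envoy.ext_authz", "envoy.filters.http.ext_authz"}


def http_filter_chains(config_dump: str, port: int) -> List[List[str]]:
    """Return the ordered http_filters names of every HTTP connection manager
    found on listeners bound to `port`, one list per filter chain."""
    dump = json.loads(config_dump)
    listeners = []
    for cfg in dump.get("configs", []):
        if not cfg.get("@type", "").endswith("ListenersConfigDump"):
            continue
        listeners += [d.get("active_state", {}).get("listener") for d in cfg.get("dynamic_listeners", [])]
        listeners += [s.get("listener") for s in cfg.get("static_listeners", [])]
    chains = []
    for lst in listeners:
        if not lst or lst.get("address", {}).get("socket_address", {}).get("port_value") != port:
            continue
        for chain in lst.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                if net_filter.get("name") not in HCM_NAMES:
                    continue
                hcm = net_filter.get("typed_config") or net_filter.get("config") or {}
                chains.append([hf.get("name", "") for hf in hcm.get("http_filters", [])])
    return chains


def _index_of(names: List[str], candidates: set) -> Optional[int]:
    for i, name in enumerate(names):
        if name in candidates:
            return i
    return None


def ext_authz_status(names: List[str]) -> str:
    """Classify where ext_authz sits in an http_filters list:
    'missing', 'after_router', 'after_rbac' or 'ok'."""
    authz = _index_of(names, EXT_AUTHZ_NAMES)
    if authz is None:
        return "missing"  # the EnvoyFilter patch never reached this listener
    router = _index_of(names, ROUTER_NAMES)
    if router is not None and authz > router:
        return "after_router"  # router is terminal; ext_authz is dead code here
    rbac = _index_of(names, RBAC_NAMES)
    if rbac is not None and authz > rbac:
        return "after_rbac"  # RBAC denies before the redirect can happen
    return "ok"


if __name__ == "__main__":
    # Usage: python check_hcm.py [dump.json] [port]; defaults to the sample and 443.
    dump_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_DUMP
    port_arg = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for chain in http_filter_chains(dump_text, port_arg):
        print("http_filters:", " -> ".join(chain), "| ext_authz:", ext_authz_status(chain))
```

Run against the real dump with the gateway's TLS port; a result of `missing` means the EnvoyFilter's `match` did not select the listener (the most common cause being a mis-nested `listener:` block or a wrong `context`), while `after_rbac` means the patch applied but the insert position put it behind the authorization filter.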