Introduction

As a newcomer to the field of security and compliance, I am exploring the integration of Lua filters with Open Policy Agent (OPA) in an Istio setup. This guide presents a simple proof of concept (PoC) for implementing a Lua filter that interacts with OPA.

Creating the Envoy Filter

To begin, I have defined an Envoy External Authorization filter that queries OPA. Below is the configuration for the filter:

############################################################
# Envoy External Authorization filter configuration for OPA.
############################################################
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  filters:
  - insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: GATEWAY
      listenerProtocol: HTTP
    filterType: HTTP
    filterName: envoy.lua
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
            request_handle:logWarn("envoy_on_request")
        end

        function envoy_on_response(response_handle)
            response_handle:logWarn("envoy_on_response")
            response_handle:headers():add("x-this","It works")
        end

Testing the Filter

Upon executing my API, I observed that the response included the modified header value, indicating that the Lua filter was successfully invoked within the filter chain.

Troubleshooting Logging Issues

However, I encountered an issue where the log message "envoy_on_request" was not appearing in the container logs. To resolve this, consider the following suggestions:

  • Ensure that the logging level is set appropriately in your Envoy configuration to capture warning logs.
  • Check if the logging output is directed to the correct location or if any log rotation settings might be affecting visibility.
  • Verify that the filter is correctly applied and that requests are indeed reaching the Lua filter.

Conclusion

This guide provides a foundational understanding of integrating Lua filters with OPA in an Istio environment. If you face logging issues, the troubleshooting steps outlined above may assist in resolving them.