envoyproxy/gateway

Unable to forward all the request headers to external auth server using SecurityPolicy CRD

Open

#7.703 geöffnet am 9. Dez. 2025

Auf GitHub ansehen
 (4 Kommentare) (1 Reaktion) (1 zugewiesene Person)Go (802 Forks)auto 404
help wanted

Repository-Metriken

Stars
 (2.871 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

Issue: Unable to Forward All Request Headers to External Auth Server in SecurityPolicy

Environment

Problem Description

I'm implementing custom authentication using an external auth server with Envoy Gateway's SecurityPolicy resource. By default, only the following headers are forwarded to the auth server:

  • host
  • content-length
  • x-envoy-internal
  • x-envoy-expected-rq-timeout-ms

Expected Behavior

I need to forward all incoming request headers to the external auth server for authentication purposes.

Current Configuration

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: pty-custom-auth
  namespace: test-gateway
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: auth-server-route
  extAuth:
    headersToExtAuth:
      - "*"
    http:
      path: "/auth"
      backendRefs:
        - name: auth-server-service
          namespace: test-gateway
          port: 80
      headersToBackend: ["temp-roles", "temp-username"]

Attempted Solutions

I've tried multiple variations in the headersToExtAuth field, but none have successfully forwarded all headers:

  1. headersToExtAuth: ["*"] - Only forwards the 4 default headers
  2. headersToExtAuth: ["."] - Same result
  3. headersToExtAuth: [".*"] - Same result
  4. headersToExtAuth: [""] - Same result

Questions

  1. Is forwarding all incoming headers to the external auth server currently supported in Envoy Gateway's SecurityPolicy API?
  2. If yes, what is the correct configuration to achieve this?
  3. If not, are there any workarounds or plans to support this functionality?

Any guidance would be greatly appreciated!

Contributor Guide