envoyproxy/gateway

Unable to forward all the request headers to external auth server using SecurityPolicy CRD

Open

#7,703 创建于 2025年12月9日

在 GitHub 查看
 (4 评论) (1 反应) (1 负责人)Go (802 fork)auto 404
help wanted

仓库指标

Star
 (2,871 star)
PR 合并指标
 (PR 指标待抓取)

描述

Issue: Unable to Forward All Request Headers to External Auth Server in SecurityPolicy

Environment

Problem Description

I'm implementing custom authentication using an external auth server with Envoy Gateway's SecurityPolicy resource. By default, only the following headers are forwarded to the auth server:

  • host
  • content-length
  • x-envoy-internal
  • x-envoy-expected-rq-timeout-ms

Expected Behavior

I need to forward all incoming request headers to the external auth server for authentication purposes.

Current Configuration

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: pty-custom-auth
  namespace: test-gateway
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: auth-server-route
  extAuth:
    headersToExtAuth:
      - "*"
    http:
      path: "/auth"
      backendRefs:
        - name: auth-server-service
          namespace: test-gateway
          port: 80
      headersToBackend: ["temp-roles", "temp-username"]

Attempted Solutions

I've tried multiple variations in the headersToExtAuth field, but none have successfully forwarded all headers:

  1. headersToExtAuth: ["*"] - Only forwards the 4 default headers
  2. headersToExtAuth: ["."] - Same result
  3. headersToExtAuth: [".*"] - Same result
  4. headersToExtAuth: [""] - Same result

Questions

  1. Is forwarding all incoming headers to the external auth server currently supported in Envoy Gateway's SecurityPolicy API?
  2. If yes, what is the correct configuration to achieve this?
  3. If not, are there any workarounds or plans to support this functionality?

Any guidance would be greatly appreciated!

贡献者指南