How do I add custom headers to HTTP traffic with Istio EnvoyFilter?
To add custom headers to HTTP traffic using Istio’s EnvoyFilter
, we need to create an EnvoyFilter
resource that modifies the HTTP request or response headers as they pass through the Envoy proxy. This can be useful for a variety of purposes, such as adding security headers, modifying existing headers, or inserting custom metadata.
Here’s how you can achieve this using Pulumi and Istio:
- Install Istio: Ensure that Istio is installed and configured in your Kubernetes cluster.
- Create an EnvoyFilter: Define an
EnvoyFilter
resource that specifies the custom headers to be added.
Below is a Pulumi program written in TypeScript that demonstrates how to create an EnvoyFilter
to add custom headers to HTTP traffic.
Explanation
- Istio EnvoyFilter: This resource allows you to customize the behavior of the Envoy proxies used by Istio. You can use it to add or modify HTTP headers.
- WorkloadSelector: This specifies which workloads the filter should apply to. In this example, it applies to all workloads in the
default
namespace. - HTTP Filter Configuration: This part of the configuration specifies the HTTP filter that will add the custom headers.
Pulumi Program
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
// Define the custom headers to be added
const customHeaders = [
{
name: "x-custom-header",
value: "custom-value",
},
{
name: "x-another-header",
value: "another-value",
},
];
// Create an EnvoyFilter resource
const envoyFilter = new k8s.apiextensions.CustomResource("custom-headers-filter", {
apiVersion: "networking.istio.io/v1alpha3",
kind: "EnvoyFilter",
metadata: {
name: "custom-headers-filter",
namespace: "default",
},
spec: {
workloadSelector: {
labels: {
app: "your-app-label", // Apply this filter to workloads with this label
},
},
configPatches: [
{
applyTo: "HTTP_FILTER",
match: {
context: "SIDECAR_INBOUND",
listener: {
filterChain: {
filter: {
name: "envoy.filters.network.http_connection_manager",
},
},
},
},
patch: {
operation: "INSERT_BEFORE",
value: {
name: "envoy.filters.http.lua",
typed_config: {
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
inlineCode: `
function envoy_on_request(request_handle)
request_handle:headers():add("x-custom-header", "custom-value")
request_handle:headers():add("x-another-header", "another-value")
end
`,
},
},
},
},
],
},
});
// Export the name of the EnvoyFilter
export const envoyFilterName = envoyFilter.metadata.name;
Explanation of the Code
- Importing Modules: We import the necessary Pulumi and Kubernetes modules.
- Defining Custom Headers: We define the custom headers that we want to add to the HTTP traffic.
- Creating EnvoyFilter: We create an
EnvoyFilter
resource with the specified configuration.- workloadSelector: Specifies the workloads to which this filter should apply. In this example, it applies to workloads with the label
app: your-app-label
in thedefault
namespace. - configPatches: Defines the patches to be applied to the Envoy configuration. In this case, we use the Lua filter to add custom headers to inbound HTTP requests.
- workloadSelector: Specifies the workloads to which this filter should apply. In this example, it applies to workloads with the label
- Exporting EnvoyFilter Name: We export the name of the
EnvoyFilter
resource for reference.
This Pulumi program will create an EnvoyFilter
in your Kubernetes cluster that adds the specified custom headers to HTTP requests handled by Envoy proxies in the Istio service mesh.
Deploy this code
Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.
Sign upNew to Pulumi?
Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.
Sign upThank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.