emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0

External Filter not able to hit the external auth service #4211

Open junmcao opened 2 years ago

junmcao commented 2 years ago

Describe the bug

Currently have the AuthService set up with an External Filter and Filter Policy. The external auth service is not having the request be redirected by the external filter.

After the live debug session, I have set the DNS host to resolve to the load balancer IP for the services.

Previous error:

{
    "message": "Post \"https://host.com/service/1\": dial tcp: lookup host.com on xxx.xx.x.xx:xx: no such host",
    "status_code": 403
}

New error:

{
    "message": "Post \"https://host.com/service/1\": context deadline exceeded",
    "status_code": 403
}

apiVersion: getambassador.io/v3alpha1
kind: AuthService
metadata:
  name: ambassador-auth
  namespace: ambassador-dev
spec:
  auth_service: "127.0.0.1:8500"
  proto: grpc
  timeout_ms: 5000
  include_body:
    max_bytes: 1000001
    allow_partial: true
  status_on_error:
    code: 403
  failure_mode_allow: false
---
apiVersion: getambassador.io/v3alpha1
kind: Filter
metadata:
  name: "ext-filter"
  namespace: "ambassador-dev"
spec:
  External:
    auth_service: "https://host.com"
    path_prefix: "/auth/authservice"
    proto: http
    timeout_ms: 5000
    include_body:
      max_bytes: 1000000
      allow_partial: false
    status_on_error:
      code: 403
    failure_mode_allow: false

    # proto: http only
    allowed_request_headers: ["h1","h2", "h3", "h4"]
    allowed_authorization_headers: ["a1"]
---
apiVersion: getambassador.io/v3alpha1
kind: FilterPolicy
metadata:
  name: ext-filter-policy
  namespace: ambassador-dev
spec:
  rules:
  - host: "https://host.com"
    path: "**"
    filters:
    - name: "ext-filter"
      onDeny: "break"       # optional; default is "break"
      onAllow: "break"      # optional; default is "continue"

Expected behavior

A request being made to https://host.com/service1 should be able to be redirected by the external filter to the external auth service at https://host.com/auth/authservice and redirect the request after being authorized to the upstream service.

Versions (please complete the following information):

Additional context

Possible issues outlined in the live debug call

A bug outlined in the call is that the AuthService configuration must have include_body.allow_partial=true, otherwise Ambassador will say that it is not set when it is false, as that is the default.

cindymullins-dw commented 2 years ago

Hi @juncao97, we suspect this is related to a known issue where POST requests are not working when you have include_body in your auth service or external filter. As you have max bytes set and are getting a 403, that seems to match up with this known bug. (For internal reference)
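
The two messages in the report have the format of Go `net/http` client errors: the first failed at name resolution, the second was abandoned when the request's deadline passed. The Go program below is an added example, not part of the issue thread and not Emissary's code; it reproduces the deadline failure against a constructed local endpoint and classifies both cases. `classify`, `authCallError`, the stand-in server and the request body are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// classify names the stage at which a call to the auth endpoint failed.
func classify(err error) string {
	var dnsErr *net.DNSError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &dnsErr): // "dial tcp: lookup ...: no such host"
		return "dns"
	case errors.Is(err, context.DeadlineExceeded): // "context deadline exceeded"
		return "timeout"
	}
	return "other"
}

// authCallError POSTs to a constructed local endpoint that answers after delay,
// abandoning the call after timeout (the role timeout_ms plays in the Filter).
func authCallError(delay, timeout time.Duration) error {
	srv := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		time.Sleep(delay) // stand-in for an auth service that does not answer in time
	}))
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	body := strings.NewReader(`{"constructed":"body"}`)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, srv.URL+"/auth/authservice", body)
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err == nil {
		err = resp.Body.Close()
	}
	return err
}

func main() {
	fmt.Println(classify(authCallError(300*time.Millisecond, 50*time.Millisecond)))
}
```

A "timeout" result means name resolution already succeeded and the connection or the response did not complete within the deadline, so the next things to check are the network path and the auth service's response time for POST requests.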