Routing and credential injection

[ftriolet]

Hi,

I have a backend secured by api key. Two clients want to call this backend using their own api key. So I'm using a Security policy to authenticate the caller (field in auth token) and put the value in a header. This header is used to call the good rule based on the path and the value of the header. In each rule, I put a filter to inject the good credential for the client.

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-claim
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-route
  jwt:
    providers:
      - name: roman
        recomputeRoute: true
        issuer: https://provider.local
        localJWKS:
          type: Inline
          inline: >-
            {"keys": [
              {
                ....
              }]
            }
        claimToHeaders:
          - claim: azp
            header: x-api-client
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-route
  namespace: default
spec:
  parentRefs:
    - name: eg
  hostnames:
    - "www.example.com"
  rules:
    - backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: backend
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /backend/v1
          headers:
            - name: x-api-client
              value: client1
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /backend/3.11/
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: HTTPRouteFilter
            name: client1-host-rewrite
    - backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: backend
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /backend/v1
          headers:
            - name: x-api-client
              value: client2
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /backend/3.11/
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: HTTPRouteFilter
            name: client2-host-rewrite
    # catch all
    - backendRefs:
        - kind: Service
          name: infra-backend-invalid
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /backend/v1
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: HTTPRouteFilter
metadata:
  name: client1-host-rewrite
spec:
  urlRewrite:
    hostname:
      type: Backend
  credentialInjection:
    overwrite: true
    header: X-Api-Key
    credential:
      valueRef:
        name: backend-credential1
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: HTTPRouteFilter
metadata:
  name: client2-host-rewrite
spec:
  urlRewrite:
    hostname:
      type: Backend
  credentialInjection:
    overwrite: true
    header: X-Api-Key
    credential:
      valueRef:
        name: backend-credential2

When I call the api, I get a 401 Unauthorized because no credentials are injected but if I put client1-host-rewrite filter on the "catch all" rule, I get a 200 OK. It's like the urlRewrite part of the custom client rule work but not the HTTPRouteFilter ExtensionRef part.

version : v1.4.1

[arkodg]

cc @guydc

[ftriolet]

Do you have some news about this question ?

[guydc]

We previously had an issue where mixing extended HTTPRouteFilters with built-in filters on the same route led to some of them being ignored: #6557. This was fixed in 1.5.
@ftriolet - can you maybe test with the latest EG version to see if this still happens?

[ftriolet]

I do some test on version v1.5.3 with httbin as backend :

Simple test with credentials injection and host rewrite

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: httpbin-backend
  namespace: default
spec:
  endpoints:
    - fqdn:
        hostname: httpbin.org
        port: 443
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-backend-route
  namespace: default
spec:
  parentRefs:
    - name: eg
  hostnames:
    - "www.example.com"
  rules:
    - backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: httpbin-backend
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: HTTPRouteFilter
            name: host-rewrite
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: httpbin-backend-tls
  namespace: default
spec:
  targetRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: httpbin-backend
  validation:
    hostname: httpbin.org
    wellKnownCACertificates: System
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: HTTPRouteFilter
metadata:
  name: host-rewrite
spec:
  urlRewrite:
    hostname:
      type: Backend
  credentialInjection:
    overwrite: true
    header: API-KEY
    credential:
      valueRef:
        name: httpbin-credential
---
apiVersion: v1
kind: Secret
metadata:
  name: httpbin-credential
  namespace: default
data:
  credential: YWVkMTYwYzEtZzkwNS0yMDEyLTM1OTAtajFzNDA2NzAxNDYw

response is :

< HTTP/1.1 200 OK
< date: Fri, 17 Oct 2025 07:05:27 GMT
< content-type: application/json
< content-length: 418
< server: gunicorn/19.9.0
< access-control-allow-origin: *
< access-control-allow-credentials: true
< 
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    **"Api-Key": "aed160c1-g905-2012-3590-j1s406701460",**
    "Host": "httpbin.org", 
    "User-Agent": "curl/8.7.1", 
    "X-Amzn-Trace-Id": "Root=1-68f1eab7-2fd2300638e6fe9132914528", 
    "X-Envoy-External-Address": "10.244.0.1", 
    "X-Forwarded-Host": "www.example.com"
  }, 
  "origin": "10.244.0.1, 88.126.202.179", 
  "url": "https://www.example.com/get"
}

Api-Key is injected and host is rewrite

Test with JWT and routing with client name, credentials injection and host rewrite

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: httpbin-backend
  namespace: default
spec:
  endpoints:
    - fqdn:
        hostname: httpbin.org
        port: 443

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: sirene-jwt-claim
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin-backend-route
  jwt:
    providers:
      - name: roman
        recomputeRoute: true
        issuer: https://roman.local
        localJWKS:
          type: Inline
          inline: >-
            {"keys": [
              {
                "alg": "RS256",
                "e": "AQAB",
                "key_ops": [
                  "verify"
                ],
                "kty": "RSA",
                "n": "XXXXX",
                "use": "sig",
                "kid": "XXXXX"
              }]
            }
        claimToHeaders:
          - claim: azp
            header: x-apim-client

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-backend-route
  namespace: default
spec:
  parentRefs:
    - name: eg
  hostnames:
    - "www.example.com"
  rules:
    - backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: httpbin-backend
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /
          headers:
            - name: x-apim-client
              value: client1
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.envoyproxy.io
            kind: HTTPRouteFilter
            name: host-rewrite
        - type: RequestHeaderModifier
          requestHeaderModifier:
            remove:
              - "Authorization"
    - backendRefs:
        - kind: Service
          name: infra-backend-invalid
          port: 443
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /

apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: httpbin-backend-tls
  namespace: default
spec:
  targetRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: httpbin-backend
  validation:
    hostname: httpbin.org
    wellKnownCACertificates: System

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: HTTPRouteFilter
metadata:
  name: host-rewrite
spec:
  urlRewrite:
    hostname:
      type: Backend
  credentialInjection:
    overwrite: true
    header: API-KEY
    credential:
      valueRef:
        name: httpbin-credential

apiVersion: v1
kind: Secret
metadata:
  name: httpbin-credential
  namespace: default
data:
  credential: YWVkMTYwYzEtZzkwNS0yMDEyLTM1OTAtajFzNDA2NzAxNDYw`

response is :

< HTTP/1.1 200 OK
< date: Fri, 17 Oct 2025 07:11:00 GMT
< content-type: application/json
< content-length: 395
< server: gunicorn/19.9.0
< access-control-allow-origin: *
< access-control-allow-credentials: true
< 
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Host": "httpbin.org", 
    "User-Agent": "curl/8.7.1", 
    "X-Amzn-Trace-Id": "Root=1-68f1ec03-585205bc7d23029800a5bdaf", 
    "X-Apim-Client": "client1", 
    "X-Envoy-External-Address": "10.244.0.1", 
    "X-Forwarded-Host": "www.example.com"
  }, 
  "origin": "10.244.0.1, 88.126.202.179", 
  "url": "https://www.example.com/get"
}

Host is still rewrite but Api-Key is NOT injected