B3 HTTP headers not propagated to ext_authz server in 1.10.0 #6520

@enbohm

B3 HTTP headers are not propagated to ext_authz server

Description:
Upgrading from Envoy 1.9.0 to 1.10.0 omits the Zipkin trace context propagation (B3 headers) to an external HTTP authorization server, and hence it is not visible in a distributed trace.

Using Envoy 1.9.0, the following config propagates B3 trace context (x-b3-traceid and x-b3-spanid headers) to an external auth server so it can join a distributed trace.

- name: envoy.ext_authz
  config:
    http_service:
      server_uri:
        uri: http://authorization-service:8080
        cluster: ext-authz
        timeout: 2s
      allowed_request_headers: ["x-b3-traceid", "x-b3-spanid"]

With Envoy 1.10.0 this configuration has changed (see https://www.envoyproxy.io/docs/envoy/v1.10.0/intro/version_history) and the corresponding config looks like:

- name: envoy.ext_authz
  config:
    http_service:
      server_uri:
        uri: http://authorization-service:8080
        cluster: ext-authz
        timeout: 2s
      authorization_request:
        allowed_headers:
          patterns:
            prefix: "x-b3"

However, in 1.10.0 none of the x-b3-* keys are added to the HTTP headers and hence the external authz server can't be part of the trace. I've tried several patterns (exact, prefix, regex) to see if there are any issues with the StringMatcher but without any luck :(

Note that it is only the external auth server that doesn't get the HTTP headers. I can see the trace which is initiated by Envoy in my tracing UI (Jaeger) but without the external auth server, so some parts of the trace are working as expected.
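
One way to check from the authorization server's side which B3 headers actually arrive, as an added example that is not part of the original issue or of Envoy's code. It is a stub HTTP authorization service that records the B3 headers on every check request and always answers 200, so it is for diagnosis only; the names `AuthzStub`, `b3_context`, `start` and `probe` and the trace ids are constructed for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The two headers named in the issue, plus the other B3 multi-header fields.
B3_HEADERS = ("x-b3-traceid", "x-b3-spanid", "x-b3-parentspanid", "x-b3-sampled")
REQUIRED = ("x-b3-traceid", "x-b3-spanid")

def b3_context(headers):
    """Return the B3 headers present on a request (names compared lowercase)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {h: lowered[h] for h in B3_HEADERS if h in lowered}

class AuthzStub(BaseHTTPRequestHandler):
    seen = []  # one dict per check request, newest last

    def _check(self):
        ctx = b3_context(self.headers)
        AuthzStub.seen.append(ctx)
        missing = [h for h in REQUIRED if h not in ctx]
        print(f"{self.command} {self.path} b3={ctx} missing={missing}")
        self.send_response(200)  # always allows: diagnostic stub, not real authz
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = _check

    def log_message(self, *args):  # suppress the default access log
        pass

def start(host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), AuthzStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(port, headers):
    """Send a constructed check request directly and return what was recorded."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/check", headers=headers)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    opener.open(req, timeout=5).close()
    return AuthzStub.seen[-1]

if __name__ == "__main__":
    srv = start("0.0.0.0", 8080)  # port taken from the server_uri in the issue
    # Constructed trace ids, sent directly to show the expected log line.
    probe(8080, {"x-b3-traceid": "463ac35c9f6413ad", "x-b3-spanid": "a2fb4a1d1a96d312"})
    threading.Event().wait()  # keep serving so the proxy's check requests are logged
```

Pointing the `ext-authz` cluster at this stub and comparing the `missing=` field between a 1.9.0 and a 1.10.0 proxy shows whether the headers are dropped before the check request leaves Envoy.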
