OIDC EnvoyFilter not working with Istio 1.3.1

[adriangonz]

Describe the bug:

I'm currently trying to set up a cluster with Istio and Dex using Istio 1.3.1 instead of Istio 1.1.6 (using the manifests under istio-1-3-1). However, I can't get the login flow to work. In particular what I see is that the /login/oidc URL just returns a 404 error. On a regular cluster (i.e. using Istio 1.1.6) /login/oidc would just get routed to the authservice pod.

Potential cause:

The routing of /login/oidc requests to the authservice seems to happen through an EnvoyFilter created in istio/oidc-authservice. However, Istio 1.3 released some changes affecting the EnvoyFilter CRD. This means that the manifests for Istio 1.3.1 (under istio-1-3-1) are currently incompatible with the ones under istio/oidc-authservice.

[issue-label-bot]

Issue-Label Bot is automatically applying the labels:

Label	Probability
kind/question	0.61

Please mark this comment with 👍 or 👎 to give our bot feedback!
Links: app homepage, dashboard and code for this bot.

[adriangonz]

/kind bug

[jtfogarty]

/area istio

[yanniszark]

Hi @adriangonz!
We have been deploying clusters with Istio 1.3.1 and that exact EnvoyFilter for a while now.
In fact, the last MiniKF has Istio 1.3.1 and uses that EnvoyFilter.
The kfctl_istio_dex config uses Istio 1.3.1 by default. Did you make any changes to the KFDef file before deploying?
Can you include your KFDef file here?

[adriangonz]

I think you are on the money @yanniszark. I was tinkering with the kfctl_istio_dex config and it seems I may have removed something important. Using the default one with Istio 1.3.1 seems to work!

Closing this issue now as there doesn't seem to be a problem.