API Key Authentication Fails with Istio URI Rewriting for Qdrant #317
Description
We've encountered an issue with Qdrant's API key authentication when using Istio as our service mesh. The authentication mechanism works inconsistently depending on the URI path structure.
When accessing Qdrant through Istio with URI rewriting, the API key authentication fails:
Working: Direct access via https://host/collections - API key authentication functions correctly
Not Working: Access via rewritten path https://host/qdrant/collections - API key authentication fails, allowing unauthenticated access
Our Istio VirtualService configuration includes URI rewriting from /qdrant/ to /:
Conditionally Working:
http:
- match:
- uri:
prefix: /
route:
- destination:
host: qdrant
port:
number: 6333Not Working:
http:
- match:
- uri:
prefix: /qdrant/
rewrite:
uri: /
route:
- destination:
host: qdrant
port:
number: 6333We have API key authentication enabled in our Qdrant configuration:
config:
service:
enable_api_key_authentication: true
api_key: "[redacted]"
read_only_api_key: "[redacted]"Environment variables are correctly set in the pod:
QDRANT__SERVICE__API_KEY=[redacted]
QDRANT__SERVICE__READ_ONLY_API_KEY=[redacted]Expected Behavior
API key authentication should work consistently regardless of whether the request comes through the original path or the rewritten path.
Actual Behavior
API key authentication only works when accessing Qdrant directly without path rewriting. When accessing through the rewritten path (/qdrant/), requests are processed without requiring API key authentication.