Setting a custom call source header with Istio


I have a setup using Kubernetes and Istio where we run a set of services. Each of our services has an istio-sidecar and a REST API. What we would like is that whenever a service within our setup calls another, the called service knows which service is the caller (preferably through a header).

Looking at the example image from bookinfo: bookinfo-image (Link due to <10 reputation) This would mean that in the source code for the ratings service I would like to be able to, for example, read a header telling me the request came from e.g. Reviews-v2.

My intuition tells me that I should be able to handle this in the istio sidecars, but I fail to realise exactly how.

Until now I have looked especially at Envoy filters in the hope that they could help me. I see that with Envoy filters I would be able to set a header, but what I don't see is how I would get the information about which service made the call in order to set it in the header.

2

There are 2 answers

0
user1168407 On BEST ANSWER

I ended up finding another solution by using a "rule". If we made sure that policy enforcing is enabled and then added the rule:

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: header-rule
  namespace: istio-system
spec:
  actions: []
  requestHeaderOperations:
    - name: serviceid
      values:
      - source.labels["app"]
      operation: REPLACE

We achieved what we were attempting to do.

3
Vadim Eisenberg On

Envoy automatically sets the X-Forwarded-Client-Cert header, which contains the SPIFFE ID of the caller. SPIFFE ID in Istio is a URI in the form spiffe://cluster.local/ns/<namespace>/sa/<service account>. Practically, it designates the Kubernetes Service Account of the caller. You may want to test it by using the Istio httpbin sample and sending a request to httpbin:8000/headers
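
An added example, not part of the answer above and not Istio's own code: reading the caller's identity from X-Forwarded-Client-Cert inside the called service. It assumes mutual TLS between sidecars, that the element appended by the nearest proxy is the last one in the header, and that the header only reaches the application through its own sidecar; the function names and the sample header are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample header (not captured from a real mesh). Two elements:
# productpage -> reviews (forwarded), then reviews -> ratings (appended last).
SAMPLE_XFCC = (
    'By=spiffe://cluster.local/ns/default/sa/bookinfo-reviews;Hash=aaaa;'
    'URI=spiffe://cluster.local/ns/default/sa/bookinfo-productpage,'
    'By=spiffe://cluster.local/ns/default/sa/bookinfo-ratings;Hash=bbbb;'
    'Subject="O=example,CN=reviews";'
    'URI=spiffe://cluster.local/ns/default/sa/bookinfo-reviews'
)
SPIFFE_RE = re.compile(r"^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$")

class Caller(NamedTuple):
    trust_domain: str
    namespace: str
    service_account: str

def _split(s: str, sep: str) -> list:
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and quoted and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep an escaped character as-is
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts

def caller_from_xfcc(header: str, trust_domain: str = "cluster.local") -> Optional[Caller]:
    """Return the immediate caller, or None if the header is absent or malformed."""
    if not header:
        return None
    fields = {}
    for pair in _split(_split(header, ",")[-1], ";"):  # last element only
        key, eq, value = pair.partition("=")
        if eq:
            fields[key.strip().lower()] = value.strip().strip('"')
    m = SPIFFE_RE.match(fields.get("uri", ""))
    # Reject identities from a trust domain other than the expected one.
    return Caller(*m.groups()) if m and m.group(1) == trust_domain else None
```

The result identifies the caller's Kubernetes service account rather than a workload version such as Reviews-v2, so distinguishing versions this way requires a separate service account per version.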