External Authz fails when server in a separate namespace #38451

@nmittler

Bug Description

This was discovered while working on #37914, specifically while porting TestAuthorization_Custom to the new framework.

If the external authz server is created in the same namespace as the echo apps, then it works properly (this is the way the test works today). However, if you try to move the authz server to its own namespace, I see:

    authz_test.go:1298: failed calling a (cluster=cluster-0)->'http://b.echo1.svc.cluster.local:80/custom': call failed from a (cluster=cluster-0) to http://b.echo1.svc.cluster.local:80/custom (using http): 5 errors occurred:
        	* response[0]: expected response code `200`, got "403". Response: RawContent:       [0] Url=http://b.echo1.svc.cluster.local:80/custom
        [0] StatusCode=403
        [0] ResponseHeader=Content-Length:0
        [0] ResponseHeader=Date:Tue, 19 Apr 2022 16:53:45 GMT
        [0] ResponseHeader=Server:envoy
        [0] ResponseHeader=X-Envoy-Upstream-Service-Time:1
        
        ID:               
        Method:           
        Protocol:         
        Alpn:             
        URL:              
        Version:          
        Port:             
        Code:             403
        Host:             
        Hostname:         
        Cluster:          
        IstioVersion:     
        IP:               
        Request Headers:  map[]
        Response Headers: map[Content-Length:[0] Date:[Tue, 19 Apr 2022 16:53:45 GMT] Server:[envoy] X-Envoy-Upstream-Service-Time:[1]]

Version

master (head)

Additional Information

No response
