Istio算子的Istio外部授权错误

Question

我们已经在开发和生产环境中使用helm图表部署了Istio 1.11.0。我们在istio configmap中使用下面的配置，我们已经通过istio控制舵图进行了更新。

meshConfig:
  extensionProviders:
  - name: "ext-authz-grpc"
    envoyExtAuthzGrpc:
      service: "ext-auth-service.default.svc.cluster.local"
      port: "50051"
      includeHeadersInCheck: [ "authorization", "ws-protocol" ]
      headersToUpstreamOnAllow: [ "authorization", "x-role", "x-id" ]
  accessLogFile: /dev/stdout
  enablePrometheusMerge: true

基本上，我们使用grpc服务作为外部授权服务器。以上配置工作正常。我们的一个客户已经使用操作符部署了Istio 1.9.8。(他们有自己的Istio部署模式。不允许我们使用头盔图表部署istio )当我们试图使用操作符应用上述更改时，它会给我们以下错误：

2022-04-05T10:23:09.657830Z info installer Loading values from compiled in VFS at path profiles/minimal.yaml
2022-04-05T10:23:09.657837Z info installer Loading values from compiled in VFS at path profiles/default.yaml
2022-04-05T10:23:09.679340Z error installer failed to merge base profile with user IstioOperator CR profile-poc-customized, failed to unmarshall mesh config: unknown field "includeHeadersInCheck" in v1alpha1.MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider moreInfo=The values in the selected spec.profile could not be merged with the user IstioOperator resource. impact=The operator controller cannot create and act upon the user defined IstioOperator resource. The Istio control plane will not be installed or updated. action=Check that the IstioOperator resource has the correct syntax. If you are sure your configuration is correct, see https://istio.io/latest/about/bugs for possible solutions. likelyCause=The likely cause is an incorrect or badly formatted configuration.Another possible cause could be an issue with the Istio code.

如果我们直接编辑configmap并进行更改，那么它就能够应用这些更改。但当我们从操作符中更新它时，它会产生错误。有人能帮我理解为什么它不和操作员一起工作吗？

Answer 1

includeHeadersInCheck仅适用于http，而不适用于grpc：https://istio.io/v1.10/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider