canonical / istio-operators

Charmed Istio

Removing `istio-auth` relation does not remove EnvoyFilter #122

Closed ca-scribner closed 1 year ago

ca-scribner commented 2 years ago

If we remove an established istio-auth relation, the EnvoyFilter backing that auth enforcement is not removed. This means breaking this relationship and removing the oidc on the other end blocks all traffic through the ingress.

Reproduction steps:

```
juju deploy istio-pilot --trust --channel 1.11/stable --config default-gateway=my-gateway
juju deploy istio-gateway istio-ingressgateway --trust --channel 1.11/stable --config kind=ingress

juju relate istio-pilot istio-ingressgateway

juju deploy dex-auth --channel=2.31/edge --trust --config static-username=user2 --config static-password=user2 --config public-url=http://10.64.140.43.nip.io
juju deploy oidc-gatekeeper --channel ckf-1.6/edge --config public-url=http://10.64.140.43.nip.io

juju relate istio-pilot:ingress dex-auth:ingress
juju relate dex-auth:oidc-client oidc-gatekeeper:oidc-client
juju relate istio-pilot:ingress oidc-gatekeeper:ingress
juju relate istio-pilot:ingress-auth oidc-gatekeeper:ingress-auth

# Wait for everything to come up
# Browse to http://10.64.140.43.nip.io/dex, which will redirect you to the dex auth flow

juju remove-relation istio-pilot:ingress-auth oidc-gatekeeper:ingress-auth

# Browse to http://10.64.140.43.nip.io/dex, which will not work
```

kimwnasptd commented 1 year ago

Closed from https://github.com/canonical/istio-operators/pull/261
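
The mismatch reported in this issue can be checked by comparing Juju's relation state with the EnvoyFilters in the cluster. The script below is an added example, not code from the istio-operators repository or from either commenter; it assumes the auth enforcement is an Envoy `ext_authz` HTTP filter and that the Juju model name is the Kubernetes namespace, and the function names and sample values are constructed for illustration. It goes one step beyond the report by also flagging the opposite mismatch (relation present, no filter).

```shell
#!/usr/bin/env bash
# Added example, not from the istio-operators repo: compare Juju relation
# state with the EnvoyFilters present in the model's namespace.

# ext_authz_filters LISTING
# LISTING holds one "name<TAB>patched-filter-names" line per EnvoyFilter.
# Prints the EnvoyFilters that patch in an ext_authz filter (assumption:
# the charm's auth enforcement is an Envoy ext_authz HTTP filter).
ext_authz_filters() {
    printf '%s\n' "$1" | awk -F'\t' '$2 ~ /ext_authz/ { print $1 }'
}

# auth_state RELATIONS LISTING
# RELATIONS is the text of `juju status --relations`.
# Prints one of: consistent, stale-filter, missing-filter.
auth_state() {
    local related=no filters
    if printf '%s\n' "$1" | grep -q 'istio-pilot:ingress-auth'; then
        related=yes
    fi
    filters=$(ext_authz_filters "$2")
    if [ "$related" = no ] && [ -n "$filters" ]; then
        echo stale-filter      # the condition reported in this issue
    elif [ "$related" = yes ] && [ -z "$filters" ]; then
        echo missing-filter    # relation exists but no filter enforces it
    else
        echo consistent
    fi
}

# check_live NAMESPACE: gather both inputs from a running deployment.
# Assumes juju (current model) and kubectl are configured for it.
check_live() {
    local ns=$1 relations listing
    relations=$(juju status --relations)
    listing=$(kubectl get envoyfilters.networking.istio.io -n "$ns" -o \
        jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.configPatches[*].patch.value.name}{"\n"}{end}')
    auth_state "$relations" "$listing"
}

# Constructed sample: relation already removed, filter still present.
SAMPLE_RELATIONS='istio-pilot:ingress  dex-auth:ingress  ingress  regular'
SAMPLE_LISTING=$(printf 'sample-authn\tenvoy.filters.http.ext_authz')
auth_state "$SAMPLE_RELATIONS" "$SAMPLE_LISTING"   # → stale-filter
```

On a live deployment, `check_live <namespace>` runs the same comparison; a `stale-filter` result after `juju remove-relation` matches the behaviour described above.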