defenseunicorns / uds-core

A FOSS secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
GNU Affero General Public License v3.0

Identify path forward for Keycloak with Istio Ambient #1031

Open mjnagel opened 2 days ago

mjnagel commented 2 days ago

Our current L7 AuthorizationPolicies for Keycloak are not natively supported with Ambient unless we are using Waypoints. This issue should find a path forward to set up waypoints for Keycloak and ensure full functionality including:

mjnagel commented 2 days ago

Path identified here/usage of waypoints may inform https://github.com/defenseunicorns/uds-core/issues/1029.

Additional note related to Keycloak from our previous work:

Traffic to Keycloak from Pepr showed as originating from a "different" host, requiring a new trusted host policy in Keycloak for *.pepr-uds-core-watcher.pepr-system.svc.cluster.local (previously we were using the generic Istio 127.0.0.6).
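
Added example, not part of the issue thread and not uds-core's own configuration: a sketch of how an L7 AuthorizationPolicy is bound to a waypoint in Istio ambient mode, using `targetRefs` on a Service instead of a workload `selector`. The namespace `keycloak`, Service `keycloak-http`, waypoint `keycloak-waypoint`, source namespace `admin-ingress`, port 8080 and the `/admin/*` path are all assumptions chosen for illustration.

```yaml
# Waypoint proxy for the (assumed) keycloak namespace. ztunnel only enforces
# L4 attributes, so path/method/host rules need a waypoint to be evaluated.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: keycloak-waypoint          # hypothetical name
  namespace: keycloak              # hypothetical namespace
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
    - name: mesh
      port: 15008
      protocol: HBONE
---
# Enroll the Service so traffic addressed to it is routed through the waypoint.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-http              # hypothetical Service name
  namespace: keycloak
  labels:
    istio.io/use-waypoint: keycloak-waypoint
spec:
  selector:
    app.kubernetes.io/name: keycloak   # assumed pod label
  ports:
    - name: http
      port: 8080                   # assumed port
---
# L7 policy attached to the Service via targetRefs, so the waypoint enforces it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: keycloak-block-admin       # hypothetical policy
  namespace: keycloak
spec:
  targetRefs:
    - kind: Service
      group: ""
      name: keycloak-http
  action: DENY
  rules:
    - from:
        - source:
            notNamespaces: ["admin-ingress"]   # hypothetical allowed source
      to:
        - operation:
            paths: ["/admin/*"]                # constructed example path
```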