hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

Open Policy Agent support #11206

Open mhmnemati opened 3 years ago

mhmnemati commented 3 years ago

Is there any plan to support external PDPs like OPA or Keto?

jphenow commented 3 years ago

👋🏻 Are you referring to the ext_authz that might normally be available by using Envoy directly?

If so, I'm very interested in that myself.


My use case for some context:

We have a series of services that will connect via the service mesh. Some elements of consistency I'd like to provide as part of membership to this mesh:

  1. Eventually consistent access rule policies for service-to-service communication
    • I recognize Consul ACLs perform this, though due to below bullets I think OPA provides a more consistent experience
  2. Ability to unpack and verify JWTs
  3. Ability to pass information about a validated JWT (from step 2) into the service (augment headers)

Notably, I'm imagining the proxy and OPA runtime as all part of the suite of sidecars we'll run with every service instance.

I've proved the above is possible with OPA via Envoy when I was tinkering with Spire directly. We want the added benefits that Consul provides - which is why we're going that direction. In lieu of support of ext_auth configuration, we'll likely be running another envoy with OPA as sidecars. Naturally, this adds some heft to our systems and I'd prefer to simply have this available as part of operating Consul.


Let me know if our interests align?
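The three bullets above (service-to-service access rules, JWT verification, and passing validated claims to the service as headers) are exactly what an OPA policy behind Envoy's ext_authz filter does. The policy below is an added illustration, not code from this issue or from the Consul or OPA projects. It assumes the opa-envoy-plugin with its decision path pointed at `envoy/authz/response`, OPA 0.59 or newer (for `import rego.v1`), an HS256 demo secret and issuer URL that are placeholders, and a hypothetical `/api/` route layout and `roles` claim; a real deployment would verify against the issuer's JWKS instead of a shared secret.

```rego
package envoy.authz

import rego.v1

# Shorthand for the HTTP attributes Envoy's ext_authz filter sends to OPA.
import input.attributes.request.http as http_request

# Placeholder values for the demo; in production load the verification key
# (e.g. a JWKS "cert") and issuer from bundle data rather than hard-coding them.
hmac_secret := "change-me-demo-secret"
expected_issuer := "https://issuer.example"

default allow := false

# Bearer token from the Authorization header; undefined if absent or malformed.
bearer_token := t if {
	["Bearer", t] = split(http_request.headers.authorization, " ")
}

# Bullet 2: decoded claims only exist when signature, algorithm, issuer and
# expiry all check out, so every rule that reads `claims` is already gated.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(bearer_token, {
		"secret": hmac_secret,
		"alg": "HS256",
		"iss": expected_issuer,
		"time": time.now_ns(),
	})
	valid
}

# Bullet 1: access rules for service-to-service calls. Any caller with a
# verified token may read under /api/; only the "billing" role may create invoices.
allow if {
	http_request.method == "GET"
	startswith(http_request.path, "/api/")
	claims.sub != ""
}

allow if {
	http_request.method == "POST"
	http_request.path == "/api/invoices"
	"billing" in claims.roles
}

# Bullet 3: headers added to the upstream request, populated only on allow.
# The partial object is {} when nothing matches, so the response stays valid on deny.
headers["x-jwt-sub"] = claims.sub if allow
headers["x-jwt-roles"] = concat(",", claims.roles) if allow

status := 200 if allow
status := 403 if not allow

# Decision object returned to Envoy: allow/deny, extra request headers, HTTP status.
response := {
	"allowed": allow,
	"headers": headers,
	"http_status": status,
}
```

With this policy loaded, the sidecar Envoy asks OPA for `data.envoy.authz.response` on every request; a missing or tampered token leaves `claims` undefined, so both `allow` rules fail closed and the request is rejected with 403 before it reaches the service.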

mhmnemati commented 3 years ago

I was thinking about the ways of configuring OPA as an alternative to Sentinel for access control of routing rules.

I have a Nomad application which directly interacts with Consul, and I need to add policies the same way as a Nomad job deployment.

Can we directly configure Envoy through Consul service configuration?