istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Update to Istio 1.6+ #116

Closed margocrawf closed 3 years ago

margocrawf commented 4 years ago

Ensure that our project is compatible with Istio 1.6 (or 1.7 once it's out)

margocrawf commented 4 years ago

#106 seems to point to a problem with the way headers are preserved when they pass through the Istio RBAC components.

ipuustin commented 4 years ago

The examples also talk about Policy CRDs, even though they are removed from Istio 1.6 and 1.7. RequestAuthentication + AuthorizationPolicy should be used instead AFAIK.
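
As an added illustration (not part of the thread and not taken from the authservice repository), this is the general shape of the RequestAuthentication + AuthorizationPolicy pair named in the comment above. The resource names, namespace, workload label, issuer and jwksUri are placeholder assumptions.

```yaml
# Added example: every name, label and URL below is a placeholder assumption.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: productpage-jwt            # hypothetical resource name
  namespace: default               # assumed namespace
spec:
  selector:
    matchLabels:
      app: productpage             # assumed workload label
  jwtRules:
    - issuer: "https://idp.example.com/"                         # placeholder issuer
      jwksUri: "https://idp.example.com/.well-known/jwks.json"   # placeholder JWKS URL
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-require-jwt    # hypothetical resource name
  namespace: default               # assumed namespace
spec:
  selector:
    matchLabels:
      app: productpage             # same assumed workload label as above
  action: ALLOW
  rules:
    - from:
        - source:
            # Matches any request that carries a validated JWT principal;
            # requests with no token match no rule and are denied.
            requestPrincipals: ["*"]
```

RequestAuthentication on its own only rejects requests that carry an invalid token; the AuthorizationPolicy is what rejects requests with no token at all.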

cflewis commented 4 years ago

I just hit the examples problem. I only found out once I hit the Policy CRD :facepalm:

It would be very good if this was fixed; it's very unclear to me how to transition this custom resource to the new ones.

cflewis commented 4 years ago

@cfryanr for visibility, as there's no way to onboard people to use authservice at this point.

jeff-mccoy commented 4 years ago

We're using with Istio 1.7 with Authservice running in its own namespace and only using ext_authz from Envoy. We add the label protect: keycloak for any workloads we need to protect and do not use Istio's additional Authz/Authn CRDs.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-filter-cluster
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      protect: keycloak
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz"
            stat_prefix: ext_authz
            grpc_service:
              timeout: 30s
              google_grpc:
                stat_prefix: ext_authz
                target_uri: authservice.authservice.svc.cluster.local:10003

davidberglund commented 3 years ago

What are the latest Istio/k8s releases that are known to work with the bookinfo example, please? Worked through it yesterday but got stuck when trying to add Policy.

Update: I searched through change notes back to 1.5 and couldn't find where this was removed? Trying to decide if downgrading temporarily or if a better implementation with docs might be coming soon.

incfly commented 3 years ago

Master now works with 1.9+ Istio release. Mark as obsolete.