istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Update the authservice to the Istio 1.9+ #149

Closed incfly closed 3 years ago

incfly commented 3 years ago

The doc and the setup require some setup. This issue captures the changes including

anhdle14 commented 3 years ago

Should I abandon the PR #145 and work with you on this instead?

Although Ext-authz is recommended I was thinking we should still provide EnvoyFilter as a backward compatibility solution when Istio decide to change ext-authz.

As highlighted in the doc: The following information describes an experimental feature, which is intended for evaluation purposes only.

2 things I am working on right now are:

Should I create a new PR for these changes?

incfly commented 3 years ago

Even though that is an experimental feature, it's added to the beta authorization policy. I would expect the performance stability can be improved as it goes to alpha, beta and stable, but the API semantics should still be the same. EnvoyFilter, on the other hand, Istio would not maintain any promise for anyway. I originally thought it's fine to add an EnvoyFilter for backward compatibility, but the last version without external authz, 1.8, should be out of support already. https://istio.io/latest/docs/releases/supported-releases/. It might also confuse users as to which one to choose.

ConfigMap is easier for people to see and understand. But it would be better provided as a Secret instead.

I agree. This avoids putting the sensitive information in plaintext in the config directly.

And the mesh.config can be done via Istio-operator other than manually edit it.

Good idea. This can also help to streamline the installation onboarding process.
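The Istio 1.9+ wiring discussed in this thread (an extension provider declared in mesh config through the operator, an `AuthorizationPolicy` with `action: CUSTOM` instead of an `EnvoyFilter`, and the authservice config held in a Secret rather than a ConfigMap), as an added example that is not part of the authservice repo or this issue. It assumes authservice runs as Service `auth-service` in namespace `default` on gRPC port 10003, that the protected workload is labelled `app: httpbin`, and that authservice reads `/etc/authservice/config.json`; the placeholder stands in for the real config contents.

```yaml
# Added example (not project code). Assumed names: auth-service, port 10003,
# app=httpbin, config path /etc/authservice/config.json.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-with-authservice
  namespace: istio-system
spec:
  meshConfig:
    extensionProviders:
    - name: authservice-grpc            # referenced by the AuthorizationPolicy below
      envoyExtAuthzGrpc:
        service: auth-service.default.svc.cluster.local
        port: "10003"
---
# CUSTOM action hands every matching request to the external authorizer.
# A deny from authservice surfaces as 403 unless it answers with the OIDC
# redirect, which is why a misconfigured provider shows up exactly as a 403.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-authservice
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: CUSTOM
  provider:
    name: authservice-grpc
  rules:
  - to:
    - operation:
        notPaths: ["/healthz"]          # keep the health check unauthenticated
---
# Client secret and the rest of the authservice config live in a Secret,
# mounted into the authservice pod at the assumed config path.
apiVersion: v1
kind: Secret
metadata:
  name: authservice-config
  namespace: default
type: Opaque
stringData:
  config.json: "<PLACEHOLDER: authservice config.json including client_secret>"
```

Apply the operator resource with `istioctl install -f`, then the policy and Secret with `kubectl apply -f`; the Secret must be referenced as a volume in the authservice Deployment in place of the ConfigMap.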

anhdle14 commented 3 years ago

Sure, no problem. I will try to work on it in the weekend. But this is my first time contributing so it may take longer than what you expected.

Anyway, regarding the new docs for Istio 1.9+. I tried to implement it with httpbin and got this error in the authservice/istio-proxy container. And when trying to access the Ext-authz path I only received 403 and there is no redirect to the OIDC login page. I don't think I changed anything major.

2021-08-18T23:53:01.570508Z     warning envoy config    gRPC config for type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment rejected: malformed IP address: auth-service.default.svc.cluster.local. Consider setting resolver_name or setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'
2021-08-18T23:53:01.570514Z     warning envoy config    gRPC config for type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment rejected: malformed IP address: auth-service.default.svc.cluster.local. Consider setting resolver_name or setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'
2021-08-18T23:53:01.570520Z     warning envoy config    gRPC config for type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment rejected: malformed IP address: auth-service.default.svc.cluster.local. Consider setting resolver_name or setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'
2021-08-18T23:53:01.570527Z     warning envoy config    gRPC config for type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment rejected: malformed IP address: auth-service.default.svc.cluster.local. Consider setting resolver_name or setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'
incfly commented 3 years ago

From the log it seems like there's a cluster endpoint with name rather than IP. Not sure how it ends up like this. Have you tried the bookinfo-example/README.md with updated helm packages? This works for me.

incfly commented 3 years ago

@anhdle14 sorry, I spoke too soon. You are right, there are some issues that will give you 403. I already found the problems, will update the doc and config soon.