Closed perezjasonr closed 3 years ago
OK, I found a small mistake: the extension provider had a typo in my Istio operator YAML which didn't match up with the auth policy. Once I fixed that, I get:
Access to bookinfo.domain.com/productpage was denied
I have the same gateway/vs/destinationrule in the example but instead of "*" hosts I put bookinfo.domain.com for hosts.
Is this not possible via the ingress route unless we edit the ingress gateway to have the authservice container running in it? My impression from the docs was that this was just sort of a performance improvement but not required.
And as mentioned above, I didn't make a service entry (seems to only be if you want the sidecar route, which I don't want).
And I don't see EnvoyFilter mentioned in the docs, so I presume we don't have to have that either?
Once authservice is deployed I can't reach Keycloak anymore either (same error). I'm wondering if the Google example works because it's outside k8s, and wondering if authservice is trying to reach Keycloak and getting locked out somehow. Or perhaps Istio is trying to reach authservice and getting locked out. If this is the case, is there any info on trying to use authservice/Istio/Keycloak where Keycloak resides inside k8s?
With the configmap above I expected it to try to take me to the Keycloak login, not just "denied". I'm not sure what I'm missing here.
After continuing to troubleshoot and reviewing, I'm starting to think the ingress route (meaning non application sidecar, and non sidecar w/ ingressgateway) is only doable with Istio 1.10. If we could confirm that, it would be appreciated.
I think I figured out what it was: the filter/chain was too broad, so it was locking me out of stuff I didn't intend to for my POC setup. Now I'm having issues with the trusted cert field, but that's a separate issue, so closing this.
Having a really difficult time following the docs for a standalone authservice deployment (the non sidecar method). Instead of Google I'm trying to use Keycloak.
I'm basically using the templates here:
https://github.com/istio-ecosystem/authservice/tree/master/bookinfo-example/authservice/templates
but using keycloak values, so for the configmap
but all this gets me is: RBAC: access denied
I can't figure out what could be missing and I can't find it in the docs. I noticed serviceEntry is conditional, seems to only be if "productpage" is set, but I'm trying to do ingress.
I heard others getting this RBAC problem, but they were using Istio 1.10, but we're on 1.9, so I thought it wouldn't apply here (perhaps I understood it wrong and you need to be 1.10 to get past this???). Is there something else authservice needs for this to work? I think many others will go down this same path.
thank you.
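The two findings in this thread (the extension provider name has to match between the IstioOperator and the authorization policy, and a policy scoped too broadly also locks out Keycloak) can be shown as a configuration sketch. This is an added example, not taken from the thread or from the authservice repository; the provider name `authservice-grpc`, the service address, the port, and the namespaces are assumptions, and only `bookinfo.domain.com` comes from the thread.

```yaml
# IstioOperator fragment: registers authservice as an external authorizer.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: authservice-grpc          # assumed name; must match provider.name below exactly
      envoyExtAuthzGrpc:
        service: authservice.default.svc.cluster.local   # assumed service/namespace
        port: 10003                                       # assumed authservice listen port
---
# CUSTOM policy on the ingress gateway, limited to the protected host.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authservice-ext-authz         # assumed name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: authservice-grpc            # same string as extensionProviders[].name
  rules:
  - to:
    - operation:
        # Only the application host goes through authservice. Omitting
        # `hosts` (or using "*") would send every host served by this
        # gateway, including a Keycloak host, to the external authorizer,
        # so the login page itself would require a login.
        hosts: ["bookinfo.domain.com"]
```

Comparing the output of `kubectl get authorizationpolicy -A -o yaml` with the `extensionProviders` list in the mesh config is a quick way to confirm the two names agree.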