Closed nacx closed 7 months ago
I would suggest including a RequestAuthentication and ALLOW AuthorizationPolicy which verify the JWT in the example config. Maybe include a comment to inform users that the CUSTOM AuthorizationPolicy runs first and these run afterwards.
Prior to https://github.com/istio-ecosystem/authservice/pull/187 and https://github.com/istio-ecosystem/authservice/pull/223, this was really the only way to deploy authservice safely: various requests would be allowed through authservice in undesired ways, mostly bypassing authentication. Having Istio perform JWT validation after authservice mitigated this and was the previous recommendation from the authservice developers: https://github.com/istio-ecosystem/authservice/issues/140#issuecomment-1197085674.
I think all of those old issues have been resolved now, and this would now just be extra defense in depth. (If the official recommendation has changed and Istio validation of the JWT is no longer considered required, some updated documentation would be appreciated.)
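The layered setup discussed above, as an added example that is not part of this thread or the authservice project's own config. It assumes a workload labelled `app=httpbin` in the `default` namespace, authservice reachable in the mesh as `authservice.authservice.svc.cluster.local` on port `10003`, and an identity provider whose issuer is `https://issuer.example.com`; all of those names are placeholders.

```yaml
# Added example (not the authservice project's own config). Assumed names:
# workload app=httpbin in namespace default, authservice Service
# authservice.authservice.svc.cluster.local:10003, issuer https://issuer.example.com.

# 1. Register authservice as an ext_authz provider. This fragment belongs in
#    the Istio MeshConfig (the istio ConfigMap or IstioOperator meshConfig).
meshConfig:
  extensionProviders:
  - name: authservice
    envoyExtAuthzGrpc:
      service: authservice.authservice.svc.cluster.local
      port: 10003
---
# 2. CUSTOM policy: hand requests for the workload to authservice.
#    Istio evaluates CUSTOM policies before DENY and ALLOW policies, so this is
#    the first policy to run; authservice drives the OIDC login and forwards
#    the resulting token to the workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authservice
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: CUSTOM
  provider:
    name: authservice   # must match the extensionProviders entry above
  rules:
  - {}                  # a single empty rule matches every request
---
# 3. Validate the forwarded JWT in the sidecar. On its own this only rejects
#    requests that carry an INVALID token; a request with no token at all still
#    passes, which is why the ALLOW policy in step 4 is required.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
    forwardOriginalToken: true   # keep the token so the app can read claims
---
# 4. ALLOW policy: require a request principal, i.e. a JWT that step 3
#    accepted. Anything that reaches this point without a validated token is
#    denied by the sidecar, regardless of what authservice decided.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

`requestPrincipals: ["*"]` accepts any principal produced by a matching `jwtRules` entry; Istio builds the principal as `<issuer>/<subject>`, so `"https://issuer.example.com/*"` would pin the policy to that one issuer. `forwardOriginalToken` defaults to false, in which case the sidecar strips the `Authorization` header after validating it, so set it to true when the application itself needs the token. To check the ordering claim in the thread, send a request with a bogus `Authorization: Bearer` header and one with no header at all: the first should be rejected by the RequestAuthentication, the second by the ALLOW policy.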
Sounds good. I'll add those examples!
Done
All modified and coverable lines are covered by tests :white_check_mark:
:exclamation: No coverage uploaded for pull request base (main@1df3e7e).
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: nacx, sergicastro
The only configs we had are the e2e ones, but it may be hard to get there when you're just trying to get started. Having a minimal set of configs that are easy to copy/paste will be very helpful.