salrashid123 / istio_external_authorization_server

Tutorial to setup a simple Istio external authorization server
Apache License 2.0
52 stars 16 forks

Example with non-deprecated EnvoyFilter fields? #1

Closed prestonvanloon closed 4 years ago

prestonvanloon commented 4 years ago

First of all, thank you for maintaining such a detailed example for ext_authz in istio and thanks for leading me here.

I have been trying to understand and use an EnvoyFilter for ext_authz in Istio 1.3. However, the examples here are using deprecated fields which are undocumented and likely removed already in a recent version of Istio. (According to https://github.com/istio/api/pull/1344, these fields have been removed from Pilot already).

Would it be possible to update this example with the non-deprecated EnvoyFilter fields?

Context link: https://github.com/istio/istio/issues/21841#issuecomment-639887372

salrashid123 commented 4 years ago

I think the following would work (I ran a very quick check, but if you can reconfirm, I'll update the repo):

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          config:
            grpc_service:
              envoy_grpc:
                cluster_name: patched.authz.authz-ns.svc.cluster.local
---
# https://github.com/istio/istio/issues/21841
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-filter-cluster-patch
  namespace: istio-system
spec:
  # workloadLabels is the older selector field; a later comment in this thread
  # reports it no longer matches anything on Istio 1.6 (use workloadSelector there)
  workloadLabels:
    app: istio-ingressgateway
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        service: authz.authz-ns.svc.cluster.local
    patch:
      operation: MERGE
      value:
        name: "patched.authz.authz-ns.svc.cluster.local"

salrashid123 commented 4 years ago

seems to work; pls reopen if not

JacobSMoller commented 4 years ago

@salrashid123 workloadLabels doesn't seem to work in istio 1.6.x at least :).

When I did that, the cluster patch seemed to apply to all sidecars as well, because the selector didn't match anything. Updating it to

workloadSelector:
  labels:
    app: istio-ingressgateway

or

workloadSelector:
  labels:
    istio: ingressgateway

seems to fix the issue I saw.

Mostly a heads up if someone else drops by this repo.
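A pre-apply check for the failure mode described in the last comment, added here as an example (it is not code from this repo): it scans a multi-document manifest for EnvoyFilter objects whose spec carries no workloadSelector, including ones still written with the older workloadLabels key, which Istio drops as unknown so the patch is no longer scoped to the ingress gateway. It assumes two-space YAML indentation as used in the thread, and the sample manifest is constructed.

```python
import re

# Constructed sample (not from the repo): the thread's cluster patch, using the field name Istio 1.6 no longer recognizes.
SAMPLE_MANIFEST = """\
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-filter-cluster-patch
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  configPatches:
  - applyTo: CLUSTER
"""


def spec_keys(doc: str):
    """Return the keys nested directly under 'spec:' (indented by exactly 2)."""
    keys, in_spec = [], False
    for line in doc.splitlines():
        if re.match(r"^spec:\s*$", line):
            in_spec = True
        elif in_spec and line and not line.startswith(" "):
            break                                   # next top-level key
        elif in_spec:
            m = re.match(r"^  (\w+):", line)
            if m:
                keys.append(m.group(1))
    return keys


def check_envoyfilters(manifest: str):
    """One finding per EnvoyFilter not scoped by workloadSelector.

    Istio drops unknown spec fields, so the old 'workloadLabels' key leaves
    the filter unscoped and, from istio-system, it reaches every proxy."""
    findings = []
    for doc in re.split(r"^---\s*$", manifest, flags=re.M):
        if not re.search(r"^kind:\s*EnvoyFilter\s*$", doc, re.M):
            continue
        m = re.search(r"^  name:\s*(\S+)", doc, re.M)
        name = m.group(1) if m else "<unnamed>"
        keys = spec_keys(doc)
        if "workloadSelector" in keys:
            continue
        reason = ("deprecated workloadLabels is dropped" if "workloadLabels" in keys
                  else "no workloadSelector")
        findings.append(f"{name}: {reason}; patch applies to every proxy in scope")
    return findings
```

Running it over the manifest before `kubectl apply` turns the silent mesh-wide patch into a visible finding.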