salrashid123 / istio_external_authorization_server

Tutorial to setup a simple Istio external authorization server
Apache License 2.0

What happens if the authz service has multiple ports? #2

Open kevinmichaelchen opened 4 years ago

kevinmichaelchen commented 4 years ago

Currently the envoyfilter looks like:

# https://github.com/istio/istio/issues/21841
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-filter-cluster-patch
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        service: authz.authz-ns.svc.cluster.local
    patch:
      operation: MERGE
      value:
        name: "patched.authz.authz-ns.svc.cluster.local"

We're providing the fully qualified service name for the cluster as authz.authz-ns.svc.cluster.local, but how does the authz filter know what port the gRPC authz endpoint is running on?

What happens if authz.authz-ns.svc.cluster.local runs on multiple ports? I tried something like https://github.com/istio/istio/issues/21841#issuecomment-623298141, to no avail.

Here's my example repo where I'm trying to get this to work: https://github.com/kevinmichaelchen/istio-authz-example

EDIT: I should've started by saying thank you for providing this example. I've learned quite a bit and this is one of the few examples I could find showing Istio + authz.

EDIT 2: Looks like traffic is making it to my istio-proxy sidecar pod but not being routed to my actual Go code.

salrashid123 commented 4 years ago

the extAuthz runs as a Service so this section defines the port https://github.com/salrashid123/istio_external_authorization_server/blob/master/ext_authz_filter.yaml.tmpl#L125-L129

From edit 2, you're seeing traffic inbound to the authz's proxy but not to the service?

kevinmichaelchen commented 4 years ago

Yeah, I've defined the ports in my service.

When I make a network request:

# this is supposed to fail
curl -i -HHost:api.example.com \
  "http://$INGRESS_HOST:$INGRESS_PORT/secure"

# this is supposed to succeed
curl -i -HHost:api.example.com \
  "http://$INGRESS_HOST:$INGRESS_PORT/secure" \
  -H "Authorization: Bearer kevin"

and then inspect the logs:

kubectl logs -n authz-ns  -l app.kubernetes.io/name=api --all-containers=true
kubectl logs -n authz-ns  -l app.kubernetes.io/name=api -c istio-proxy

I see that the local Envoy proxy (the istio-proxy sidecar container) logs this:

[2020-08-25T14:46:42.882Z] "GET /secure HTTP/1.1" 200 - "-" "-" 0 6 0 0 "192.168.65.3" "curl/7.64.1" "3740e5bb-07a7-9d06-ae10-7af793b600b5" "api.example.com" "127.0.0.1:8081" inbound|8081|http|api.authz-ns.svc.cluster.local 127.0.0.1:57632 10.1.7.201:8081 192.168.65.3:0 outbound_.8081_._.api.authz-ns.svc.cluster.local default

My EnvoyFilter looks like:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: extauth-sample
  namespace: authz-ns
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: envoy.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
          grpc_service:
            google_grpc:
              target_uri: patched.api.authz-ns.svc.cluster.local:8082
              stat_prefix: ext_authz
            timeout: 2s

I've also tried using api.authz-ns.svc.cluster.local:8082 as my target_uri.
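One way to make the port explicit when the authz Service exposes several ports, as an added example that is not part of this repository or of the thread above: instead of pointing `google_grpc.target_uri` at a host:port (which bypasses Envoy's cluster table) or renaming the cluster with a separate CLUSTER patch, reference the per-port outbound cluster that Istio already generates for each Service port, named `outbound|<port>||<host>`. The Service name `authz`, namespace `authz-ns`, the port numbers 8082/8081 and the gateway label are assumptions chosen to match the thread; the `grpc-` port-name prefix is what tells Istio to treat that port as gRPC/HTTP2.

```yaml
# Added example, not from the salrashid123 repository or the issue above.
# A two-port authz Service plus a gateway EnvoyFilter that selects port 8082
# by its Istio-generated cluster name. Names, namespace and ports are assumed.
apiVersion: v1
kind: Service
metadata:
  name: authz
  namespace: authz-ns
spec:
  selector:
    app: authz
  ports:
  # "grpc-" prefix: Istio applies HTTP2/gRPC protocol handling to this port,
  # which the ext_authz gRPC client requires.
  - name: grpc-authz
    port: 8082
    targetPort: 8082
  # A second port on the same Service, e.g. a plain HTTP health endpoint;
  # it gets its own outbound|8081||authz.authz-ns.svc.cluster.local cluster.
  - name: http-health
    port: 8081
    targetPort: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-gateway
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          # Fail closed: an unreachable authz service denies the request
          # instead of letting it through.
          failure_mode_allow: false
          grpc_service:
            # envoy_grpc sends the Check RPC through an Envoy cluster, so the
            # port is chosen here by the cluster name; no CLUSTER patch needed.
            envoy_grpc:
              cluster_name: outbound|8082||authz.authz-ns.svc.cluster.local
            timeout: 2s
```

Before applying the filter, confirm the gateway proxy actually has that cluster: `istioctl proxy-config cluster <ingressgateway-pod> -n istio-system --fqdn authz.authz-ns.svc.cluster.local` lists one outbound cluster per Service port, and the 8082 entry must be present with the exact name used in `cluster_name`. If only 8081 shows up, the gRPC port is not being exported (check the port name prefix and any Sidecar resource scoping on the gateway).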