Is having an HTTP service as an external authorization service supported in Istio?

Question

I have seen an example of an EnvoyFilter in Istio where grpc_service is supported as the filterConfig for an external service call-out.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  filters:
  - insertPosition:
      index: FIRST            # run before the other HTTP filters
    listenerMatch:
      listenerType: SIDECAR_INBOUND
      listenerProtocol: HTTP
    filterType: HTTP
    filterName: "envoy.ext_authz"
    filterConfig:
      grpc_service:           # gRPC authorization service
        google_grpc:
          target_uri: 127.0.0.1:9191
          stat_prefix: "ext_authz"

But I want to use my external service as the filterConfig using http_service instead of grpc_service, but every time I get a 404 Not Found error.

Is http_service supported as filterConfig in Istio's envoyFilter?

Version info: GKE is 14 and Istio is 1.1.17

Answer 1

Score: 1

Update: modified entire answer.

After further verification, it appears that Istio had an http_service authorization service in the past, but it was not fully functional.

There were attempts to implement external HTTP service authorization for older versions of Istio, however it did work and the only workaround solutions were to use the http lua filter or the Nginx-Ingress Controller as an Ingress Gateway that delegates the authentication part.

All of the above cases can be found in this GitHub issue. The HTTP call was successful but the headers were not being passed.

Here is another attempt at running http_service as an authorization service.


As you noticed, the Envoy documentation for the Envoy 1.11.0 http_service filterConfig has a different syntax. Therefore, I suggest trying the filter configuration from the GitHub issue. And if it doesn't work, try the http lua filter as a workaround.

HTTP service as an external authorization service is not mentioned in the Istio documentation, so I think it's safe to say it's not fully supported.
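
An added example, not part of the original answer and not Istio or Envoy project code: a minimal HTTP authorization service of the kind an http_service filterConfig would call, listening on the 127.0.0.1:9191 address from the question. It assumes Envoy's HTTP ext_authz contract (the original method and path are forwarded, status 200 allows, any other status goes back to the client); the token, identity header and user name are hypothetical.

```python
"""Minimal HTTP authorization service for Envoy's ext_authz http_service mode.

Assumed contract (Envoy ext_authz, HTTP mode): Envoy forwards the original
method and path (after an optional path_prefix) plus selected headers;
status 200 allows the request, any other status is sent back to the client.
"""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_TOKEN = "constructed-demo-token"   # hypothetical; load from a secret store
IDENTITY_HEADER = "x-auth-user"          # hypothetical header handed upstream


def decide(headers):
    """Return (status, extra_headers) for lower-cased request headers."""
    value = headers.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"www-authenticate": "Bearer"}
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
        return 403, {}
    return 200, {IDENTITY_HEADER: "demo-user"}


class AuthzHandler(BaseHTTPRequestHandler):
    def _check(self):
        # Decide on headers only: the path is the *original* request path,
        # so routing on one fixed URL here would answer 404 and deny the call.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        status, extra = decide(lowered)
        self.send_response(status)
        for name, val in extra.items():
            self.send_header(name, val)
        self.send_header("content-length", "0")
        self.end_headers()

    # Envoy reuses the client's method, so every verb must be answered.
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = do_OPTIONS = _check


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9191), AuthzHandler).serve_forever()
```

The identity header set on a 200 response reaches the upstream only if the filter's http_service configuration lists it as an allowed header, and the field used for that differs between Envoy versions.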

huangapple
  • Posted on January 3, 2020, 18:20:32
  • When reposting, please keep the link to this article: https://go.coder-hub.com/59576805.html