Description
This ticket addresses the setup with Istio + Envoy in a Kubernetes environment. This ticket provides a working example of an Istio setup and could be potentially adapted to any Envoy-based gateway such as Ambassador.
The version of Istio used is the latest available: 1.8.1.
Related ticket #263.
The following EnvoyFilter is working with a setup of ory Hydra (1.8.5) + Kratos (0.5.5) + Oathkeeper (0.38.5).
I would like to request a review by the ory team and ask whether they could verify that all the headers used by oathkeeper have been whitelisted.
Hopefully, this YAML will be useful and save some time and many headaches for all those who need to set up Istio as an edge proxy.
Our setup is working on both GKE and AWS with 2 ingresses (one secured with IAP and one public) which point to 2 Istio ingress gateways (NodePort) which authenticate and authorize requests via oathkeeper (EnvoyFilter).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: oathkeeper
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          failure_mode_allow: false
          http_service:
            path_prefix: /decisions
            server_uri:
              uri: http://oathkeeper-api.oathkeeper.svc.cluster.local:4456
              cluster: outbound|4456||oathkeeper-api.oathkeeper.svc.cluster.local
              timeout: 10s
            authorization_request:
              allowed_headers:
                patterns:
                - exact: accept
                - exact: authorization
                - exact: cookie
                - exact: content-type
                - exact: x-forwarded-for
                - exact: x-forwarded-proto
                - exact: x-forwarded-host
            authorization_response:
              allowed_upstream_headers:
                patterns:
                - exact: authorization
```
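The two things a reviewer would check in the filter above are that it fails closed (`failure_mode_allow: false`, so a dead or slow oathkeeper does not let traffic through) and that the allow-lists actually forward the headers oathkeeper's access rules key on. The script below is an added example, not code from this issue, from ory or from Istio. It keeps a constructed copy of the filter's `typed_config` as a Python dict, lints it for the fail-open flag and missing headers, and simulates Envoy's header allow-list so you can see which client headers reach `/decisions`. The `REQUIRED_*` sets, the `fail_open_variant` misconfiguration and the sample request headers are assumptions for illustration; adjust the sets to whatever your oathkeeper rules need. One caveat worth confirming against the Envoy docs for your version: Envoy matches `allowed_headers` patterns against lowercased header names, so an `exact` pattern written with capitals will not match unless `ignore_case` is set, and Envoy adds Host, Method, Path and Content-Length to the authorization request on its own (not modelled here).

```python
"""Offline lint of an Envoy ext_authz http_service config (added example)."""
import copy
import re
from typing import Dict, Iterable, List

# Constructed copy of the typed_config from the EnvoyFilter in this issue.
EXT_AUTHZ = {
    "failure_mode_allow": False,
    "http_service": {
        "path_prefix": "/decisions",
        "server_uri": {
            "uri": "http://oathkeeper-api.oathkeeper.svc.cluster.local:4456",
            "cluster": "outbound|4456||oathkeeper-api.oathkeeper.svc.cluster.local",
            "timeout": "10s",
        },
        "authorization_request": {
            "allowed_headers": {
                "patterns": [{"exact": h} for h in (
                    "accept", "authorization", "cookie", "content-type",
                    "x-forwarded-for", "x-forwarded-proto", "x-forwarded-host")]
            }
        },
        "authorization_response": {
            "allowed_upstream_headers": {"patterns": [{"exact": "authorization"}]}
        },
    },
}

# Assumption: oathkeeper needs the credentials plus x-forwarded-proto/host to
# rebuild the request URL for rule matching. Extend to match your rules.
REQUIRED_REQUEST_HEADERS = {"authorization", "cookie", "x-forwarded-proto", "x-forwarded-host"}
REQUIRED_UPSTREAM_HEADERS = {"authorization"}


def header_matches(name: str, pattern: Dict) -> bool:
    """Apply one Envoy StringMatcher (exact/prefix/suffix/contains/safe_regex)
    to a header name. The name is lowercased first, as Envoy stores it;
    the pattern is only lowercased when ignore_case is set."""
    name = name.lower()
    fold = (lambda s: s.lower()) if pattern.get("ignore_case") else (lambda s: s)
    if "exact" in pattern:
        return name == fold(pattern["exact"])
    if "prefix" in pattern:
        return name.startswith(fold(pattern["prefix"]))
    if "suffix" in pattern:
        return name.endswith(fold(pattern["suffix"]))
    if "contains" in pattern:
        return fold(pattern["contains"]) in name
    if "safe_regex" in pattern:
        return re.fullmatch(pattern["safe_regex"]["regex"], name) is not None
    raise ValueError(f"unsupported matcher: {pattern}")


def forward_headers(request_headers: Dict[str, str], patterns: List[Dict]) -> Dict[str, str]:
    """Subset of client headers that the allow-list lets through to the
    authorization service (lowercased keys, as Envoy sends them)."""
    return {k.lower(): v for k, v in request_headers.items()
            if any(header_matches(k, p) for p in patterns)}


def lint_ext_authz(cfg: dict, required_request: Iterable[str],
                   required_upstream: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    findings: List[str] = []
    if cfg.get("failure_mode_allow", False):
        findings.append("failure_mode_allow is true: requests are allowed when "
                        "the authz service is unreachable or times out (fail-open)")
    http = cfg.get("http_service", {})
    req_patterns = (http.get("authorization_request", {})
                    .get("allowed_headers", {}).get("patterns", []))
    for h in sorted(required_request):
        if not any(header_matches(h, p) for p in req_patterns):
            findings.append(f"client header '{h}' is not forwarded to the authz service")
    up_patterns = (http.get("authorization_response", {})
                   .get("allowed_upstream_headers", {}).get("patterns", []))
    for h in sorted(required_upstream):
        if not any(header_matches(h, p) for p in up_patterns):
            findings.append(f"authz response header '{h}' is not passed upstream")
    for p in req_patterns + up_patterns:
        if "exact" in p and p["exact"] != p["exact"].lower() and not p.get("ignore_case"):
            findings.append(f"exact pattern '{p['exact']}' contains uppercase letters "
                            "and will not match the lowercased header name")
    return findings


def fail_open_variant() -> dict:
    """Constructed misconfiguration for comparison: fail-open, cookie dropped,
    and a mixed-case exact pattern that silently never matches."""
    bad = copy.deepcopy(EXT_AUTHZ)
    bad["failure_mode_allow"] = True
    pats = bad["http_service"]["authorization_request"]["allowed_headers"]["patterns"]
    pats[:] = [p for p in pats if p["exact"] != "cookie"]
    pats.append({"exact": "X-Request-Id"})
    return bad


if __name__ == "__main__":
    for label, cfg in (("issue config", EXT_AUTHZ), ("fail-open variant", fail_open_variant())):
        print(label, lint_ext_authz(cfg, REQUIRED_REQUEST_HEADERS, REQUIRED_UPSTREAM_HEADERS) or "OK")
    # Constructed client request: only allow-listed headers reach oathkeeper.
    sample = {"Cookie": "ory_kratos_session=abc", "Authorization": "Bearer t",
              "X-Api-Key": "secret", "Accept": "*/*"}
    print(forward_headers(sample, EXT_AUTHZ["http_service"]["authorization_request"]["allowed_headers"]["patterns"]))
```

Running it prints `OK` for the posted filter and three findings for the constructed variant; the header simulation shows that `X-Api-Key` never reaches oathkeeper, which is exactly the kind of silent drop that makes an API-key authenticator in an oathkeeper rule fail with an unauthorized response rather than an obvious error.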