
Update Istio Envoy docs to use AuthorizationPolicy instead of EnvoyFilter #492

Merged (1 commit), Nov 30, 2023

Conversation

@tjons (Collaborator) commented Nov 23, 2023

Resolves open-policy-agent/opa#5911 by rewriting the quick_start.yaml file to use the Istio AuthorizationPolicy with a CUSTOM authorizer instead of the unstable EnvoyFilter API. I've also added some instructions to the YAML file as a comment on how to register the OPA sidecars as an external authorizer in the meshconfig object.

I'm working on resolving the issues with the Istio e2e tests - the mesh config object needs to be modified directly in this case to register OPA as the external authorizer so I'm figuring out how to automate that in the end-to-end tests
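As an added example (not the PR's quick_start.yaml and not code from the opa-envoy-plugin project), here are the three objects the description refers to, written the way the review settles on: the `v1beta1` API, an `exportTo` scope on the ServiceEntry, and an explicit catch-all rule on the CUSTOM policy. The provider name, host, port 9191, namespace and workload label are assumptions, and the mesh ConfigMap is shown only for the key being added.

```yaml
# (1) MeshConfig: register the OPA sidecar as an ext_authz provider.
# Istio keeps this as a YAML *string* under data.mesh in the "istio" ConfigMap,
# so it cannot be merged structurally; the whole string must be rewritten and
# every key already present must be preserved.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    # ... existing mesh settings stay here ...
    extensionProviders:
    - name: opa-ext-authz-grpc              # assumed provider name
      envoyExtAuthzGrpc:
        service: opa-ext-authz-grpc.local   # must match the ServiceEntry host
        port: 9191                          # assumed OPA gRPC listener port
---
# (2) ServiceEntry: resolves the provider host to the OPA sidecar in the pod.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: opa-ext-authz-grpc-local
  namespace: default                        # assumed application namespace
spec:
  hosts:
  - opa-ext-authz-grpc.local
  endpoints:
  - address: 127.0.0.1                      # the sidecar in the same pod
  ports:
  - name: grpc
    number: 9191
    protocol: GRPC
  resolution: STATIC
  exportTo: ["."]                           # visible only in this namespace
---
# (3) AuthorizationPolicy: hand matching requests to the CUSTOM provider.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: opa-ext-authz
  namespace: default
spec:
  selector:
    matchLabels:
      app: example-app                      # assumed workload label
  action: CUSTOM
  provider:
    name: opa-ext-authz-grpc                # must match the provider above
  rules:
  - {}   # an unconditioned rule matches everything; with no rules, nothing reaches OPA
```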

@howardjohn left a comment


LGTM (as an Istio maintainer)

rules:
- to:
- operation:
paths: ["/*"]
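Review bot: the `paths: ["/*"]` matcher on the `to.operation` rule adds nothing, because a rule with no conditions (`- {}`) already matches every request; if it is dropped, keep that empty rule rather than removing `rules` entirely, since an AuthorizationPolicy with `action: CUSTOM` and no rules matches nothing and therefore never forwards a request to the external authorizer.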


Do we need this? if so, why?

@tjons (Collaborator, Author):

nope! unnecessary

############################################################
# ServiceEntry to register the OPA-Istio sidecars as external authorizers.
############################################################
apiVersion: networking.istio.io/v1alpha3


Suggested change: `apiVersion: networking.istio.io/v1alpha3` -> `apiVersion: networking.istio.io/v1beta1`

nit, both will work

@tjons (Collaborator, Author):

will fix

# ServiceEntry to register the OPA-Istio sidecars as external authorizers.
############################################################
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry


nit: might be nice to add exportTo: [.] so it doesn't impact other namespaces

@tjons (Collaborator, Author):

👍

@@ -0,0 +1,33 @@
data:
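Review bot: this new file replaces the whole `data:` section of the Istio mesh ConfigMap instead of adding only the `extensionProviders` entry, so the fixture will carry whatever defaults the demo profile produced at the time it was copied; record the Istio version it was taken from in a comment next to it, or regenerate it in CI from the installed profile, so an Istio upgrade does not leave the e2e tests running against stale mesh settings.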


Not sure about the testing setup, but this seems to patch a lot more than what is needed. Maybe that's intended, though.

@tjons (Collaborator, Author):

This is intended. I found it impossible to just add the extensionProvider to the mesh config since it is a nested YAML object... it doesn't play nicely with kubectl patch, even with a JSON patch. Any thoughts? Otherwise this is just to restore the rest of the default data that is created when we install Istio with the demo profile for our CI.

@tjons (Collaborator, Author) commented Nov 27, 2023

@howardjohn addressed your comments - LMK if anything else should be addressed

@ashutosh-narkar (Member) left a comment

LGTM. You may have already done this but have you tried these steps manually to ensure everything works end to end?

If you could squash your commits we can get this in.

@tjons (Collaborator, Author) commented Nov 30, 2023

@ashutosh-narkar yes, have tested manually a bunch of different ways. Squashed and pushed

@ashutosh-narkar (Member) left a comment

Thanks @tjons!

@ashutosh-narkar ashutosh-narkar merged commit 414738c into open-policy-agent:main Nov 30, 2023
8 checks passed
Successfully merging this pull request may close these issues.

Move Istio from EnvoyFilter to AuthorizationPolicy