Skip to content

Add istio meshConfig, internal auth gateway and token-vendor auth httproutes #687

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ensonic merged 4 commits into from
May 20, 2026
Merged

Add istio meshConfig, internal auth gateway and token-vendor auth httproutes #687

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
72b9336
Add envoyExtAuthzHttp extensionProvider in istio_operator
awhdesmond May 20, 2026
b9c776a
Add crc-auth-gateway (internal) and auth httproutes for tokenvendor
awhdesmond May 20, 2026
82bad46
Add catch-all for internal auth gateway
awhdesmond May 20, 2026
4478fe3
fix nginx alpine version
awhdesmond May 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 100 additions & 1 deletion src/app_charts/base/cloud/istio.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ metadata:
name: crc-gateway
annotations:
# Use standard K8s annotations for cloud-specific LB settings
networking.istio.io/service-type: LoadBalancer
networking.istio.io/service-type: LoadBalancer
networking.istio.io/service-externalTrafficPolicy: Local
spec:
gatewayClassName: istio # Provisions Istio-managed LB infrastructure
Expand Down Expand Up @@ -47,4 +47,103 @@ spec:
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: crc-auth-gateway
annotations:
networking.istio.io/service-type: ClusterIP # only require internal cluster ip
spec:
gatewayClassName: istio # Provisions Istio-managed LB
listeners:
- name: http
hostname: {{ .Values.domain }}
protocol: HTTP
port: 8080
allowedRoutes:
namespaces:
from: All
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: crc-gateway-auth
spec:
targetRefs: # assoc this global auth policy on external crc-gateway
- kind: Gateway
group: gateway.networking.k8s.io
name: crc-gateway
action: CUSTOM
provider:
name: "crc-auth-gateway" # Must match name in meshConfig.extensionProviders exactly.
rules:
# targeting all paths.
# it is also possible to specify the relevant paths here, so that not all requests will be daisy-chained
- {}
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: crc-auth-catchall
spec:
parentRefs:
- name: crc-auth-gateway
namespace: default
sectionName: http
hostnames:
- {{ .Values.domain }}
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: explicit-allow-svc
namespace: default
port: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: explicit-allow-svc
Copy link
Copy Markdown
Contributor Author

@awhdesmond awhdesmond May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's may be worth to refactor this service out to its own file.

Copy link
Copy Markdown
Contributor

@koonpeng koonpeng May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it appears to be only for testing?

Copy link
Copy Markdown
Contributor Author

@awhdesmond awhdesmond May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This service is used as the catch-all service with pathprefix / under the auth gateway. I would assume not all paths require authz, so this catch-all service will respond with HTTP 200 for all those services.

Copy link
Copy Markdown
Contributor

@ensonic ensonic May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we need to support routes that don't require auth.

Copy link
Copy Markdown
Contributor

@ensonic ensonic May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we try this:

filters:
    - type: RequestRedirect
      requestRedirect:
        statusCode: 200

Copy link
Copy Markdown
Contributor Author

@awhdesmond awhdesmond May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will result in:

The HTTPRoute "crc-auth-catchall" is invalid: 
* spec.rules[0].filters[0].requestRedirect.statusCode: Unsupported value: 200: supported values: "301", "302"
* <nil>: Invalid value: null: some validation rules were not checked because the object was invalid; correct the existing errors to complete validation

labels:
app: explicit-allow-svc
spec:
replicas: 1
selector:
matchLabels:
app: explicit-allow-svc
template:
metadata:
labels:
app: explicit-allow-svc
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged:1.30.1-alpine
ports:
- containerPort: 8080
command: ["/bin/sh", "-c"]
args:
- |
echo 'server {
listen 8080;
location / {
add_header Content-Type text/plain;
return 200 "OK\n";
}
}' > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'
---
apiVersion: v1
kind: Service
metadata:
name: explicit-allow-svc
spec:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
app: explicit-allow-svc
{{- end}}
59 changes: 59 additions & 0 deletions src/app_charts/token-vendor/cloud/http-route.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,3 +70,62 @@ spec:
- path:
type: PathPrefix
value: /apis/core.token-vendor/v1/token.oauth2
---
# NOTE: ReferenceGrant not needed if we deploy this HTTPRoutes
# in the same namespace as the token-vendor service (backendRef)
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: public-key-access-auth
spec:
hostnames:
- {{ .Values.domain }}
parentRefs:
- name: crc-auth-gateway
namespace: default
sectionName: http
rules:
- matches:
- path:
type: PathPrefix
value: /apis/core.token-vendor/v1/public-key.read
filters:
- type: URLRewrite
urlRewrite:
path:
type: ReplaceFullPath
replaceFullPath: /apis/core.token-vendor/v1/token.verify?robots=true
backendRefs:
- name: token-vendor
namespace: app-token-vendor
port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: public-key-manager-auth
spec:
hostnames:
- {{ .Values.domain }}
parentRefs:
- name: crc-auth-gateway
namespace: default
sectionName: http
rules:
- matches:
- path:
type: PathPrefix
value: /apis/core.token-vendor/v1/public-key.configure
- path:
type: PathPrefix
value: /apis/core.token-vendor/v1/public-key.publish
filters:
- type: URLRewrite
urlRewrite:
path:
type: ReplaceFullPath
replaceFullPath: /apis/core.token-vendor/v1/token.verify?robots=false
backendRefs:
- name: token-vendor
namespace: app-token-vendor
port: 80
12 changes: 12 additions & 0 deletions third_party/istio/istio_operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,18 @@ spec:
accessLogFormat: |
{"authority": "%REQ(:AUTHORITY)%", "start_time": "%START_TIME%", "bytes_received": "%BYTES_RECEIVED%", "bytes_sent": "%BYTES_SENT%", "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%", "downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%", "duration": "%DURATION%", "istio_policy_status": "%DYNAMIC_METADATA(istio.mixer:status)%", "method": "%REQ(:METHOD)%", "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%", "protocol": "%PROTOCOL%", "request_id": "%REQ(X-REQUEST-ID)%", "requested_server_name": "%REQUESTED_SERVER_NAME%", "response_code": "%RESPONSE_CODE%", "response_flags": "%RESPONSE_FLAGS%", "route_name": "%ROUTE_NAME%", "start_time": "%START_TIME%", "upstream_cluster": "%UPSTREAM_CLUSTER%", "upstream_host": "%UPSTREAM_HOST%", "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%", "upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%", "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%", "user_agent": "%REQ(USER-AGENT)%", "x_forwarded_for": "%REQ(X-FORWARDED-FOR)%", "x_icon_instance_name": "%REQ(x-icon-instance-name)%", "x_resource_instance_name": "%REQ(x-resource-instance-name)%"}

extensionProviders:
- name: "crc-auth-gateway"
envoyExtAuthzHttp:
service: "crc-auth-gateway-istio.default.svc.cluster.local" # crc-auth-gateway-istio k8s svc in default namespace
port: "8080"
includeRequestHeadersInCheck:
- "authorization"
- "x-forwarded-access-token"
- "x-auth-url"
headersToUpstreamOnAllow:
- "authorization"

components:
base:
enabled: true
Expand Down
Loading