From 8938103fae8e465f819c0a9352bf0533b8ead8c6 Mon Sep 17 00:00:00 2001
From: Jianfei Hu
Date: Mon, 16 Aug 2021 20:43:10 +0000
Subject: [PATCH] remove auth.yaml and update readme.md
Signed-off-by: Jianfei Hu
---
 bookinfo-example/README.md | 4 +-
 bookinfo-example/auth.yaml | 211 -------------------------------------
 2 files changed, 2 insertions(+), 213 deletions(-)
 delete mode 100644 bookinfo-example/auth.yaml
diff --git a/bookinfo-example/README.md b/bookinfo-example/README.md
index 8e60f187..0bb45f34 100644
--- a/bookinfo-example/README.md
+++ b/bookinfo-example/README.md
@@ -46,8 +46,8 @@ URI to be hosted on a protected endpoint.
 extensionProviders:
 - name: "authservice-grpc"
 envoyExtAuthzGrpc:
-service: authservice.default.svc.cluster.local
-port: "10003"
+service: authservice.default.svc.cluster.local
+port: "10003"
 ```
 
 1. Install authservice via Helm.
diff --git a/bookinfo-example/auth.yaml b/bookinfo-example/auth.yaml
deleted file mode 100644
index 5ac1f49f..00000000
--- a/bookinfo-example/auth.yaml
+++ /dev/null
@@ -1,211 +0,0 @@
----
-# Source: authservice/templates/config.yaml
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: authservice
-data:
- config.json: |
- {
- "listen_address": "127.0.0.1",
- "listen_port": "10003",
- "log_level": "trace",
- "threads": 8,
- "chains": [
- {
- "name": "idp_filter_chain",
- "filters": [
- {
- "oidc":
- {
- "authorization_uri": "https://accounts.google.com/o/oauth2/v2/auth",
- "token_uri": "https://oauth2.googleapis.com/token ",
- "callback_uri": "https://localhost:8443/productpage/oauth/callback",
- "jwks": "{ \"keys\": [ { \"use\": \"sig\", \"alg\": \"RS256\", \"n\": \"7qnlkR2Ysvik__jqELu5__2Ib4_Pix6NEmEYKY80NyIGBhUQ0QDtijFypOk3cN3aRgb1f3741vQu7PQGMr79J8jM4-sA1A6UQNmfjl-thB5JpdfQrS1n3EpsrPMUvf5w-uBMQnxmiM3hrHgjA107-UxLF_xBG8Vp_EXmZI7y6IfUwTHrNotSpLLBSNH77C8ncFcm9ADsdl-Bav2CjOaef6CpGISCscx2T4LZS6DIafU1M_xYcx3aLET9TojymjZJi2hfZDyF9x_qssrlnxqfgrI71warY8HiXsiZzOTNB6s81Fu9AaxV7YckfLHyvXwOX8lQN53c2IiAuk-T7nf69w\", \"e\": \"AQAB\", \"kty\": \"RSA\", \"kid\": \"0fcc014f22934e47480daf107a340c22bd262b6c\" }, { \"alg\": \"RS256\", \"e\": \"AQAB\", \"kid\": \"462949174f1eedf4f9f9434877be483b324140f5\", \"kty\": \"RSA\", \"n\": \"2BHFUUq8NqZ3pxxi_RJcSIMG5nJoZQ8Nbvf-lW5o7hJ9CmLA4SeUmDL2IVK6CSuskTPj_ohAp_gtOg3PCJvn33grPoJQu38MoMB8kDqA4U-u3A86GGEjWtk6LPo7dEkojZNQkzhZCnEMTuRMtBZXsLWNGJpY3UADA3rxnHnBP1wrSt27iXIE0C6-1N5z00R13r3L0aWC0MuAUgjI2H4dGMr8B3niJ-NjOVPCwG7xSWsCwsSitAuhPGHaDtenB23ZsFJjbuTuiguoSJ9A1qo9kzBOg32xda4derbWasu7Tk8p53PFxXDJGR_h7dM-nsJHl7lAUDqL8zOrf9XXlPTjwQ\", \"use\": \"sig\" } ] }",
- "client_id": "159575789034-27l81afqk927eg7urur2etntg91rv8on.apps.googleusercontent.com",
- "client_secret": "5GHnk4Fs94x13Oif4hKhYV2d",
- "scopes": [],
- "cookie_name_prefix": "productpage",
- "id_token": {
- "preamble": "Bearer",
- "header": "Authorization"
- },
- "logout": {
- "path": "/authservice_logout",
- "redirect_uri": "https://localhost:8443/some/logout/path"
- }
- }
- }
- ]
- }
- ]
- }
----
-# Source: authservice/templates/deployment.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: authservice
- # namespace: istio-system
- labels:
- app: authservice
-spec:
- ports:
- - port: 10003
- name: grpc
- selector:
- app: authservice
----
-# Source: authservice/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: authservice
- # TODO(incfly): change to istio-system when the config map is also updated to that namespace.
- # namespace: istio-system
- labels:
- app: authservice
-spec:
- replicas: 1 # you can scale up productpage as long as session affinity is enabled via a DestinationRule (see ./config/bookinfo-gateway.yaml)
- selector:
- matchLabels:
- app: authservice
- template:
- metadata:
- labels:
- app: authservice
- spec:
- volumes:
- - name: authservice-config # declare the volume containing the authservice ConfigMap
- configMap:
- name: authservice
- containers:
- - name: authservice # authservice needs to be deployed in the sample Pod as the productpage
- # TODO(incfly): change to a proper project wide container registry.
- image: gcr.io/jianfeih-images-pub/authservice/authservice:0.4.1 # Manually docker pull the latest authservice image from https://github.com/istio-ecosystem/authservice/packages and push it to your own image registry (e.g. Docker Hub), and use it here. (The Github Package Registry does not work with k8s yet until this issue is fixed and released: https://github.com/kubernetes-sigs/kind/issues/870)
- imagePullPolicy: Always
- ports:
- - containerPort: 10003
- volumeMounts:
- - name: authservice-config # mount the volume containing the authservice ConfigMap
- mountPath: /etc/authservice
----
-# Source: authservice/templates/config.yaml
-#
-# A ConfigMap which contains the configuration of the authservice.
-# In bookinfo-with-authservice-template.yaml the authservice container is created
-# with this ConfigMap volume mounted inside the container at /etc/authservice, which
-# is the location where the authservice expects the file to exist.
-#
----
-# Source: authservice/templates/gateway.yaml
-#
-# A simple example of a gateway for the bookinfo app.
-#
----
-# Source: authservice/templates/ext-authz.yaml
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: ext-authz
-spec:
- selector:
- matchLabels:
- app: productpage
- action: CUSTOM
- provider:
- # The provider name must match the extension provider defined in the mesh config.
- name: authservice.default.svc.cluster.local
- rules:
- - to:
- - operation:
- notPaths: ["/public"] # enable all except /public paths.
----
-# Source: authservice/templates/gateway.yaml
-# Add a DestinationRule to enable session affinity, which ensures that the requests from the same user-agent reach
-# the same instance of productpage, and hence, the same instance of Sidecar and Authservice. This is required when you
-# deploy multiple instances of productpage because Authservice currently only supports in-memory session storage.
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: bookinfo-dest-rule
-spec:
- host: productpage.default.svc.cluster.local
- trafficPolicy:
- loadBalancer:
- consistentHash:
- httpCookie:
- name: bookinfo-session-affinity-cookie
- ttl: 0s
----
-# Source: authservice/templates/gateway.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: bookinfo-gateway
-spec:
- selector:
- istio: ingressgateway # use istio default controller
- servers:
- - port:
- number: 443
- name: https-443
- protocol: HTTPS
- hosts:
- - "*"
- tls:
- mode: SIMPLE
- credentialName: ingress-tls-cert
----
-# Source: authservice/templates/ext-authz.yaml
-# TODO(incfly): enable if else check for including this only for sidecar mode.
-# Istio requires the external authz provider to be available in the service registry.
-# See https://github.com/istio/istio/issues/34622.
-apiVersion: networking.istio.io/v1beta1
-kind: ServiceEntry
-metadata:
- name: authz-svc
-spec:
- hosts:
- - ext.authz.local # not used
- ports:
- - number: 10003
- name: grpc-ext
- protocol: grpc
- resolution: STATIC
- endpoints:
- - address: 127.0.0.1
----
-# Source: authservice/templates/gateway.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: bookinfo
-spec:
- hosts:
- - "*"
- gateways:
- - bookinfo-gateway
- http:
- - match:
- - uri:
- # Allow the Authentication Request Callback to get routed to productpage so it can be intercepted by the authservice
- prefix: /productpage/oauth
- - uri:
- # Allow the authservice logout request to get routed to productpage so it can be intercepted by the authservice
- exact: /authservice_logout
- - uri:
- exact: /productpage
- - uri:
- prefix: /static
- - uri:
- exact: /login
- - uri:
- exact: /logout
- - uri:
- prefix: /api/v1/
- route:
- - destination:
- host: productpage
- port:
- number: 9080
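Review bot: The deleted ConfigMap carried a hard-coded OAuth `"client_id"`/`"client_secret"` pair for the Google IdP inside the `config.json` block, and deleting `bookinfo-example/auth.yaml` only removes it from the working tree — the value remains recoverable from every earlier revision of this repository. That credential should be treated as exposed and revoked or rotated in the IdP project before or alongside this change, with the rotation noted in the commit description so downstream users of the sample know the old client is dead. The README hunk's surrounding context suggests the sample now installs authservice via Helm, so the documentation should also state where the client secret is expected to live from now on (a Kubernetes Secret or values kept out of version control), since the removed file is the only place the current README showed readers that setting.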