Merge pull request #153 from incfly/master

Update a few issues w.r.t jwk update and listeners.
istio-ecosystem · Aug 26, 2021 · c6a89c9 · c6a89c9
2 parents a7d38e4 + c918b4b
commit c6a89c9
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/bookinfo-example/README.md b/bookinfo-example/README.md
@@ -52,6 +52,18 @@ URI to be hosted on a protected endpoint.
            port: "10003"
    ```
 
+1. Fetch the identity provider public key and populate into the configmap. In our example, run
+`scripts/google-jwks.sh`.
+
+      ```shell
+      bash scripts/google-jwks.sh
+      ```
+   Copy the output JWK (with escape) literally to the [templates/config.yaml](https://github.com/istio-ecosystem/authservice/blob/master/bookinfo-example/authservice/templates/config.yaml#L30)
+   to replace the JWK content.
+
+   TODO(Shikugawa): this is a limitation. We are currently working on making authservice fetch JWK
+   by itself when a jwk URI is provided. See https://github.com/istio-ecosystem/authservice/issues/34.
+
 1. Install authservice via Helm.
 
    ```shell

diff --git a/bookinfo-example/authservice/templates/config.yaml b/bookinfo-example/authservice/templates/config.yaml
@@ -11,9 +11,12 @@ apiVersion: v1
 metadata:
   name: authservice
 data:
+  # We listen on 0.0.0.0 since Istio 1.10, it changes the sidecar configuration only support
+  # application listen on pod IP. See https://istio.io/latest/blog/2021/upcoming-networking-changes/
+  # for more details.
   config.json: |
     {
-      "listen_address": "127.0.0.1",
+      "listen_address": "0.0.0.0",
       "listen_port": "10003",
       "log_level": "trace",
       "threads": 8,
@@ -27,7 +30,7 @@ data:
                 "authorization_uri": "{{ .Values.oidc.authorizationURI }}",
                 "token_uri": "{{ .Values.oidc.tokenURI }} ",
                 "callback_uri": "https://localhost:8443/productpage/oauth/callback",
-                "jwks": "{   \"keys\": [     {       \"use\": \"sig\",       \"alg\": \"RS256\",       \"n\": \"7qnlkR2Ysvik__jqELu5__2Ib4_Pix6NEmEYKY80NyIGBhUQ0QDtijFypOk3cN3aRgb1f3741vQu7PQGMr79J8jM4-sA1A6UQNmfjl-thB5JpdfQrS1n3EpsrPMUvf5w-uBMQnxmiM3hrHgjA107-UxLF_xBG8Vp_EXmZI7y6IfUwTHrNotSpLLBSNH77C8ncFcm9ADsdl-Bav2CjOaef6CpGISCscx2T4LZS6DIafU1M_xYcx3aLET9TojymjZJi2hfZDyF9x_qssrlnxqfgrI71warY8HiXsiZzOTNB6s81Fu9AaxV7YckfLHyvXwOX8lQN53c2IiAuk-T7nf69w\",       \"e\": \"AQAB\",       \"kty\": \"RSA\",       \"kid\": \"0fcc014f22934e47480daf107a340c22bd262b6c\"     },     {       \"alg\": \"RS256\",       \"e\": \"AQAB\",       \"kid\": \"462949174f1eedf4f9f9434877be483b324140f5\",       \"kty\": \"RSA\",       \"n\": \"2BHFUUq8NqZ3pxxi_RJcSIMG5nJoZQ8Nbvf-lW5o7hJ9CmLA4SeUmDL2IVK6CSuskTPj_ohAp_gtOg3PCJvn33grPoJQu38MoMB8kDqA4U-u3A86GGEjWtk6LPo7dEkojZNQkzhZCnEMTuRMtBZXsLWNGJpY3UADA3rxnHnBP1wrSt27iXIE0C6-1N5z00R13r3L0aWC0MuAUgjI2H4dGMr8B3niJ-NjOVPCwG7xSWsCwsSitAuhPGHaDtenB23ZsFJjbuTuiguoSJ9A1qo9kzBOg32xda4derbWasu7Tk8p53PFxXDJGR_h7dM-nsJHl7lAUDqL8zOrf9XXlPTjwQ\",       \"use\": \"sig\"     }   ] }",
+                "jwks": "{\n  \"keys\": [\n    {\n      \"e\": \"AQAB\",\n      \"kty\": \"RSA\",\n      \"kid\": \"462949174f1eedf4f9f9434877be483b324140f5\",\n      \"alg\": \"RS256\",\n      \"n\": \"2BHFUUq8NqZ3pxxi_RJcSIMG5nJoZQ8Nbvf-lW5o7hJ9CmLA4SeUmDL2IVK6CSuskTPj_ohAp_gtOg3PCJvn33grPoJQu38MoMB8kDqA4U-u3A86GGEjWtk6LPo7dEkojZNQkzhZCnEMTuRMtBZXsLWNGJpY3UADA3rxnHnBP1wrSt27iXIE0C6-1N5z00R13r3L0aWC0MuAUgjI2H4dGMr8B3niJ-NjOVPCwG7xSWsCwsSitAuhPGHaDtenB23ZsFJjbuTuiguoSJ9A1qo9kzBOg32xda4derbWasu7Tk8p53PFxXDJGR_h7dM-nsJHl7lAUDqL8zOrf9XXlPTjwQ\",\n      \"use\": \"sig\"\n    },\n    {\n      \"alg\": \"RS256\",\n      \"use\": \"sig\",\n      \"e\": \"AQAB\",\n      \"kid\": \"6ef4bd908591f697a8a9b893b03e6a77eb04e51f\",\n      \"kty\": \"RSA\",\n      \"n\": \"xkgm0jU0J7SgrmmuLypjWO6J9MlF9vpRpsw84sme4EtWMUyAu4zT-X9Ten5wB9W2z0Gft5QOmFL99ueP3MeOqZsXGwW2UWVuQCpkD0bo4qDDqwbt8Cl31Qjb5RHeuvmwYpNQK_1ppb6dwlUCA2Y9AaE7UsZITlR7r5XiBNvOEZh0LTsjPcikCheAs6nPSMBbdIeM28vii1PgPYTU6x6dRBVBAExaRnRDPZZh4acgfKIpbOCMJm2tucqwYhx3Wr5Lhu56oZALK4lvP9SAgOZdG3BA48PKIdLOeiTP-DI_pHJhIn1N5lMCcmcpG3OKMvWo0tFMOGj8Or-mHqB_5I-L4w\"\n    }\n  ]\n}",
                 "client_id": "{{ .Values.oidc.clientID }}",
                 "client_secret": "{{ .Values.oidc.clientSecret }}",
                 "scopes": [],

diff --git a/bookinfo-example/scripts/google-jwks.sh b/bookinfo-example/scripts/google-jwks.sh
@@ -0,0 +1,5 @@
+jwk=$(curl https://www.googleapis.com/oauth2/v3/certs)
+jwk=$(printf '%s' "${jwk}" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))')
+echo "Finish fetching JWK, filled config map at authservice/templates/config.yaml, oidc.jwk field"
+echo "${jwk}"
+