| # Simple httpbin deployment | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| annotations: | |
| labels: | |
| app: httpbin-auth | |
| app.kubernetes.io/instance: httpbin-auth | |
| name: httpbin-auth | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: httpbin-auth | |
| app.kubernetes.io/instance: httpbin-auth | |
| template: | |
| metadata: | |
| annotations: | |
| # Mounting secrets on envoy proxy sidecar | |
| sidecar.istio.io/userVolume: '[{"name":"oauth-creds", "secret":{"secretName":"auth-secret"}}]' | |
| sidecar.istio.io/userVolumeMount: '[{"name":"oauth-creds", "mountPath":"/etc/istio/config/", | |
| "readonly":true}]' | |
| labels: | |
| app: httpbin-auth | |
| app.kubernetes.io/instance: httpbin-auth | |
| spec: | |
| containers: | |
| - image: kong/httpbin:0.1.0 | |
| imagePullPolicy: Always | |
| image: kong/httpbin:0.1.0 | |
| name: app | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| app: httpbin-auth | |
| app.kubernetes.io/instance: httpbin-auth-main-stg | |
| name: httpbin-auth | |
| spec: | |
| ports: | |
| - name: http | |
| port: 80 | |
| protocol: TCP | |
| targetPort: 80 | |
| selector: | |
| app: httpbin-auth | |
| app.kubernetes.io/instance: httpbin-auth-main-stg |
| apiVersion: v1 | |
| data: | |
| hmac-secret.yaml: cmVzb3VyY2VzOgotICJAdHlwZSI6ICJ0eXBlLmdvb2dsZWFwaXMuY29tL2Vudm95LmV4dGVuc2lvbnMudHJhbnNwb3J0X3NvY2tldHMudGxzLnYzLlNlY3JldCIKICBuYW1lOiBobWFjCiAgZ2VuZXJpY19zZWNyZXQ6CiAgICBzZWNyZXQ6CiAgICAgICMgZ2VuZXJhdGVkIHVzaW5nIGBoZWFkIC1jIDMyIC9kZXYvdXJhbmRvbSB8IGJhc2U2NGAKICAgICAgaW5saW5lX2J5dGVzOiBBV0U1MDZLZnR0aDVYdXJkVWJudU1LWjBGbzFoNHphdkZMcVpKaEliVVVzPQ== | |
| token-secret.yaml: cmVzb3VyY2VzOgogIC0gIkB0eXBlIjogInR5cGUuZ29vZ2xlYXBpcy5jb20vZW52b3kuZXh0ZW5zaW9ucy50cmFuc3BvcnRfc29ja2V0cy50bHMudjMuU2VjcmV0IgogICAgbmFtZTogdG9rZW4KICAgIGdlbmVyaWNfc2VjcmV0OgogICAgICBzZWNyZXQ6CiAgICAgICAgaW5saW5lX3N0cmluZzogZGtHYVRpb1UzUUJMUEJMLWtvcklWRFkyd2V4WEFXU1h6QlJjUjBPUQ== | |
| kind: Secret | |
| metadata: | |
| name: auth-secret | |
| type: Opaque |
resources:
- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
name: hmac
generic_secret:
secret:
# generated using `head -c 32 /dev/urandom | base64`
inline_bytes: AWE506Kftth5XurdUbnuMKZ0Fo1h4zavFLqZJhIbUUs=resources:
- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
name: token
generic_secret:
secret:
inline_string: dkGaTioU3QBLPBL-korIVDY2wexXAWSXzBRcR0OQ| apiVersion: networking.istio.io/v1alpha3 | |
| kind: EnvoyFilter | |
| metadata: | |
| name: httpbin-auth | |
| spec: | |
| configPatches: | |
| - applyTo: HTTP_FILTER | |
| match: | |
| context: SIDECAR_INBOUND | |
| listener: | |
| filterChain: | |
| filter: | |
| name: envoy.filters.network.http_connection_manager | |
| subFilter: | |
| name: envoy.filters.http.router | |
| portNumber: 80 | |
| patch: | |
| operation: INSERT_BEFORE | |
| value: | |
| name: envoy.lua.my_filter | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua | |
| inlineCode: | | |
| function envoy_on_request(request_handle) | |
| request_handle:headers():add("X-TEST", "fromLua!") | |
| end | |
| function envoy_on_response(response_handle) | |
| filter_name = "ENVOY" | |
| response_handle:headers():add("my_Filter", filter_name) | |
| end | |
| - applyTo: CLUSTER | |
| match: | |
| cluster: | |
| service: oauth | |
| patch: | |
| operation: ADD | |
| value: | |
| connect_timeout: 10s | |
| lb_policy: ROUND_ROBIN | |
| load_assignment: | |
| cluster_name: oauth | |
| endpoints: | |
| - lb_endpoints: | |
| - endpoint: | |
| address: | |
| socket_address: | |
| address: yourorg.okta.com | |
| port_value: 443 | |
| name: oauth | |
| transport_socket: | |
| name: envoy.transport_sockets.tls | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | |
| sni: yourorg.okta.com | |
| type: LOGICAL_DNS | |
| - applyTo: HTTP_FILTER | |
| match: | |
| context: SIDECAR_INBOUND | |
| listener: | |
| filterChain: | |
| filter: | |
| name: envoy.filters.network.http_connection_manager | |
| subFilter: | |
| name: envoy.filters.http.jwt_authn | |
| portNumber: 80 | |
| patch: | |
| operation: INSERT_BEFORE | |
| value: | |
| name: envoy.okta.my_filter_httpbin | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 | |
| config: | |
| auth_scopes: | |
| - openid | |
| - profile | |
| - groups | |
| authorization_endpoint: https://yourorg.okta.com/oauth2/<customAuth>/v1/authorize | |
| credentials: | |
| client_id: 000000000000 | |
| hmac_secret: | |
| name: hmac | |
| sds_config: | |
| path: /etc/istio/config/hmac-secret.yaml | |
| token_secret: | |
| name: token | |
| sds_config: | |
| path: /etc/istio/config/token-secret.yaml | |
| forward_bearer_token: true | |
| # Bypass auth proxy for health check | |
| pass_through_matcher: | |
| - name: :path | |
| exact_match: /healthz/ready | |
| redirect_path_matcher: | |
| path: | |
| exact: /oauth2/callback | |
| redirect_uri: https://%REQ(:authority)%/oauth2/callback | |
| signout_path: | |
| path: | |
| exact: /signout | |
| token_endpoint: | |
| cluster: oauth | |
| timeout: 5s | |
| uri: https://yourorg.okta.com/oauth2/<customAuthId>/v1/token | |
| workloadSelector: | |
| labels: | |
| app.kubernetes.io/instance: httpbin-auth | |
| app: httpbin-auth |
| apiVersion: security.istio.io/v1beta1 | |
| kind: RequestAuthentication | |
| metadata: | |
| name: httpbin-auth | |
| spec: | |
| jwtRules: | |
| - forwardOriginalToken: true | |
| fromHeaders: | |
| - name: cookie | |
| prefix: IdToken= | |
| issuer: https://yourorg.okta.com/oauth2/<customAuthId> | |
| jwksUri: https://yourorg.okta.com/oauth2/<customAuthId>/v1/keys | |
| outputPayloadToHeader: X-ID-TOKEN | |
| selector: | |
| matchLabels: | |
| app: httpbin-auth | |
| app.kubernetes.io/instance: httpbin-auth |
Based on istio/istio#43251