Istio and OSM Integrations

Istio Service Mesh Integration

Configure Istio to authorize inbound requests via PlainID Authorizer.

The following example (found in filter.yaml) enables traffic and external authorization on appropriate ports
in the default namespace:

kind: List
apiVersion: v1
items:
  - apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: demo-filter
      namespace: default
    spec:
      configPatches:
        - applyTo: HTTP_FILTER
          match:
            context: SIDECAR_INBOUND
            listener:
              filterChain:
                filter:
                  name: envoy.filters.network.http_connection_manager
                  subFilter:
                    name: envoy.filters.http.router
              portNumber: 7000
          patch:
            operation: INSERT_BEFORE
            value:
              name: envoy.ext_authz
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                failure_mode_allow: false
                grpc_service:
                  google_grpc:
                    stat_prefix: ext_authz
                    target_uri: 127.0.0.1:50051
                  timeout: 2s
                transport_api_version: V3
                with_request_body:
                  allow_partial_message: true
                  max_request_bytes: 1024
                  pack_as_bytes: true

Open Service Mesh (OSM) Integration

Configure OSM to authorize inbound requests via PlainID Authorizer.
The following example enables external authorization and adds PlainID Authorizer Operator communication port to exclusions:

apiVersion: config.openservicemesh.io/v1alpha2
kind: MeshConfig
metadata:
  name: osm-mesh-config
  namespace: osm-system
spec:
  certificate:
    certKeyBitSize: 2048
    ingressGateway:
      secret:
        name: osm-contour-envoy-client-cert
        namespace: osm-system
      subjectAltNames:
        - osm-contour-envoy.osm-system.cluster.local
      validityDuration: 24h
    serviceCertValidityDuration: 24h
  featureFlags:
    enableAsyncProxyServiceMapping: false
    enableEgressPolicy: true
    enableEnvoyActiveHealthChecks: false
    enableIngressBackendPolicy: true
    enableRetryPolicy: false
    enableSnapshotCacheMode: false
    enableWASMStats: true
  observability:
    enableDebugServer: false
    osmLogLevel: info
    tracing:
      enable: false
  sidecar:
    configResyncInterval: 0s
    enablePrivilegedInitContainer: false
    localProxyMode: Localhost
    logLevel: info
    resources: {}
    tlsMaxProtocolVersion: TLSv1_3
    tlsMinProtocolVersion: TLSv1_2
  traffic:
    enableEgress: true
    enablePermissiveTrafficPolicyMode: true
    inboundExternalAuthorization:
      enable: true
      address: localhost
      port: 50051
      failureModeAllow: false
      statPrefix: inboundExtAuthz
      timeout: 5s
    inboundPortExclusionList: []
    networkInterfaceExclusionList: []
    outboundIPRangeExclusionList: []
    outboundIPRangeInclusionList: []
    outboundPortExclusionList:
      - 16000