Istio and OSM Integrations
    • 01 Sep 2024

    Istio Service Mesh Integration

    Configure Istio to authorize inbound requests via PlainID Authorizer.

    The following example (from filter.yaml) inserts the Envoy ext_authz filter ahead of the HTTP router on the
    inbound sidecar listener for the service port in the default namespace, so every inbound request is checked by
    the PlainID Authorizer before it is routed:

    kind: List
    apiVersion: v1
    items:
      - apiVersion: networking.istio.io/v1alpha3
        kind: EnvoyFilter
        metadata:
          name: demo-filter
          namespace: default
        spec:
          configPatches:
            - applyTo: HTTP_FILTER
              match:
                context: SIDECAR_INBOUND
                listener:
                  filterChain:
                    filter:
                      name: envoy.filters.network.http_connection_manager
                      subFilter:
                        name: envoy.filters.http.router
                  portNumber: 7000
              patch:
                operation: INSERT_BEFORE
                value:
                  name: envoy.ext_authz
                  typed_config:
                    '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                    failure_mode_allow: false
                    grpc_service:
                      google_grpc:
                        stat_prefix: ext_authz
                        target_uri: 127.0.0.1:50051
                      timeout: 2s
                    transport_api_version: V3
                    with_request_body:
                      allow_partial_message: true
                      max_request_bytes: 1024
                      pack_as_bytes: true
    
    Parameter / Details

    spec.configPatches.match.listener.portNumber
        The port number of the microservice that handles the requests the Istio VirtualService points to.

    spec.configPatches.patch.value.typed_config.grpc_service.google_grpc.target_uri
        The address of the PlainID Authorizer (refers to PlainidSidecar's spec.sidecarConfig.grpc.listener address).

    Open Service Mesh (OSM) Integration

    Configure OSM to authorize inbound requests via PlainID Authorizer.
    The following example enables inbound external authorization and adds the PlainID Authorizer Operator
    communication port to the outbound port exclusion list:

    apiVersion: config.openservicemesh.io/v1alpha2
    kind: MeshConfig
    metadata:
      name: osm-mesh-config
      namespace: osm-system
    spec:
      certificate:
        certKeyBitSize: 2048
        ingressGateway:
          secret:
            name: osm-contour-envoy-client-cert
            namespace: osm-system
          subjectAltNames:
            - osm-contour-envoy.osm-system.cluster.local
          validityDuration: 24h
        serviceCertValidityDuration: 24h
      featureFlags:
        enableAsyncProxyServiceMapping: false
        enableEgressPolicy: true
        enableEnvoyActiveHealthChecks: false
        enableIngressBackendPolicy: true
        enableRetryPolicy: false
        enableSnapshotCacheMode: false
        enableWASMStats: true
      observability:
        enableDebugServer: false
        osmLogLevel: info
        tracing:
          enable: false
      sidecar:
        configResyncInterval: 0s
        enablePrivilegedInitContainer: false
        localProxyMode: Localhost
        logLevel: info
        resources: {}
        tlsMaxProtocolVersion: TLSv1_3
        tlsMinProtocolVersion: TLSv1_2
      traffic:
        enableEgress: true
        enablePermissiveTrafficPolicyMode: true
        inboundExternalAuthorization:
          enable: true
          address: localhost
          port: 50051
          failureModeAllow: false
          statPrefix: inboundExtAuthz
          timeout: 5s
        inboundPortExclusionList: []
        networkInterfaceExclusionList: []
        outboundIPRangeExclusionList: []
        outboundIPRangeInclusionList: []
        outboundPortExclusionList:
          - 16000
    
    Parameter / Details

    spec.traffic.inboundExternalAuthorization
        Contains the external authorization settings.

    spec.traffic.inboundExternalAuthorization.port
        The port of the PlainID Authorizer (refers to PlainidSidecar's spec.sidecarConfig.grpc.listener address).

    spec.traffic.inboundExternalAuthorization.address
        Should be set to localhost, as the PlainID Authorizer runs in the same pod.

    spec.traffic.outboundPortExclusionList
        Should contain the PlainID Authorizer Operator communication port (refers to PlainidInjector's spec.config.params.mgr port).
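    Both manifests above share the same failure modes: if the ext_authz filter is missing, attached to the wrong
    listener, pointed at something other than the in-pod authorizer, or configured to fail open, inbound requests
    reach the microservice without a PlainID decision. The script below is an added example (not PlainID's own
    tooling) that checks the live objects for those conditions. It reads the JSON that `kubectl get ... -o json`
    returns for the Istio EnvoyFilter and the OSM MeshConfig; the two dictionaries embedded here are constructed
    copies of the manifests on this page, trimmed to the fields the checks read, and the expected ports
    (7000, 50051, 16000) are the values from the page, passed in as parameters so they can be changed per deployment.

```python
"""Fail-closed checks for the PlainID ext_authz wiring in Istio and OSM.

Added example, not part of the PlainID product. Feed it the objects from
`kubectl get envoyfilter demo-filter -o json` or
`kubectl get meshconfig osm-mesh-config -n osm-system -o json`.
"""
import json

# Constructed input mirroring the EnvoyFilter on this page (trimmed).
ISTIO_FILTER = {
    "kind": "EnvoyFilter",
    "metadata": {"name": "demo-filter", "namespace": "default"},
    "spec": {"configPatches": [{
        "applyTo": "HTTP_FILTER",
        "match": {"context": "SIDECAR_INBOUND", "listener": {"portNumber": 7000}},
        "patch": {"operation": "INSERT_BEFORE", "value": {
            "name": "envoy.ext_authz",
            "typed_config": {
                "failure_mode_allow": False,
                "grpc_service": {"google_grpc": {"target_uri": "127.0.0.1:50051"},
                                 "timeout": "2s"},
                "transport_api_version": "V3",
            }}}}]},
}

# Constructed input mirroring the OSM MeshConfig on this page (trimmed).
OSM_MESH_CONFIG = {
    "kind": "MeshConfig",
    "spec": {"traffic": {
        "inboundExternalAuthorization": {
            "enable": True, "address": "localhost", "port": 50051,
            "failureModeAllow": False, "timeout": "5s"},
        "outboundPortExclusionList": [16000],
    }},
}

# The authorizer runs as a sidecar in the same pod, so only loopback is acceptable.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def check_envoyfilter(obj, service_port=7000):
    """Return a list of findings for the Istio EnvoyFilter; empty means OK."""
    findings = []
    patches = obj.get("spec", {}).get("configPatches", [])
    ext = [p for p in patches
           if p.get("patch", {}).get("value", {}).get("name") == "envoy.ext_authz"]
    if not ext:
        return ["no envoy.ext_authz patch: inbound requests are not authorized"]
    for p in ext:
        match, cfg = p.get("match", {}), p["patch"]["value"].get("typed_config", {})
        if match.get("context") != "SIDECAR_INBOUND":
            findings.append("ext_authz is not applied to SIDECAR_INBOUND")
        if match.get("listener", {}).get("portNumber") != service_port:
            findings.append(f"portNumber does not match service port {service_port}")
        if cfg.get("failure_mode_allow") is not False:
            findings.append("failure_mode_allow is not false: authorizer outage would fail open")
        grpc = cfg.get("grpc_service", {})
        uri = grpc.get("google_grpc", {}).get("target_uri", "")
        if uri.rpartition(":")[0] not in LOCAL_HOSTS:
            findings.append(f"target_uri {uri!r} is not the in-pod authorizer")
        if "timeout" not in grpc:
            findings.append("grpc_service.timeout missing: a hung authorizer stalls requests")
    return findings


def check_meshconfig(obj, operator_port=16000):
    """Return a list of findings for the OSM MeshConfig; empty means OK."""
    findings = []
    traffic = obj.get("spec", {}).get("traffic", {})
    ext = traffic.get("inboundExternalAuthorization", {})
    if ext.get("enable") is not True:
        findings.append("inboundExternalAuthorization.enable is not true")
    if ext.get("address") not in LOCAL_HOSTS:
        findings.append("address is not localhost: authorizer must be reached in-pod")
    if ext.get("failureModeAllow") is not False:
        findings.append("failureModeAllow is not false: authorizer outage would fail open")
    if operator_port not in traffic.get("outboundPortExclusionList", []):
        findings.append(f"operator port {operator_port} missing from outboundPortExclusionList")
    return findings


def with_override(obj, path, value):
    """Deep-copy obj and replace the value at dotted path (list indexes numeric).
    Used to build weakened variants of a manifest for testing the checks."""
    new, node = json.loads(json.dumps(obj)), None
    parts = path.split(".")
    node = new
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    key = int(parts[-1]) if isinstance(node, list) else parts[-1]
    node[key] = value
    return new


if __name__ == "__main__":
    for name, found in (("istio", check_envoyfilter(ISTIO_FILTER)),
                        ("osm", check_meshconfig(OSM_MESH_CONFIG))):
        print(name, "OK" if not found else "; ".join(found))
```

    Run it against the real objects by replacing the constructed dictionaries with `json.load()` of the
    kubectl output; a non-empty findings list for either mesh is a configuration that should not go to
    production, and the fail-open checks are the ones worth wiring into a pre-deployment gate.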
