authelia/docs/content/en/integration/kubernetes/istio.md

3.1 KiB

title description lead date draft images menu integration parent weight toc
Istio A guide to integrating Authelia with the Istio Kubernetes Ingress. A guide to integrating Authelia with the Istio Kubernetes Ingress. 2022-10-02T13:59:09+11:00 false
kubernetes 551 true

Istio uses Envoy as an Ingress. This means it has a relatively comprehensive integration option.

Example

This example assumes that you have deployed an Authelia pod and you have configured it to be served on the URL https://auth.example.com and there is a Kubernetes Service with the name authelia in the default namespace with TCP port 80 configured to route to the Authelia pod's HTTP port and that your cluster is configured with the default DNS domain name of cluster.local.

Operator

This is an example IstioOperator manifest adjusted to authenticate with Authelia. This example only shows the necessary portions of the resource that you add as well as context. You will need to adapt it to your needs.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
      - name: 'authelia'
        envoyExtAuthzHttp:
          service: 'authelia.default.svc.cluster.local'
          port: 80
          pathPrefix: '/api/verify/'
          includeRequestHeadersInCheck:
            - accept
            - cookie
            - proxy-authorization
          headersToUpstreamOnAllow:
            - 'authorization'
            - 'proxy-authorization'
            - 'remote-*'
            - 'authelia-*'
          includeAdditionalHeadersInCheck:
            X-Authelia-URL: 'https://auth.example.com/'
            X-Forwarded-Method: '%REQ(:METHOD)%'
            X-Forwarded-Proto: '%REQ(:SCHEME)%'
            X-Forwarded-Host: '%REQ(:AUTHORITY)%'
            X-Forwarded-URI: '%REQ(:PATH)%'
            X-Forwarded-For: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%'
          headersToDownstreamOnDeny:
            - set-cookie
          headersToDownstreamOnAllow:
            - set-cookie

Authorization Policy

The following Authorization Policy applies the above filter extension provider to the nextcloud.example.com domain:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: nextcloud
  namespace: apps
spec:
  action: CUSTOM
  provider:
    name:  'authelia'
  rules:
    - to:
        - operation:
            hosts:
              - 'nextcloud.example.com'

See Also