91 lines
3.1 KiB
Markdown
91 lines
3.1 KiB
Markdown
---
|
|
title: "Istio"
|
|
description: "A guide to integrating Authelia with the Istio Kubernetes Ingress."
|
|
lead: "A guide to integrating Authelia with the Istio Kubernetes Ingress."
|
|
date: 2022-10-02T13:59:09+11:00
|
|
draft: false
|
|
images: []
|
|
menu:
|
|
integration:
|
|
parent: "kubernetes"
|
|
weight: 551
|
|
toc: true
|
|
---
|
|
|
|
Istio uses [Envoy](../proxies/envoy.md) as an Ingress. This means it has a relatively comprehensive integration option.
|
|
|
|
## Example
|
|
|
|
This example assumes that you have deployed an Authelia pod and you have configured it to be served on the URL
|
|
`https://auth.example.com` and there is a Kubernetes Service with the name `authelia` in the `default` namespace with
|
|
TCP port `80` configured to route to the Authelia pod's HTTP port and that your cluster is configured with the default
|
|
DNS domain name of `cluster.local`.
|
|
|
|
### Operator
|
|
|
|
This is an example IstioOperator manifest adjusted to authenticate with Authelia. This example only shows the necessary
|
|
portions of the resource that you add as well as context. You will need to adapt it to your needs.
|
|
|
|
```yaml
|
|
apiVersion: install.istio.io/v1alpha1
|
|
kind: IstioOperator
|
|
spec:
|
|
meshConfig:
|
|
extensionProviders:
|
|
- name: 'authelia'
|
|
envoyExtAuthzHttp:
|
|
service: 'authelia.default.svc.cluster.local'
|
|
port: 80
|
|
pathPrefix: '/api/verify/'
|
|
includeRequestHeadersInCheck:
|
|
- accept
|
|
- cookie
|
|
- proxy-authorization
|
|
headersToUpstreamOnAllow:
|
|
- 'authorization'
|
|
- 'proxy-authorization'
|
|
- 'remote-*'
|
|
- 'authelia-*'
|
|
includeAdditionalHeadersInCheck:
|
|
X-Authelia-URL: 'https://auth.example.com/'
|
|
X-Forwarded-Method: '%REQ(:METHOD)%'
|
|
X-Forwarded-Proto: '%REQ(:SCHEME)%'
|
|
X-Forwarded-Host: '%REQ(:AUTHORITY)%'
|
|
X-Forwarded-URI: '%REQ(:PATH)%'
|
|
X-Forwarded-For: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%'
|
|
headersToDownstreamOnDeny:
|
|
- set-cookie
|
|
headersToDownstreamOnAllow:
|
|
- set-cookie
|
|
```
|
|
|
|
### Authorization Policy
|
|
|
|
The following [Authorization Policy] applies the above filter extension provider to the `nextcloud.example.com` domain:
|
|
|
|
```yaml
|
|
apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: nextcloud
|
|
namespace: apps
|
|
spec:
|
|
action: CUSTOM
|
|
provider:
|
|
name: 'authelia'
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
hosts:
|
|
- 'nextcloud.example.com'
|
|
```
|
|
|
|
## See Also
|
|
|
|
- Istio [External Authentication](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/) Documentation
|
|
- Istio [Authorization Policy] Documentation
|
|
- Istio [IstioOperator Options](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/) Documentation
|
|
- Istio [MeshConfig Extension Provider EnvoyExtAuthz HTTP Provider](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider) Documentation
|
|
|
|
[Authorization Policy]: https://istio.io/latest/docs/reference/config/security/authorization-policy/
|