Service Routing in Kubernetes using Istio based on JWT token - istio

I would like to use Istio in my Kubernetes cluster for routing. My use case is that I have 3 services running in my cluster - A, B, and C. I would like to route my traffic to these services based on some value in a JWT token. Is it doable using Istio?

I found that the following GitHub issues, #3763 and #8444, might be relevant to your initial request, and based on the contributors' comments, the feature of routing network traffic on JWT claims is not expected in further Istio Mixer adapter development.
However, I assume that you can configure Envoy HTTP filters in order to fetch the JWT token from the HTTP header, use the match option for RequirementRule, and apply some Lua script that will provide the routing functionality. The other way would be using an intermediate proxy server like NGINX Plus, which has content-based routing with JWTs out of the box within the NGINX Ingress Controller for Kubernetes.
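Istio later added routing on claims of a JWT that the ingress gateway has already validated, which avoids the Lua filter the answer sketches. The following is an added example, not code from the answer or the Istio project; the issuer, JWKS URL, gateway name, the claim "tenant" and the service names are assumed placeholders.

```yaml
# Added example: claim-based routing at the ingress gateway. Issuer, JWKS
# URL, gateway, claim "tenant" and service names are assumed placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata: {name: ingress-jwt, namespace: istio-system}
spec:
  selector: {matchLabels: {istio: ingressgateway}}
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
    forwardOriginalToken: true   # only if A/B/C need the token themselves
---
# RequestAuthentication rejects invalid tokens but lets token-less requests
# through; deny those at the gateway so they never reach the routes below.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata: {name: require-jwt, namespace: istio-system}
spec:
  selector: {matchLabels: {istio: ingressgateway}}
  action: DENY
  rules:
  - from: [{source: {notRequestPrincipals: ["*"]}}]
---
# Validated claims are matchable as "@request.auth.claims.<claim>" headers.
# This works on gateways only, not on sidecars. No catch-all route: a valid
# token with an unexpected tenant value gets a 404 instead of a service.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: route-by-claim, namespace: default}
spec:
  hosts: ["*"]
  gateways: ["istio-system/my-gateway"]
  http:
  - match:
    - headers:
        "@request.auth.claims.tenant": {exact: "a"}
    route:
    - destination: {host: service-a}
  - match:
    - headers:
        "@request.auth.claims.tenant": {exact: "b"}
    route:
    - destination: {host: service-b}
  - match:
    - headers:
        "@request.auth.claims.tenant": {exact: "c"}
    route:
    - destination: {host: service-c}
```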

Related

Use JWT Auth with Google's new Load Balancer (Envoy)

Is it possible to handle authentication (using a JWT) with Google's Load Balancer? I know it uses the Envoy proxy under the hood to handle advanced traffic management. But is it just that? I know Envoy has native implementations to validate JWTs (using HTTP filters); can this GCP LB version use that?
If that's not the case, do you know any GCP service that can manage this type of logic + LB? (besides Google's API Gateway)
We cannot use JWT Auth with the GCP Load Balancer. However, you might want to explore IAP for this concern.
Let me also share with you the overview of IAP for further understanding.
You can check this link on how to enable IAP on external load balancer under backend service. Also note that there are possibilities of changes depending on what resource you are using.

Istio Request Time out configurations for https/tls calls

We are looking to leverage existing Istio functionality to configure request timeouts. Our microservice is in the service mesh, and it makes an HTTPS call to an external system. Is it possible to configure the timeouts for HTTPS calls?
We found this Istio documentation, but the examples there are HTTP only:
Istio Request Timeouts
Well, when you use HTTPS/TLS, traffic is encrypted outside of Istio and therefore much Istio functionality is not available.
You could define a Service Entry and use TLS origination to let Istio do the upgrade, then you could also use a request timeout. See this.
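The Service Entry plus TLS origination setup the answer refers to, as an added example that is not part of the answer or of the Istio docs. api.example.com is an assumed external host, and the CA bundle path is an assumed location inside the proxy image; the application must call http://api.example.com (not https://) so the sidecar sees a plaintext request it can time out.

```yaml
# Added example: TLS origination so the app's call is plain HTTP inside the
# mesh and the timeout applies. api.example.com and the CA path are assumed.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata: {name: external-api}
spec:
  hosts: [api.example.com]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - {number: 80, name: http-port, protocol: HTTP}
  - {number: 443, name: https-port, protocol: HTTPS}
---
# The sidecar upgrades port-80 traffic to TLS. Set caCertificates so the
# server certificate is verified regardless of the Istio release's default
# for SIMPLE mode; without verification the link is encrypted but not
# authenticated. sni is what the external server expects.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata: {name: external-api-tls}
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
    - port: {number: 443}
      tls:
        mode: SIMPLE
        sni: api.example.com
        caCertificates: /etc/ssl/certs/ca-certificates.crt
---
# Rewrite port 80 to 443 and bound the whole outbound call at 5 seconds.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: external-api}
spec:
  hosts: [api.example.com]
  http:
  - match: [{port: 80}]
    route:
    - destination: {host: api.example.com, port: {number: 443}}
    timeout: 5s
```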

AWS ALB Listener Rules - OIDC - Google Oauth

I am trying to set listener rules on an ALB. I want to add Google OAuth support to one of my servers.
Here are the Google endpoints I am using:
I see the Google auth page alright, but on the callback URL I'm seeing 500 Internal Server Error. I've also set the callback URL. I am at a loss as to what's wrong here. Any help is most appreciated!
After authentication, I'm not redirecting to my application; instead I've set the ALB to show a simple text-based response.
I struggled with the same problem for hours, and in the end it turned out to be the user info endpoint that was wrong. I was using the same one as you, but it should be https://openidconnect.googleapis.com/v1/userinfo.
I haven’t found any Google documentation saying what the value should be, but found this excellent blog post that contained a working example: https://cloudonaut.io/how-to-secure-your-devops-tools-with-alb-authentication/ (the first example uses Cognito, but the second uses OIDC and Google directly).
From the AWS documentation:
HTTP 500: Internal Server Error
Possible causes:
You configured an AWS WAF web access control list (web ACL) and there was an error executing the web ACL rules.
You configured a listener rule to authenticate users, but one of the following is true:
The load balancer is unable to communicate with the IdP token endpoint or the IdP user info endpoint. Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.
The size of the claims returned by the IdP exceeded the maximum size supported by the load balancer.
A client submitted an HTTP/1.0 request without a host header, and the load balancer was unable to generate a redirect URL.
A client submitted a request without an HTTP protocol, and the load balancer was unable to generate a redirect URL.
The requested scope doesn't return an ID token.
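A listener rule that wires the endpoints from both answers together, as an added CloudFormation example that is not part of either answer. The issuer, authorization, token and userinfo URLs are Google's published OIDC endpoints; the listener ARN, client id/secret and rule priority are placeholders.

```yaml
# Added example: ALB listener rule doing Google sign-in then a fixed response.
# authenticate-oidc works on HTTPS listeners only, and the ALB needs outbound
# access to the Google endpoints (see the 500 causes above). The redirect URI
# registered with Google must be https://<alb-host>/oauth2/idpresponse.
Resources:
  GoogleAuthRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER
      Priority: 10
      Conditions:
        - Field: path-pattern
          Values: ["/*"]
      Actions:
        - Type: authenticate-oidc
          Order: 1
          AuthenticateOidcConfig:
            Issuer: https://accounts.google.com
            AuthorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth
            TokenEndpoint: https://oauth2.googleapis.com/token
            # The wrong userinfo endpoint was the cause of the 500 above
            UserInfoEndpoint: https://openidconnect.googleapis.com/v1/userinfo
            ClientId: PLACEHOLDER_CLIENT_ID
            ClientSecret: PLACEHOLDER_CLIENT_SECRET
            # "openid" must be in scope or no ID token is returned (HTTP 500)
            Scope: "openid email"
            OnUnauthenticatedRequest: authenticate
        - Type: fixed-response
          Order: 2
          FixedResponseConfig:
            StatusCode: "200"
            ContentType: text/plain
            MessageBody: "authenticated"
```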

HTTP to HTTPS redirect in backend behind GCLB

To my knowledge Google Cloud Load Balancer does not support HTTP to HTTPS redirect out of the box, and it's a known issue: https://issuetracker.google.com/issues/35904733
Currently, I'm sending certain requests to GKE backend where I run Kubernetes apps and I have GCS-backed backends. I'm also using Apache in the default backend where I force HTTPS.
The problem with this approach is that, if any request matches the criteria for the GKE backend, I have no way to force HTTPS. I'm thinking of using the Apache backend for all requests (?) and somehow proxying some of them to the GKE backend. This way the Apache backend becomes a bottleneck and I'm not sure if it's a good solution at all.
How would you approach this problem? Thanks in advance!
Seems that the only way is to send HTTP traffic to a custom backend (it can be Apache/NGINX) and force the HTTPS upgrade there.
I find this answer useful if you're using GKE backend with an Ingress.
How to force SSL for Kubernetes Ingress on GKE
To force SSL traffic from Load Balancer to GKE backend (pod), you need to expose port 443 (or similar) on the pod and configure SSL there.
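The custom-backend approach from the first answer, as an added example that is not part of the answers: an NGINX config in a ConfigMap that redirects only requests the load balancer received over plain HTTP. app-service is an assumed in-cluster Service name.

```yaml
# Added example: NGINX backend behind the GCLB that upgrades HTTP to HTTPS.
# GCLB sets X-Forwarded-Proto; trusting it is safe only because the GCLB is
# the sole path to this backend, so firewall the node/pod port to the GCLB
# proxy ranges instead of leaving it open to the VPC.
apiVersion: v1
kind: ConfigMap
metadata: {name: https-redirect-conf}
data:
  default.conf: |
    server {
      listen 8080;
      server_name _;
      # GCLB health checks must keep getting 200 or the backend is marked down
      location = /healthz {
        default_type text/plain;
        return 200 "ok\n";
      }
      # Redirect only when the client reached the load balancer over HTTP
      if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
      }
      location / {
        proxy_pass http://app-service:8080;   # assumed in-cluster Service
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
      }
    }
```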

How to safely secure micro-services in AWS VPC with ALB and OAuth server?

tldr: See bold generic questions below.
I have built the infrastructure outlined below (in the attachment) in AWS. OAuth specifies an auth server which issues tokens (authorizes) and then authenticates tokens on each request and allows a proxy to the internal ALB.
It's based on a microservices architecture and uses OAuth to issue tokens and authenticate them from the client apps. The client apps could be apps inside the VPC or apps external to the VPC. As you can see, I want all requests to go through the OAuth server before they get to the internal ALB. Now the different types of apps should use different types of grants to get access tokens. Those access tokens will contain a scope which relates to the routes (API endpoints) of the internal ALB.
Now I have a few questions which I hope are as succinct as possible:
AWS VPC ALB Questions
What is the most secure way of ensuring that only the OAuth apps communicate with the internal ALB and not other apps in the public subnet? So we can be sure that all requests to the internal ALB are authenticated? Do I have to somehow attach a new OAuth-only subnet to the input of the internal ALB, but how do I restrict the internal ALB's input?
To the same end, how do I ensure apps in the same subnet do not communicate with each other? Basically, how do I ensure that no internal apps communicate with each other and must be passed all the way to the external load balancer and therefore to OAuth from the private subnet?
Route 53 SSL termination ALB
Does SSL termination on a certain port stop traffic directed from different domains? If I make a call to ALB port 433 from the internal ALB with SSL termination, do I have to call from the host (Route 53 something.com) specified by the certificate, or can I use the DNS hostname of the ALB (something.elb.amazonaws.com) resolved by AWS ok?
Scopes and OAuth
How to compare each request's URL and its token with OAuth scopes? I want to relate OAuth scopes to API endpoints. So each request goes to a route endpoint with an access_token which contains scopes. This scope will have to be compared with the request URL on each request to make sure it's allowed. Does OAuth come with this functionality? I would guess not. However, what's the point of scopes if this is not the case? Seems like scope is just an array I need to do some processing on after authentication rather than it being special in OAuth. I'm probably missing something :-).
This post is too long already so I can't, for obvious reasons, get into all the details, but if you would like more detail I would of course give it. Even a nudge in the right direction would be useful at this point.
Thanks in advance.