8447e9b9c2
* add path prefix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * use prefix correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * only set redirect if session doesn't have a redirect yet Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
49 lines
1.4 KiB
Markdown
49 lines
1.4 KiB
Markdown
Set the following settings on the _IstioOperator_ resource:
|
|
|
|
```yaml
|
|
apiVersion: install.istio.io/v1alpha1
|
|
kind: IstioOperator
|
|
metadata:
|
|
name: istio
|
|
namespace: istio-system
|
|
spec:
|
|
meshConfig:
|
|
extensionProviders:
|
|
- name: "authentik"
|
|
envoyExtAuthzHttp:
|
|
# Replace with <service-name>.<namespace>.svc.cluster.local
|
|
service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"
|
|
port: "9000"
|
|
pathPrefix: "/outpost.goauthentik.io/auth/envoy"
|
|
headersToDownstreamOnAllow:
|
|
- cookie
|
|
headersToUpstreamOnAllow:
|
|
- set-cookie
|
|
- x-authentik-*
|
|
includeRequestHeadersInCheck:
|
|
- cookie
|
|
```
|
|
|
|
Afterwards, you can create _AuthorizationPolicy_ resources to protect your applications like this:
|
|
|
|
```yaml
|
|
apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: authentik-policy
|
|
namespace: istio-system
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
istio: ingressgateway
|
|
action: CUSTOM
|
|
provider:
|
|
name: "authentik"
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
hosts:
|
|
# You can create a single resource and list all Domain names here, or create multiple resources
|
|
- "app.company"
|
|
```
|