
Added a comment about allowing the http authorization headers to upstream, necessary in an istio meshConfig if there are proxy providers which inject http basic auth headers. Signed-off-by: Wessel Valkenburg (prevue.ch) <116259817+valkenburg-prevue-ch@users.noreply.github.com>
52 lines
1.7 KiB
Markdown
Set the following settings on the _IstioOperator_ resource:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio
  namespace: istio-system
spec:
  meshConfig:
    extensionProviders:
      - name: "authentik"
        envoyExtAuthzHttp:
          # Replace with <service-name>.<namespace>.svc.cluster.local
          service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"
          port: "9000"
          pathPrefix: "/outpost.goauthentik.io/auth/envoy"
          headersToDownstreamOnAllow:
            - cookie
          headersToUpstreamOnAllow:
            - set-cookie
            - x-authentik-*
            # Add authorization headers to the allow list if you need proxy providers which
            # send a custom HTTP-Basic Authentication header based on values from authentik
            # - authorization
          includeRequestHeadersInCheck:
            - cookie
```

Afterwards, you can create _AuthorizationPolicy_ resources to protect your applications like this:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authentik-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: "authentik"
  rules:
    - to:
        - operation:
            hosts:
              # You can create a single resource and list all Domain names here, or create multiple resources
              - "app.company"
```
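The two resources above only work together when the `provider.name` in the _AuthorizationPolicy_ matches an entry under `meshConfig.extensionProviders` and the ext_authz provider forwards the headers the outpost and the application need. The following check is an added example, not part of authentik or Istio; the manifests are constructed in-line as dicts mirroring the ones on this page, and the `basic_auth_providers` flag is an assumption standing in for "I use proxy providers that inject HTTP Basic credentials".

```python
"""Cross-check an IstioOperator ext_authz provider against the AuthorizationPolicy using it."""
import re

# Constructed: the relevant part of the IstioOperator resource shown on this page.
ISTIO_OPERATOR = {"spec": {"meshConfig": {"extensionProviders": [{
    "name": "authentik",
    "envoyExtAuthzHttp": {
        "service": "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local",
        "port": "9000",
        "pathPrefix": "/outpost.goauthentik.io/auth/envoy",
        "headersToDownstreamOnAllow": ["cookie"],
        "headersToUpstreamOnAllow": ["set-cookie", "x-authentik-*"],
        "includeRequestHeadersInCheck": ["cookie"],
    }}]}}}

# Constructed: the AuthorizationPolicy shown on this page.
AUTHZ_POLICY = {"spec": {"action": "CUSTOM", "provider": {"name": "authentik"},
                         "rules": [{"to": [{"operation": {"hosts": ["app.company"]}}]}]}}

# The service must be the in-cluster FQDN of the outpost, as the YAML comment says.
FQDN = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.svc\.cluster\.local$")


def check(operator, policy, basic_auth_providers=False):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    providers = {p["name"]: p for p in
                 operator["spec"]["meshConfig"].get("extensionProviders", [])}
    spec = policy["spec"]
    if spec.get("action") != "CUSTOM":
        findings.append("action must be CUSTOM to delegate the decision to an ext_authz provider")
    name = spec.get("provider", {}).get("name")
    if name not in providers:
        findings.append(f"provider {name!r} is not defined in meshConfig.extensionProviders")
        return findings  # nothing further can be checked without the provider
    ext = providers[name].get("envoyExtAuthzHttp", {})
    if not FQDN.match(ext.get("service", "")):
        findings.append("service should be <service-name>.<namespace>.svc.cluster.local")
    if "cookie" not in [h.lower() for h in ext.get("includeRequestHeadersInCheck", [])]:
        findings.append("includeRequestHeadersInCheck lacks 'cookie': the outpost never sees the session")
    upstream = [h.lower() for h in ext.get("headersToUpstreamOnAllow", [])]
    if basic_auth_providers and "authorization" not in upstream:
        findings.append("headersToUpstreamOnAllow lacks 'authorization': injected Basic credentials are dropped")
    if not spec.get("rules"):
        findings.append("rules is empty, so the policy matches no request")
    return findings


if __name__ == "__main__":
    print(check(ISTIO_OPERATOR, AUTHZ_POLICY, basic_auth_providers=True))
```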