 8447e9b9c2
			
		
	
	
	
	
		
			
* add path prefix
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* use prefix correctly
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* only set redirect if session doesn't have a redirect yet
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
		
			
				
	
	
		
			49 lines
		
	
	
		
			1.4 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
Set the following settings on the _IstioOperator_ resource:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
    name: istio
    namespace: istio-system
spec:
    meshConfig:
        extensionProviders:
            - name: "authentik"
              envoyExtAuthzHttp:
                  # Replace with <service-name>.<namespace>.svc.cluster.local
                  service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"
                  port: "9000"
                  pathPrefix: "/outpost.goauthentik.io/auth/envoy"
                  headersToDownstreamOnAllow:
                      - cookie
                  headersToUpstreamOnAllow:
                      - set-cookie
                      - x-authentik-*
                  includeRequestHeadersInCheck:
                      - cookie
```

Afterwards, you can create _AuthorizationPolicy_ resources to protect your applications like this:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
    name: authentik-policy
    namespace: istio-system
spec:
    selector:
        matchLabels:
            istio: ingressgateway
    action: CUSTOM
    provider:
        name: "authentik"
    rules:
        - to:
              - operation:
                    hosts:
                        # You can create a single resource and list all Domain names here, or create multiple resources
                        - "app.company"
```
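Only requests whose host matches a `hosts` entry of the _AuthorizationPolicy_ are handed to the authentik provider, so a hostname served by the gateway but missing from that list is not checked. The following added example (not part of the authentik documentation) audits this, with the two resources above rewritten as Python dicts. The names `audit` and `host_matches` and the second hostname `grafana.company` are hypothetical, and it assumes rules restrict by host only.

```python
# Added example (not authentik's code): audit ext-authz coverage.
# The dicts mirror the page's YAML; "grafana.company" is a constructed host.
MESH_CONFIG = {"extensionProviders": [{
    "name": "authentik",
    "envoyExtAuthzHttp": {
        "service": "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local",
        "includeRequestHeadersInCheck": ["cookie"],
    },
}]}
POLICY = {"spec": {
    "selector": {"matchLabels": {"istio": "ingressgateway"}},
    "action": "CUSTOM",
    "provider": {"name": "authentik"},
    "rules": [{"to": [{"operation": {"hosts": ["app.company"]}}]}],
}}
GATEWAY_HOSTS = ["app.company", "grafana.company"]  # constructed sample


def host_matches(pattern, host):
    """Exact match or one leading/trailing '*', compared in lower case."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return pattern == host


def audit(mesh_config, policy, gateway_hosts):
    """Return findings; assumes rules restrict by host only, as on the page."""
    findings = []
    providers = {p["name"]: p for p in mesh_config.get("extensionProviders", [])}
    spec = policy["spec"]
    name = spec.get("provider", {}).get("name")
    if spec.get("action") != "CUSTOM" or name not in providers:
        findings.append(f"policy does not use a defined provider: {name!r}")
    else:
        authz = providers[name].get("envoyExtAuthzHttp", {})
        # Assumption: the outpost needs the session cookie to recognise a login.
        if "cookie" not in authz.get("includeRequestHeadersInCheck", []):
            findings.append("cookie header is not forwarded to the outpost")
    patterns = [h for rule in spec.get("rules", [])
                for to in rule.get("to", [])
                for h in to.get("operation", {}).get("hosts", [])]
    for host in gateway_hosts:
        if not any(host_matches(p, host) for p in patterns):
            findings.append(f"host not sent to authentik: {host}")
    return findings

print(audit(MESH_CONFIG, POLICY, GATEWAY_HOSTS))
```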