Configuring Authz for proxy-protocol
By default, the authorization policies are created using workload port of the server to match the traffic. However in some cases like when using curl with --haproxy-protocol
, envoy proxy tries to match the incoming traffic at service port instead of the workload port. This document provides a way for users to allow that.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups
✓ Configure Permissions
✓ Configure Ingress Gateway
Apply haproxy-protocol EnvoyFilter
Enable haproxy-protocol on listener. Create the following haproxy-filter.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: proxy-protocol
namespace: bookinfo
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: proxy_protocol
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
allow_requests_without_proxy_protocol: true
- name: tls_inspector
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector"
Apply with kubectl
kubectl apply -f haproxy-filter.yaml
Configure TSB Gateway
Update the gateway.yaml
file to the following:
- Gateway
- Legacy
apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
Metadata:
organization: tetrate
name: bookinfo-gw-ingress
group: bookinfo-gw
workspace: bookinfo-ws
tenant: tetrate
spec:
workloadSelector:
namespace: bookinfo
labels:
app: tsb-gateway-bookinfo
http:
- name: bookinfo
port: 443
hostname: "bookinfo.tetrate.com"
tls:
mode: SIMPLE
secretName: bookinfo-certs
routing:
rules:
- route:
serviceDestination:
host: "bookinfo/productpage.bookinfo.svc.cluster.local"
From TSB 1.7.0 onwards, we have merged both Tier1Gateway and IngressGateway capabilities under a common resource Gateway
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
Metadata:
organization: tetrate
name: bookinfo-gw-ingress
group: bookinfo-gw
workspace: bookinfo-ws
tenant: tetrate
spec:
workloadSelector:
namespace: bookinfo
labels:
app: tsb-gateway-bookinfo
http:
- name: bookinfo
port: 443
hostname: "bookinfo.tetrate.com"
tls:
mode: SIMPLE
secretName: bookinfo-certs
routing:
rules:
- route:
host: "bookinfo/productpage.bookinfo.svc.cluster.local"
Apply with tctl
tctl apply -f gateway.yaml
Configure Ingress Gateway object
To enable authorization on the service port instead of workload port update your ingress.yaml
:
apiVersion: install.tetrate.io/v1alpha1
kind: IngressGateway
metadata:
name: tsb-gateway-bookinfo
namespace: bookinfo
spec:
kubeSpec:
service:
type: LoadBalancer
annotations:
xcp.tetrate.io/authz-ports: "443" # This annotation prevents TSB translation for this port to workload port when creating istio authorization policies
Apply with kubectl
kubectl apply -f ingress.yaml
Testing
To test if your ingress is working correctly with haproxy-protocol try the following curl curl request:
curl -k -s --connect-to bookinfo.tetrate.com:443:$GATEWAY_IP \
"https://bookinfo.tetrate.com/productpage" | \
grep -o "<title>.*</title>" \
-H "X-B3-Sampled: 1"