Istio custom pre/post processing logic

I am considering integrating Istio in order to replace our custom edge implementation. Our edge has a lot of custom pre/post processing request filters that append headers to requests and do some fallback logic for some endpoints.

How should I do this with Istio?

For example, I would like to implement JWT token blacklisting. Some external service would populate Redis with blacklisted tokens, and the filter needs to check that our current token is not present.

If my understanding is correct there are a few ways that it could be done:

  1. Using EnvoyFilter with custom Lua code.
    I suppose it would be tricky to access Redis from Lua code. Also, there seems to be a problem with ordering multiple filters, and at least from what I understood it is not recommended to use custom Envoy filters because “there will not be any backward compatibility across different Istio releases”.

  2. Using a Mixer adapter.
    This seems possible for the JWT case, but I am struggling to understand if it is the right way to go. It seems like I would need to add some custom templates for other more complicated cases (for example, if I need to return multiple values from the adapter and append them to request headers). And there seems to be no way to implement custom logic for response handling.

Is there any other way to do this? Should I even bother implementing it using Istio? Am I missing something?

Thank you

Lua:
Yes, you should be able to use Lua filters. There are Lua client libraries for Redis, but I believe you would need to use your own Envoy proxy build as being a Redis client would likely require a loadable shared library.

Mixer adapter:
This could also potentially work, depending on your needs. Mixer rules have both requestHeaderOperations and responseHeaderOperations that can modify request and response headers, respectively… That said, the check call happens at request time, not response… so if you needed to vary based on parsing the response, that wouldn’t work.

Another possibility is to use a mixture of Lua and/or Mixer adapters depending on specific requirements…

1 Like

Do you think that it is the right way to go? Should I front Istio with some other technology that is more natural for those kinds of use cases (Netflix Zuul, for example)?

It feels like Lua / Mixer at the moment is at its alpha stages, not well documented, and doesn’t feel “production-ready” in its current state. I’m afraid that it might become a maintenance nightmare for the company that I work at and it will be hard to explain / teach to other developers.

I don’t know your use cases, so hard to say what is appropriate for you. But as for the technologies:

The gRPC-based Mixer adapters in Istio 1.1 have a stable API and will continue to be supported even as the internal Mixer technology itself evolves. I have published such an adapter for production use as have others. I think this is your best bet for most use cases.

The Lua support in Istio is really just a pass-through for Envoy config, but Envoy itself has committed to Lua and has pretty well documented support. That said, if you’re going to use native libraries, it’s not so straightforward: Replacing Istio’s Envoy build with a custom one is not documented, not supported, and would be an advanced trick. I agree, I would avoid it unless you’re prepared for undertaking the full support of that situation.

1 Like
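Added example (not part of any post in this thread, and not Istio or Mixer code): the revocation decision that either a Lua filter or a gRPC adapter would have to make for the JWT blacklist case, written in Go. `RevocationStore`, `memStore`, `TokenKey` and `Check` are hypothetical names; the example assumes the service populating Redis keys entries by the SHA-256 hex digest of the token, and it chooses to fail closed when the store is unreachable.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// RevocationStore is a hypothetical interface over the Redis data the external service populates.
type RevocationStore interface {
	IsRevoked(key string) (bool, error)
}

// memStore is a constructed in-memory stand-in for Redis; a nil map simulates an outage.
type memStore map[string]bool

func (m memStore) IsRevoked(key string) (bool, error) {
	if m == nil {
		return false, fmt.Errorf("revocation store unreachable")
	}
	return m[key], nil
}

// TokenKey hashes the raw token so the store never holds a usable credential (assumed key scheme).
func TokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Check maps an Authorization header to a status: 200 allow, 401 missing or revoked, 503 store down.
func Check(store RevocationStore, authHeader string) int {
	parts := strings.Fields(authHeader)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return 401
	}
	revoked, err := store.IsRevoked(TokenKey(parts[1]))
	switch {
	case err != nil:
		return 503 // a failed lookup is never treated as "not revoked"
	case revoked:
		return 401
	}
	return 200
}

func main() {
	s := memStore{TokenKey("constructed.revoked.jwt"): true} // constructed sample token
	fmt.Println(Check(s, "Bearer constructed.revoked.jwt"), Check(s, "Bearer constructed.valid.jwt"))
}
```

The lookup only answers whether a token has been revoked; signature and expiry validation of the JWT still has to happen before or alongside it.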