Istio in Kubernetes: Oauth2 External Auth

Hi all,

I’m looking to replace an Nginx Ingress Controller with the Istio Gateway and am looking for the appropriate means to integrate an external OAuth2 Proxy. The Nginx Ingress controller handles this with annotations on the Ingress resource and is documented here:
https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

I am looking to do something similar with the Istio Gateway. The closest article that I can find related to this is using an EnvoyFilter Lua script as shown here:

This looks like a good resource, but was wondering if there was more information about this. I’m also wondering if there is an easier way to achieve this (as the syntax is pretty simple in the case of the Nginx Ingress controller - I’m wondering if someone has done this before with the Istio Gateway).

What is the best way to go about integrating Istio in Kubernetes with an external Oauth2 service?

Thank you for reading, and any feedback is much appreciated.

Hi Joe, I’m looking at doing this as well. What did you settle on?

Hi haggs, I ended up using the EnvoyFilter attached to the istio ingress gateway, kinda as documented in that blog post. I really wish I could find an easier way, as writing the code in Lua seems kinda fragile. I wonder if there are any plans to use the web assembly plugins available in newer Istio versions.

Ok thanks! Did you by chance check out this auth service: https://github.com/istio-ecosystem/authservice It was pretty easy to use out of the box. Likewise I am looking forward to a WASM plugin, I know the group on the IBM adapter have talked about moving their adapter there.

@YangminZhu is there any plan to add a user guide into istio.io that integrates with external auth?

The user guide could be a good blog post on istio.io if the original author is willing to send out a PR.

On the other hand, we’re working to improve the ext_authz use case in Istio to provide first-class support, but this is still at an early stage and currently we do not have a concrete timeline; we will share the design with the community once it’s ready.

@Joe_J
Hi Joe,
I am also looking to integrate oauth2 proxy with istio ingress gateway. Did you get any other alternative approach on this?

Thanks all for the replies. I did look into authservice. I was looking for a way to authenticate on a per-k8s-service basis. And each namespace has its own oauth2 service, so I needed a way to send auth requests directed at a specific k8s service to a specific oauth2 proxy service in a specific namespace.

With Nginx ingress, this worked well with ingress annotations: auth-url to auth each request through the ingress and auth-signin to land the user on a failed login page.

nginx.ingress.kubernetes.io/auth-url
nginx.ingress.kubernetes.io/auth-signin

So basically, on a per k8s service basis, I needed to have something that allows me to call an auth url for every request and allow me a way to redirect the user to a signin url if the auth request fails (and preserve the “next url”).

I couldn’t find a way to do this with either ext_auth or authservice, but maybe I missed something. It’s almost as if the Istio approaches (istio docs, ext_auth, authservice) assume a user will be making API requests to Istio-backed services rather than browsing with a web browser.

I ended up going the EnvoyFilter route (on the ingress gateway), which is unfortunate because it feels really fragile. For every k8s service needing ingress in every namespace, I needed to deploy a gateway EnvoyFilter with a Lua code block that matches the domain and path component for that service and applies my auth logic there as Lua code. I can’t write unit tests for this Lua code either (not sure how to write tests for a Lua filter).

It’s unfortunate because this was so easy with the Nginx ingress annotations, but maybe I’m missing something obvious. This was a huge obstacle to moving away from Nginx ingress to Istio ingress. Maybe a webassembly plugin approach would work for this?
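The per-service auth-url / auth-signin pattern Joe describes above, and the first-class ext_authz support Yangmin mentions, map onto the `CUSTOM` action of Istio's AuthorizationPolicy, which shipped in Istio 1.9. The following is an added example, not code from this thread or from the Istio or oauth2-proxy projects. It assumes Istio 1.9 or newer, one oauth2-proxy deployment per team namespace (here a Service `oauth2-proxy` in namespace `team-a` on port 4180), an app Service `app` on port 8080, a Gateway `istio-system/public-gateway`, and the host `app.team-a.example.com`; all of those names are placeholders.

```yaml
# Added example (not from the thread). Assumes Istio >= 1.9 (CUSTOM action),
# an oauth2-proxy Service "oauth2-proxy" in namespace "team-a" on port 4180,
# and an app Service "app" on port 8080. Names and hosts are placeholders.

# 1. Register the per-namespace oauth2-proxy as an ext_authz provider.
#    Extension providers live in the mesh config (IstioOperator
#    spec.meshConfig or the "istio" ConfigMap in istio-system); add one
#    entry per team namespace that runs its own oauth2-proxy.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiocontrolplane
  namespace: istio-system
spec:
  meshConfig:
    extensionProviders:
    - name: oauth2-proxy-team-a
      envoyExtAuthzHttp:
        service: oauth2-proxy.team-a.svc.cluster.local
        port: 4180
        # Deliberately no pathPrefix: the check request reaches oauth2-proxy
        # at the original path, so an unauthenticated browser request gets a
        # 302 to /oauth2/start?rd=<original url> (the nginx auth-signin
        # behaviour, with the "next url" preserved) rather than a bare 401
        # from /oauth2/auth. Host, method and path are always forwarded.
        includeRequestHeadersInCheck: ["authorization", "cookie", "x-forwarded-proto"]
        # Identity headers oauth2-proxy sets (--set-xauthrequest) reach the app.
        headersToUpstreamOnAllow: ["authorization", "x-auth-request-user", "x-auth-request-email"]
        # On deny, pass the redirect and session cookie back to the browser.
        headersToDownstreamOnDeny: ["content-type", "set-cookie", "location"]
---
# 2. Route the app host: oauth2-proxy's own endpoints (/oauth2/start,
#    /oauth2/sign_in, /oauth2/callback) go to oauth2-proxy, the rest to the app.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app
  namespace: team-a
spec:
  hosts: ["app.team-a.example.com"]
  gateways: ["istio-system/public-gateway"]
  http:
  - match:
    - uri:
        prefix: /oauth2/
    route:
    - destination:
        host: oauth2-proxy.team-a.svc.cluster.local
        port:
          number: 4180
  - route:
    - destination:
        host: app.team-a.svc.cluster.local
        port:
          number: 8080
---
# 3. Attach the check to the ingress gateway, scoped to this one host only
#    (per-service, like the nginx annotation), and skip it for oauth2-proxy's
#    own endpoints so the OAuth callback can complete without a session.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app-team-a-oauth2
  namespace: istio-system   # namespace where the ingress gateway pods run
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy-team-a
  rules:
  - to:
    - operation:
        hosts: ["app.team-a.example.com"]
        notPaths: ["/oauth2/*"]
```

The example assumes oauth2-proxy is started with `--upstream=static://202` (so an authenticated check request returns 202 instead of being proxied anywhere), `--reverse-proxy=true` (so it trusts the forwarded host and proto when building the `rd` redirect target) and `--set-xauthrequest=true` (so the `x-auth-request-*` headers listed above are actually emitted). Two caveats a practitioner should keep in mind: the `extensionProviders` list is mesh-wide configuration owned by whoever administers istio-system, so per-namespace teams cannot self-serve it the way they could with an Ingress annotation, and any path left out of the `rules` (or matched by `notPaths`) is reachable without a session, so the exclusion must stay as narrow as the `/oauth2/` route in the VirtualService. The authservice project mentioned earlier in the thread speaks Envoy's ext_authz gRPC API and can be registered the same way with `envoyExtAuthzGrpc` instead of `envoyExtAuthzHttp`.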