Istio maturity observations

We are implementing Istio in our k8s cluster. Our first use case is to move authentication / authorization out of our application and handle it in Istio, and to gain more insight into our cluster communication. We plan to use canaries, a/b, dev testing and all the other cool stuff in the future.

Maybe it’s me, but it seems like we are hitting a lot of walls doing this with Istio.

We are using JWT tokens; API/mobile clients are sending them in headers, and web apps are sending them in cookies.

We would like Istio to decode the JWT, validate it, and put everything in headers, so that a VirtualService can route based on JWT values and the application doesn’t have to think about JWT, but can concentrate on header values.

Here are some of our observations:

Documentation is not up to date, some examples are not working.

There are lots of unanswered questions in this forum.

It seems like the release of 1.5 outdated all prior documentation/examples/blog posts etc. But when searching for something, that’s all we get.

Support for JWT in cookies is missing. Generally it seems that JWT isn’t that well supported. What is everyone else using?

Is Istio mature enough for this use case?

Are we wrong in these observations?

We are trying to solve the use case using RequestAuthentication, AuthorizationPolicy and Lua EnvoyFilters. The latter is something we would like to avoid; it makes everything much more complex.

2 Likes
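The RequestAuthentication plus AuthorizationPolicy pairing mentioned in the post, as an added example that is not from either poster: the sidecar validates a Bearer JWT, exposes the decoded payload to the application as a header, and enforces claim-based authorization without a Lua EnvoyFilter. The issuer, JWKS URI, namespace, app label, header name and the `groups` claim are placeholders.

```yaml
# Added example, not from the thread. Placeholders: issuer, jwksUri,
# namespace "demo", label app=webapp, header x-jwt-payload, claim "groups".
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: demo
spec:
  selector:
    matchLabels:
      app: webapp
  jwtRules:
  - issuer: "https://issuer.example.com"                        # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
    # The base64url-encoded JWT payload is written to this header, so the
    # application reads claims from it instead of parsing the token itself.
    outputPayloadToHeader: x-jwt-payload
    # The raw token is not forwarded to the application.
    forwardOriginalToken: false
---
# RequestAuthentication alone only rejects *invalid* tokens; a request with
# no token still passes. The DENY rules below close that gap and add a
# claim check. Rules in one policy are OR-ed: any match denies the request.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: jwt-policy
  namespace: demo
spec:
  selector:
    matchLabels:
      app: webapp
  action: DENY
  rules:
  # Rule 1: deny requests that carry no validated JWT principal.
  - from:
    - source:
        notRequestPrincipals: ["*"]
  # Rule 2: deny /admin/* unless the (placeholder) groups claim has "admin".
  - to:
    - operation:
        paths: ["/admin/*"]
    when:
    - key: request.auth.claims[groups]
      notValues: ["admin"]
```

A DENY policy is used for the claim check so that paths outside `/admin/*` keep their existing behaviour; an ALLOW policy on the same workload would implicitly deny every request that matches none of its rules.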

Hi @ovd-capturi!

I hear your frustration and am with you. Before I go into some general recommendations, let me tell you that Istio has come a long way and has improved tremendously. I started evaluating it shortly after its GA release (v 1.0) and it has matured greatly since then. However, I agree, there is still a lot of room for improvement. But, please keep in mind that Istio is a community effort mostly developed and maintained by “volunteers”, although some companies have a vested interest in it and actively contribute by dedicating some of their staff to work on it.
Nevertheless, it is definitely not comparable with a “commercial” product, where you can and should expect more.

Now to some of your concrete issues you are seeing:
Istio is using Envoy proxy (https://www.envoyproxy.io/) as its data plane, i.e. the component that is “moving the bits and bytes”. For a lot of the more detailed documentation, you might want to study Envoy’s documentation. While Istio uses a slightly modified version of Envoy, it is nevertheless 99% the same, so all of the documentation also applies to Istio.
For example, regarding JWT authentication you can read more about it here https://www.envoyproxy.io/docs/envoy/v1.14.1/configuration/http/http_filters/jwt_authn_filter#config-http-filters-jwt-authn.
Also, while there is no standard about this, I believe passing JWTs in the authentication header of HTTP requests is considered “best practice” and not in a cookie. So, it is no surprise to me that there is little support for this specific use case. BTW, there is an “enhancement request” for Envoy to support JWT authentication in HTTPOnly cookies https://github.com/envoyproxy/envoy/issues/7025

So, sometimes you have to read both sets of documentation - for Istio and Envoy - and figure out how to translate the Envoy configuration into Istio.

Even though it is sometimes harder to work with Istio, please keep trying. It is a great product!

P.S. I am not affiliated with the Istio project in any form, except that I am a potential user (not yet deployed to production) and a big “fan” of it.

2 Likes