We are implementing Istio in our k8s cluster. Our first use case is to move authentication/authorization out of our application and handle it in Istio, and to gain more insight into our cluster communication. We plan to use canaries, A/B, dev testing and all the other cool stuff in the future.
Maybe it's me, but it seems like we are hitting a lot of walls doing this with Istio.
We are using JWT tokens; API/mobile clients send them in headers, and web apps send them in cookies.
We would like Istio to decode the JWT, validate it, and put everything in headers, so that a VirtualService can route based on JWT values and the application doesn't have to think about JWTs but can concentrate on header values.
Here are some of our observations:
Documentation is not up to date; some examples are not working.
There are lots of unanswered questions in this forum.
It seems like the release of 1.5 outdated all prior documentation/examples/blog posts etc. But when searching for something, that's all we get.
Support for JWT in cookies is missing. Generally it seems that JWT isn't that well supported. What is everyone else using?
Is Istio mature enough for this use case?
Are we wrong in these observations?
We are trying to solve the use case using RequestAuthentication, AuthorizationPolicy and Lua EnvoyFilters. The latter is something we would like to avoid; it makes everything much more complex.
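An added configuration example (not from the original post or the Istio project) showing the header-carried variant of the setup described above: the issuer URL, JWKS URL, the `app: web` label and the `groups` claim are assumed placeholders. `jwtRules` offers only `fromHeaders`/`fromParams` sources, so cookie-carried tokens are not covered, and `outputPayloadToHeader` emits the whole validated payload as base64url-encoded JSON, so claim-level decisions are simpler in an AuthorizationPolicy `when` condition than in a VirtualService header match.

```yaml
# Added example, not from the original post. Assumed placeholders: issuer URL,
# JWKS URL, workload label app=web, and a "groups" claim in the token.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: web-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: web
  jwtRules:
  - issuer: "https://issuer.example.com"
    audiences: ["web"]
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
    # Token is read from "Authorization: Bearer <jwt>"; there is no cookie source.
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
    # The validated payload (base64url JSON) is handed to the app in this header,
    # so the app can read claims without verifying the signature itself.
    outputPayloadToHeader: x-jwt-payload
    # Do not forward the raw token upstream once it has been validated here.
    forwardOriginalToken: false
---
# RequestAuthentication alone only rejects requests carrying an *invalid* token;
# requests with no token still pass. This policy requires a validated principal
# (issuer/subject) and restricts access on a claim value.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: web
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://issuer.example.com/*"]
    when:
    - key: request.auth.claims[groups]
      values: ["beta-testers"]
```

A quick check after applying both: a request with no token or with a wrong `groups` claim should get 403 from the sidecar, and one with a tampered signature should get 401 before the application sees it.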