I’m trying to get the Open Policy Agent adapter working in Istio 1.1. I’ve installed Istio into a Minikube cluster using Helm and the default Helm template values.
I’ve set up the OPA adapter operator configurations as described here. I noticed in the logs though that the handler is not being recognized:
Here are my Kubernetes manifests:
apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
  name: opa-handler
  namespace: istio-system
spec:
  policy:
    - |+
      package mixerauthz
      default allow = false
      #allow = true {
      # input.subject.user = jwhitaker
      # input.action.method = "GET"
      #}
  checkMethod: "data.mixerauthz.allow"
  failClose: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: authorization
  namespace: istio-system
spec:
  actions:
  - handler: opa-handler
    instances: ["authz-instance"]
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: authz-instance
  namespace: istio-system
spec:
  template: authorization
  params:
    subject:
      user: request.auth.claims["sub"] | request.auth.principal | source.principal | ""
      groups: request.auth.claims["groups"] | ""
      properties:
        iss: request.auth.claims["iss"] | ""
    action:
      namespace: destination.namespace | "default"
      service: destination.service.host | ""
      path: request.path | "/"
      method: request.method | ""
      properties:
        version: destination.labels["version"] | ""
Does OPA come pre-compiled into Mixer? If so, why would I be having this issue? I’ve compiled in a Mixer adapter before and got it to work, and I’ve also used gRPC out-of-process adapters without issue. So this issue is new to me…