I have a simple application based on the httpbin application in the example. It is set up to use Istio through a simple gateway…
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: httpbin
        port:
          number: 8000
```
I can run `minikube tunnel` and access via port 80. I would now like to add authentication using OAuth2 Proxy and OIDC. I configure OAuth2 Proxy and confirm it is working by running `minikube service -n istio-system oauth-proxy`. Now I would like to connect the two, so I try adding the following to the config map (per the instructions)…
```yaml
extensionProviders:
- name: "oauth2-proxy"
  envoyExtAuthzHttp:
    service: "oauth-proxy.istio-system.svc.cluster.local"
    port: "4180" # The default port used by oauth2-proxy.
    includeRequestHeadersInCheck: ["authorization", "cookie"]
    headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
    headersToDownstreamOnDeny: ["content-type", "set-cookie"]
```
Everything works until I get to the OAuth. Then it redirects to `http://127.0.0.1/oauth2/start?rd=%2Fip`, which throws a 404 (since it is not being forwarded by Istio). How would I go about handling this? Do I need another gateway/virtual service for the OAuth2 proxy deployment running in istio-system?