jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-06-09 12:47:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

feature: support third-party-jwt for istio access authentication (#93)

Browse Source
This commit is contained in:
xcbeyond
2022-12-02 17:00:25 +08:00
committed by GitHub
parent 1e448da8e9
commit cf50b6edce
3 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
helm/higress/templates/deployment.yaml
View File

@@ -122,7 +122,7 @@ spec:
- name: ENABLE_INGRESS_GATEWAY_SDS - name: ENABLE_INGRESS_GATEWAY_SDS
value: "false" value: "false"
- name: JWT_POLICY - name: JWT_POLICY
value: first-party-jwt value: {{ .Values.gateway.jwtPolicy }}
- name: ISTIO_META_HTTP10 - name: ISTIO_META_HTTP10
value: "1" value: "1"
- name: ISTIO_META_CLUSTER_ID - name: ISTIO_META_CLUSTER_ID
@@ -166,6 +166,11 @@ spec:
{{- toYaml .Values.gateway.resources | nindent 12 }} {{- toYaml .Values.gateway.resources | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
{{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: config - name: config
mountPath: /etc/istio/config mountPath: /etc/istio/config
- name: istio-ca-root-cert - name: istio-ca-root-cert
@@ -189,6 +194,15 @@ spec:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
volumes: volumes:
{{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
- name: istio-ca-root-cert - name: istio-ca-root-cert
configMap: configMap:
name: istio-ca-root-cert name: istio-ca-root-cert

4
helm/higress/values.yaml
View File

@@ -35,6 +35,10 @@ gateway:
# Pod environment variables # Pod environment variables
env: {} env: {}
# Configure the policy for validating JWT, it is used for istio authentication.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Labels to apply to all resources # Labels to apply to all resources
labels: {} labels: {}

2
helm/istiod/values.yaml
View File

@@ -416,7 +416,7 @@ global:
# Configure the policy for validating JWT. # Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt". # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "first-party-jwt" jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where # Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be # meshes will interact with each other, but it is not required to be