JWT claim-based routing in OpenShift Service Mesh not working
I'm trying to perform some basic JWT claim-based routing leveraging OpenShift Service Mesh. OpenShift version is 4.6.23. RedHat OpenShift Service Mesh version is 2.1.1-0.
Below is the ServiceMeshControlPlane resource I use to set up ServiceMesh on the OCP cluster:
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  version: v2.0
  tracing:
    type: Jaeger
    sampling: 10000
  addons:
    jaeger:
      name: jaeger
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
      name: kiali
    grafana:
      enabled: true
Basically, I tried to follow this Istio documentation page to test the JWT claim routing.
Here is the structure of the JWT token I'm using:
{
  "iss": "https://eu-de.appid.cloud.ibm.com/oauth/v4/6f631e4d-7ecc-4a1c-8cf8-ea2d0a5c32e6",
  "exp": 1646244105,
  "aud": [
    "f7f1e8bf-72d0-4e7d-90ff-cb76a8079c46"
  ],
  "sub": "99bb916e-8f99-4e0a-8b1f-72c2171448d1",
  "email_verified": true,
  "amr": [
    "cloud_directory"
  ],
  "iat": 1646240505,
  "tenant": "6f631e4d-7ecc-4a1c-8cf8-ea2d0a5c32e6",
  "scope": "openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated",
  "roles": [
    "teamA"
  ]
}
The RequestAuthentication definition:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: sample-mesh
spec:
  jwtRules:
  - issuer: "https://eu-de.appid.cloud.ibm.com/oauth/v4/6f631e4d-7ecc-4a1c-8cf8-ea2d0a5c32e6"
    jwksUri: "https://eu-de.appid.cloud.ibm.com/oauth/v4/6f631e4d-7ecc-4a1c-8cf8-ea2d0a5c32e6/publickeys"
And the definition of the VirtualService that is supposed to handle the routing:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: catalog
spec:
  hosts:
  - '*'
  gateways:
  - sample-mesh-gateway
  http:
  - match:
    - headers:
        "@request.auth.claims.roles":
          exact: teamA
    route:
    - destination:
        host: catalog
        subset: version-v1
  - route:
    - destination:
        host: catalog
        subset: version-v2
I would then expect the traffic to be routed to the catalog v1 when the roles claim contains the value teamA. But in practice, I observe that the traffic is always routed to catalog v2 even if the token has the required value in the claim.
Is there anything I missed in the configuration?
Thanks :-)
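As an added example (not part of the question, and not Istio's or OpenShift Service Mesh's own code), the following stdlib-only Python script decodes a token's claims and applies the same `@request.auth.claims.<name>` header-match semantics that the VirtualService above relies on: exact / prefix / regex matchers, a list-valued claim such as `roles` matching when any element matches, and nested claims looked up by a dot-separated path. It then walks the `http` rules in order and reports which subset would be selected, so a practitioner can confirm that the token and the match block actually agree before looking elsewhere. It deliberately does not verify the signature: in the mesh that is the job of the RequestAuthentication's `jwksUri`, and claim routing can only fire once that validation has exposed the claims on the workload where the VirtualService is evaluated (the Istio task the question follows attaches its RequestAuthentication to the ingress gateway workload with a selector, which is where a gateway-bound VirtualService like this one is evaluated). `SAMPLE_CLAIMS` is a constructed copy of the question's payload wrapped in an unsigned `alg: none` token for offline use, and `VS_HTTP_RULES` is a hand-transcribed copy of the VirtualService's `spec.http` section; function names are this example's own.

```python
import base64
import json
import re

CLAIM_PREFIX = "@request.auth.claims."

# Constructed sample payload, copied from the question's token (exp/iat and
# unrelated claims omitted).  It is wrapped in an unsigned (alg=none) JWT
# purely so the decoder below has something realistic to parse offline.
SAMPLE_CLAIMS = {
    "iss": "https://eu-de.appid.cloud.ibm.com/oauth/v4/6f631e4d-7ecc-4a1c-8cf8-ea2d0a5c32e6",
    "sub": "99bb916e-8f99-4e0a-8b1f-72c2171448d1",
    "roles": ["teamA"],
}

# Hand-transcribed copy of the VirtualService's spec.http section.
VS_HTTP_RULES = [
    {"match": [{"headers": {"@request.auth.claims.roles": {"exact": "teamA"}}}],
     "route": [{"destination": {"host": "catalog", "subset": "version-v1"}}]},
    {"route": [{"destination": {"host": "catalog", "subset": "version-v2"}}]},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a three-segment compact JWT with an empty signature (test input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload segment as a dict.  No signature check here: the mesh
    performs that against jwksUri before any claim is exposed to routing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def lookup_claim(claims: dict, path: str):
    """Resolve a dot-separated claim path (nested claims); None if absent."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def value_matches(value, matcher: dict) -> bool:
    """Apply an Istio StringMatch (exact / prefix / regex) to a claim value.
    A list claim matches when any element matches; non-string scalars never do."""
    if isinstance(value, list):
        return any(value_matches(v, matcher) for v in value)
    if not isinstance(value, str):
        return False
    if "exact" in matcher:
        return value == matcher["exact"]
    if "prefix" in matcher:
        return value.startswith(matcher["prefix"])
    if "regex" in matcher:
        return re.fullmatch(matcher["regex"], value) is not None
    raise ValueError(f"unsupported matcher: {matcher}")


def header_matches(claims: dict, headers: dict, name: str, matcher: dict) -> bool:
    """A header named @request.auth.claims.<path> is resolved from the verified
    JWT payload; any other name is an ordinary (lower-cased) request header."""
    if name.startswith(CLAIM_PREFIX):
        return value_matches(lookup_claim(claims, name[len(CLAIM_PREFIX):]), matcher)
    return value_matches(headers.get(name.lower()), matcher)


def select_subset(claims: dict, rules: list, headers=None):
    """Walk the http rules in order: a rule with no match is the default; a rule
    with several match entries fires if any entry has all of its conditions true."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    for rule in rules:
        entries = rule.get("match")
        if entries is None or any(
            all(header_matches(claims, headers, n, m) for n, m in e.get("headers", {}).items())
            for e in entries
        ):
            return rule["route"][0]["destination"]["subset"]
    return None


def route_token(token: str, rules: list = VS_HTTP_RULES):
    """Decode the token and return the subset the VirtualService rules would pick."""
    return select_subset(decode_claims(token), rules)


if __name__ == "__main__":
    print("roles=[teamA] ->", route_token(make_unsigned_jwt(SAMPLE_CLAIMS)))
    print("roles=[teamB] ->", route_token(make_unsigned_jwt({**SAMPLE_CLAIMS, "roles": ["teamB"]})))
```

If this script reports `version-v1` for the token the mesh is seeing while the live traffic still lands on `version-v2`, the claim/matcher pair is not the problem; the claims are simply not being populated at the hop where the VirtualService runs, which points at where the RequestAuthentication is attached rather than at the match block.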