Use Case Istio Allowed Egress Secrets GCP - GoogleCloudPlatform/anthos-appconfig GitHub Wiki

Use Case - Allowed Services (Istio Mixer Rules) + Secrets-GCP + Egress

  • Namespace: uc-secrets-istio
gsutil cat  gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-secrets-istio/deploy-apps.yaml | kubectl apply -f -

*NOTE - Assume you have named the secrets consistently, as in appconfig.yaml

Dev Service -> All
Svc 1 -> Svc 2
Svc 2 -> Svc 1, Svc 3, Svc 4, Pubsub
Svc 3 -> No One
Svc 4 -> Svc 2, Svc 3

External Access from Mesh Restricted

Svc 2 -> Svc 3 -> Pubsub - Outbound Should Work

curl --header 'Host: devtest.anthos-crd-demo.example.com' "http://${INGRESS_ISTIO_HOST}/testcallseq?call1=http://app-secrets-istio-appconfigv2-service-sm-2.uc-secrets-istio/testcallseq&call2=http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq"

Response (success)

host:hello-app-drv-py-1-bd44c96c8-rzxpc
host:appconfigv2-service-sm-2-779c7d9f5b-c4sbj
host:appconfigv2-service-sm-3-cc8b5b8d-rd9nm

Svc 2 -> Svc 3 -> Outbound Should Fail except googleapis.com

curl "http://${INGRESS_ISTIO_HOST}/testcallseq?call1=http://app-secrets-istio-appconfigv2-service-sm-2.uc-secrets-istio/testcallseq&call2=http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq&call3=https://httbin.org/get"

Response (error)

host:hello-app-drv-py-1-bd44c96c8-rzxpc
host:appconfigv2-service-sm-2-779c7d9f5b-c4sbj
host:appconfigv2-service-sm-3-cc8b5b8d-rd9nm
*Error*-Happened - Making the request-url[http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq?call3=https%3A%2F%2Fhttbin.org%2Fget]
Traceback (most recent call last):

...

Svc 2 -> Svc 3 -> Outbound Should Work

curl "http://${INGRESS_ISTIO_HOST}/testcallseq?call1=http://app-secrets-istio-appconfigv2-service-sm-2.uc-secrets-istio/testcallseq&call2=http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq&call3=http://app-secrets-istio-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic2&message=hello1"

Response (success)

host:hello-app-drv-py-1-bd44c96c8-rzxpc
host:appconfigv2-service-sm-2-779c7d9f5b-c4sbj
host:appconfigv2-service-sm-3-cc8b5b8d-rd9nm
Publish Success: 608880961460857

gcloud pubsub subscriptions pull --auto-ack  appconfigcrd-demo-topic2 --project $PROJECT_NAME

Different Topic (fail)

curl "http://${INGRESS_ISTIO_HOST}/testcallseq?call1=http://app-secrets-istio-appconfigv2-service-sm-2.uc-secrets-istio/testcallseq&call2=http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq&call3=http://app-secrets-istio-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic1&message=hello2"

Response (error)

host:hello-app-drv-py-1-bd44c96c8-rzxpc
host:appconfigv2-service-sm-2-779c7d9f5b-c4sbj
host:appconfigv2-service-sm-3-cc8b5b8d-rd9nm
*Error*-Happened - Making the request-url[http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq?call3=http%3A%2F%2Fapp-secrets-istio-appconfigv2-service-pubsub%3Ftopic%3Dappconfigcrd-demo-topic1&message=hello2]
Traceback (most recent call last):
  File "/app/hello_app_sm_py.py", line 141, in testcallseq
    result_text = RestHelper.call_with_sequence(next_call, collection, headers=headers_dict)
  File "/app/http_rest_helper.py", line 54, in call_with_sequence
    raise Exception("Respose Failure for HTTP - {} - {}".format(result.status_code, result.text))
Exception: Respose Failure for HTTP - 500 - Could not publish: rpc error: code = PermissionDenied desc = User not authorized to perform this action.Could not publish: rpc error: code = PermissionDenied desc = User not authorized to perform this action.
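The scenarios above all drive the same chained /testcallseq endpoint and read back the same kind of transcript. The helper below is an added example, not code from the anthos-appconfig project: it builds the chained URL with each hop's own query string percent-encoded (the curl commands above paste the Pub/Sub hop in verbatim, which is why the logged request URL in the "Different Topic" failure shows `&message=hello2` detached from the pubsub hop), and it parses a response into the pods that answered plus a failure class, so that a downstream `PermissionDenied` from Pub/Sub IAM is not mistaken for a mesh egress block. It assumes only the behaviour visible in the transcripts (each hop echoes `host:<pod>` and forwards the remaining `callN` parameters; a failing hop prints an `*Error*-Happened` line and a traceback ending in `Exception:`). `INGRESS_HOST`, the project id and the sample response text are constructed placeholders.

```python
"""Added example, not code from the anthos-appconfig project: helpers for
building the chained /testcallseq URLs used on this page and for reading
the responses back.

Assumptions (taken from the transcripts on the page, not from project source):
each hop prints a 'host:<pod>' line and forwards the remaining callN
parameters to the next hop; a hop whose own request fails prints an
'*Error*-Happened' line followed by a Python traceback whose last line
starts with 'Exception:'. INGRESS_HOST is a placeholder.
"""
from urllib.parse import parse_qs, urlencode, urlparse

INGRESS_HOST = "INGRESS_ISTIO_HOST.example"  # placeholder for ${INGRESS_ISTIO_HOST}


def build_chain_url(ingress_host, hop_urls):
    """Encode each hop as callN=<url>, percent-encoding the hop's own '?' and '&'
    so its query string (topic=..., message=...) stays attached to that hop."""
    params = {f"call{i}": url for i, url in enumerate(hop_urls, start=1)}
    return f"http://{ingress_host}/testcallseq?{urlencode(params)}"


def naive_chain_url(ingress_host, hop_urls):
    """What the page's curl commands do: paste the hop URLs in verbatim."""
    query = "&".join(f"call{i}={url}" for i, url in enumerate(hop_urls, start=1))
    return f"http://{ingress_host}/testcallseq?{query}"


def hops_from_url(url):
    """Return the ordered hop URLs as the entry service's query parser sees them."""
    query = parse_qs(urlparse(url).query)
    hops, i = [], 1
    while f"call{i}" in query:
        hops.append(query[f"call{i}"][0])
        i += 1
    return hops


def parse_chain_response(text):
    """Collect the pods that answered and classify any failure.

    'backend-denied' marks a downstream authorization error (the Pub/Sub
    PermissionDenied on this page); 'call-failed' is a hop whose outbound
    request did not succeed for any other reason, which is how a mesh egress
    block looks from the caller's side."""
    hosts, error, exc = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("host:"):
            hosts.append(s[len("host:"):])
        elif s.startswith("*Error*"):
            error = error or s  # keep the first (outermost) error line
        elif s.startswith("Exception:"):
            exc = s
    if error is None:
        kind = "ok"
    elif exc and "PermissionDenied" in exc:
        kind = "backend-denied"
    else:
        kind = "call-failed"
    return {"hosts": hosts, "kind": kind, "error": error, "exception": exc}


# Hops from the page's Pub/Sub scenario; the project id is a constructed value.
PUBSUB_HOPS = [
    "http://app-secrets-istio-appconfigv2-service-sm-2.uc-secrets-istio/testcallseq",
    "http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq",
    "http://app-secrets-istio-appconfigv2-service-pubsub"
    "?gcpProjectID=my-project&topic=appconfigcrd-demo-topic2&message=hello1",
]

# Constructed response modelled on the page's 'Different Topic (fail)' output.
DENIED_RESPONSE = """\
host:hello-app-drv-py-1-bd44c96c8-rzxpc
host:appconfigv2-service-sm-2-779c7d9f5b-c4sbj
host:appconfigv2-service-sm-3-cc8b5b8d-rd9nm
*Error*-Happened - Making the request-url[http://app-secrets-istio-appconfigv2-service-sm-3/testcallseq?call3=...]
Traceback (most recent call last):
  File "/app/http_rest_helper.py", line 54, in call_with_sequence
Exception: Response Failure for HTTP - 500 - Could not publish: rpc error: code = PermissionDenied desc = User not authorized to perform this action.
"""

if __name__ == "__main__":
    encoded = build_chain_url(INGRESS_HOST, PUBSUB_HOPS)
    verbatim = naive_chain_url(INGRESS_HOST, PUBSUB_HOPS)
    print("encoded  ->", hops_from_url(encoded)[2])
    print("verbatim ->", hops_from_url(verbatim)[2])  # topic and message are lost
    print(parse_chain_response(DENIED_RESPONSE))
```

Running the block prints the third hop as the entry service would see it under both encodings: with `build_chain_url` the Pub/Sub hop keeps its `gcpProjectID`, `topic` and `message` parameters; with the verbatim form the outer query parser claims `topic` and `message` for itself, so the pubsub service never receives them.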