Use Case Istio Allowed JWT - GoogleCloudPlatform/anthos-appconfig GitHub Wiki

Use Case - Istio - Allowed - JWT - Required

  • Namespace: uc-allowed-jwt-istio

The application is provided as a Docker image so it can run without local dependencies; it obtains a Google ID Token and adds it to the request header.

gsutil cat  gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-allowed-jwt-istio/deploy-apps.yaml | kubectl apply -f -
WARNING: You will need a GCP key.json, and must change the command line as required in the <> placeholders, KEY_PATH=

Allowed Services View

  • Dev Service -> All
  • Svc 1 -> Svc 2
  • Svc 2 -> Svc 1, Svc 3, Svc 4, Pubsub
  • Svc 3 -> No One
  • Svc 4 -> Svc 2, Svc 3
  • No Istio External Access

Svc 2 -> Svc 3 -> Outbound Should Work (oops no JWT)

curl "http://${INGRESS_ISTIO_HOST}/testcallseq?call1=http://app-allowed-jwt-istio-appconfigv2-service-sm-2.uc-allowed-jwt-istio/testcallseq&call2=http://app-allowed-jwt-istio-appconfigv2-service-sm-3/testcallseq"

Response (Oops 401)


host:hello-app-drv-py-1-bd44c96c8-rzxpc
*Error*-Happened - Making the request-url[http://devtest.anthos-crd-demo.example.com/testcallseq?call1=http:%2F%2Fapp-allowed-jwt-istio-appconfigv2-service-sm-2.uc-allowed-jwt-istio%2Ftestcallseq&call2=http:%2F%2Fapp-allowed-jwt-istio-appconfigv2-service-sm-3%2Ftestcallseq]
Traceback (most recent call last):
  File "/app/hello_app_sm_py.py", line 141, in testcallseq
    result_text = RestHelper.call_with_sequence(next_call, collection, headers=headers_dict)
  File "/app/http_rest_helper.py", line 54, in call_with_sequence
    raise Exception("Respose Failure for HTTP - {} - {}".format(result.status_code, result.text))
Exception: Respose Failure for HTTP - 401 - Origin authentication failed.

Svc 2 -> Svc 3 -> Outbound Should Work (with JWT)

Assume the current directory contains key.json.

KEY_PATH=`pwd`
docker run -it --rm -v ${KEY_PATH}:/my/credentials -e INGRESS_ISTIO_HOST=$INGRESS_ISTIO_HOST -e GOOGLE_APPLICATION_CREDENTIALS=/my/credentials/key.json gcr.io/anthos-appconfig/hello-app-sm-py:v3.0.20 python hello_app_ext_client_py.py --host='devtest.anthos-crd-demo.example.com' --service_name='app-allowed-jwt-istio-appconfigv2-service-sm-' --namespace_name='uc-allowed-jwt-istio' --nested_calls='2,3'

Response (OK)


full_url http://35.232.240.11/testcallseq?call1=http://app-allowed-jwt-istio-appconfigv2-service-sm-2.uc-allowed-jwt-istio/testcallseq&call2=http://app-allowed-jwt-istio-appconfigv2-service-sm-3.uc-allowed-jwt-istio/testcallseq&call3=https://httpbin.org/get
get_text
host:hello-app-drv-py-1-bd44c96c8-rzxpc
host:appconfigv2-service-sm-2-5b6d96f659-k6lwv
host:appconfigv2-service-sm-3-679bd586dc-tp7lk
Last Call Successful

Svc 2 -> Svc 3 -> Outbound Fails when the JWT is not included (--skip_jwt parameter)

docker run -it --rm -v ${KEY_PATH}:/my/credentials -e INGRESS_ISTIO_HOST=$INGRESS_ISTIO_HOST -e GOOGLE_APPLICATION_CREDENTIALS=/my/credentials/key.json gcr.io/anthos-appconfig/hello-app-sm-py:v3.0.20 python hello_app_ext_client_py.py --host='devtest.anthos-crd-demo.example.com' --service_name='app-allowed-jwt-istio-appconfigv2-service-sm-' --namespace_name='uc-allowed-jwt-istio' --nested_calls='2,3' --skip_jwt=X

Response (Error)

Empty JWT
full_url http://35.197.81.170/testcallseq?call1=http://app-allowed-jwt-istio-appconfigv2-service-sm-2.uc-allowed-jwt-istio/testcallseq&call2=http://app-allowed-jwt-istio-appconfigv2-service-sm-3.uc-allowed-jwt-istio/testcallseq& host devtest.anthos-crd-demo.example.com
get_text
host:hello-app-drv-py-1-5456794d44-t7qh9
*Error*-Happened - Making the request-url[http://devtest.anthos-crd-demo.example.com/testcallseq?call1=http:%2F%2Fapp-allowed-jwt-istio-appconfigv2-service-sm-2.uc-allowed-jwt-istio%2Ftestcallseq&call2=http:%2F%2Fapp-allowed-jwt-istio-appconfigv2-service-sm-3.uc-allowed-jwt-istio%2Ftestcallseq&]
Traceback (most recent call last):
  File "/app/hello_app_sm_py.py", line 141, in testcallseq
    result_text = RestHelper.call_with_sequence(next_call, collection, headers=headers_dict)
  File "/app/http_rest_helper.py", line 54, in call_with_sequence
    raise Exception("Respose Failure for HTTP - {} - {}".format(result.status_code, result.text))
Exception: Respose Failure for HTTP - 401 - Origin authentication failed.
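The three runs above show the same policy from the caller's side: a request without a bearer JWT is rejected at the sidecar with 401 "Origin authentication failed.", and a request carrying a valid Google ID Token passes. The following is an added example, not code from the anthos-appconfig repository, that models both halves of that exchange: the client attaching the token as an Authorization header, and the origin-authentication check that decides 200 versus 401. It is a simplification: it signs and verifies with HS256 and a constructed shared secret, whereas Istio verifies Google ID Tokens with RS256 against the issuer's JWKS; the issuer `https://accounts.google.com` is the real issuer of Google ID tokens, while the audience value, secret and subject are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed policy values for this example. A real Istio policy names the
# issuer and its JWKS URI; the shared secret stands in for the RS256 key pair.
EXPECTED_ISSUER = "https://accounts.google.com"   # issuer of Google ID tokens
EXPECTED_AUDIENCE = "app-allowed-jwt-istio"        # constructed audience value
SHARED_SECRET = b"example-hs256-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(issuer, audience, lifetime_seconds=300, now=None):
    """Mint an HS256 JWT; a constructed stand-in for the Google ID Token the demo client fetches."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now,
               "exp": now + lifetime_seconds, "sub": "client@example.com"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    signature = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def build_client_headers(token):
    """What the demo client adds before calling the ingress: the ID token as a bearer credential."""
    return {"Authorization": "Bearer " + token}


def authenticate_origin(headers, now=None):
    """Model of the sidecar's origin authentication.

    Returns (status, body, detail). The body is the same generic message the
    page shows for every rejection; the detail is what a defender would log.
    """
    now = int(time.time()) if now is None else now
    rejected = "Origin authentication failed."
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    if not auth.startswith("Bearer ") or not auth[len("Bearer "):].strip():
        return 401, rejected, "missing or empty JWT"      # the --skip_jwt case
    parts = auth[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return 401, rejected, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:                                     # covers base64 and JSON errors
        return 401, rejected, "undecodable token"
    if header.get("alg") != "HS256":                       # never accept "none" or a swapped alg
        return 401, rejected, "unsupported alg"
    expected = hmac.new(SHARED_SECRET, (parts[0] + "." + parts[1]).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):      # constant-time compare
        return 401, rejected, "signature mismatch"
    if payload.get("iss") != EXPECTED_ISSUER:
        return 401, rejected, "issuer mismatch"
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return 401, rejected, "audience mismatch"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return 401, rejected, "token expired"
    return 200, "Last Call Successful", "ok"


if __name__ == "__main__":
    token = mint_token(EXPECTED_ISSUER, EXPECTED_AUDIENCE)
    print(authenticate_origin(build_client_headers(token)))   # with JWT
    print(authenticate_origin({}))                             # skip_jwt
```

The checks run in the order a verifier should apply them: reject before decoding anything expensive, pin the algorithm before trusting the signature, and only then evaluate claims, so an attacker-controlled header cannot steer which key or algorithm is used.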