feat(kubernetes): add Istio ambient mode ext-authz service #27
Open
jzills wants to merge 4 commits into
Adds services/HmacManager.Kubernetes — a containerized ASP.NET Core minimal API that implements the Envoy HTTP ext-authz protocol. The Istio waypoint proxy calls POST /check before forwarding any inbound request; verification is delegated to IHmacManager.VerifyAsync via the existing IHmacAuthenticationContextProvider.

Includes Kubernetes deployment manifests and Istio configuration:
- deploy/mesh-config-patch.yaml registers the service as an extensionProvider with withRequestBody enabled (body hash is required for full HMAC integrity)
- deploy/authorization-policy.yaml targets the namespace waypoint with action: CUSTOM, covering all inbound requests
Use SDK 10.0 in the build stage so the multi-TFM project (net8.0;net10.0)
restores and builds correctly; publish explicitly for net8.0 so the
aspnet:8.0 runtime image is still used.
Replace the fixed MapPost("/check") route with a MapMethods catch-all
for all HTTP verbs on /{**path}. Envoy HTTP ext-authz forwards the
original request's method and path to the ext-authz service verbatim,
so the service must match any method/path rather than only POST /check.
The /sign Development route remains a specific route and takes precedence
over the catch-all.
Summary
- services/HmacManager.Kubernetes/ — a containerized ASP.NET Core minimal API that acts as a centralized HMAC verification service for Kubernetes clusters running Istio in ambient mode
- The Istio waypoint proxy calls POST /check before forwarding any inbound request; the service delegates to IHmacManager.VerifyAsync via the existing IHmacAuthenticationContextProvider

Changes
- services/HmacManager.Kubernetes/Program.cs — minimal API host with AddHmacManager DI registration and single /check endpoint
- services/HmacManager.Kubernetes/ExtAuthzHandler.cs — reconstructs the original HttpRequestMessage from Envoy-forwarded headers (using x-forwarded-proto for scheme), then calls VerifyAsync; returns 200 on success or 403 on failure/unknown policy
- services/HmacManager.Kubernetes/appsettings.json — sample policy config using the existing IConfigurationSection-based binding format
- services/HmacManager.Kubernetes/Dockerfile — multi-stage build targeting net8.0
- services/HmacManager.Kubernetes/deploy/mesh-config-patch.yaml — registers the service as an Envoy extensionProvider with withRequestBody enabled (required for full body-hash verification)
- services/HmacManager.Kubernetes/deploy/authorization-policy.yaml — AuthorizationPolicy targeting the namespace waypoint with action: CUSTOM
- services/HmacManager.Kubernetes/deploy/deployment.yaml + service.yaml — standard K8s manifests; service runs in hmac-system namespace to avoid a circular ext-authz loop

Test plan
- dotnet build services/HmacManager.Kubernetes/HmacManager.Kubernetes.csproj passes on both net8.0 and net10.0
- dotnet run and send a request signed by HmacDelegatingHandler to POST /check; confirm 200 for valid HMAC, 403 for missing/invalid auth header
- kind/k3d cluster with Istio ambient mode, enroll a workload under the waypoint, and verify that signed requests are forwarded while unsigned ones are rejected at the waypoint
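The following is an added example written for this page to illustrate the ext-authz contract the PR body describes (the ExtAuthzHandler that rebuilds the original HttpRequestMessage from Envoy-forwarded headers and answers 200/403) together with the MapMethods catch-all from the commit message above. It is not code from the PR or from the HmacManager repository. IRequestVerifier and DemoHmacVerifier are hypothetical stand-ins for the project's IHmacManager.VerifyAsync; the canonical string they sign, the "HMAC" authorization scheme and the Demo:Key configuration value are constructed for this example and are not the library's signature format.

```csharp
// Added example (not the PR's or HmacManager's code): an Envoy HTTP ext-authz
// endpoint for an Istio waypoint. The proxy forwards the original method, path,
// headers and (when request-body forwarding is enabled) the body; a 200 allows
// the upstream request, any other status denies it.
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical stand-in for the project's AddHmacManager registration.
// "Demo:Key" is a constructed setting; the default decodes to the bytes of "secret".
builder.Services.AddSingleton<IRequestVerifier>(new DemoHmacVerifier(
    Convert.FromBase64String(builder.Configuration["Demo:Key"] ?? "c2VjcmV0")));

var app = builder.Build();

// Catch-all for every verb: Envoy forwards the original method and path
// verbatim, so a fixed POST /check route would never match a signed GET /orders.
app.MapMethods("/{**path}",
    new[] { "GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS" },
    async (HttpContext ctx, IRequestVerifier verifier, CancellationToken ct) =>
    {
        var original = await ReconstructOriginalRequestAsync(ctx.Request, ct);
        var ok = await verifier.VerifyAsync(original, ct);
        // Fail closed: anything that is not a verified signature is a 403.
        return ok ? Results.Ok() : Results.StatusCode(StatusCodes.Status403Forbidden);
    });

app.Run();

// Rebuild the upstream request as the client signed it. The scheme comes from
// x-forwarded-proto because the hop from the waypoint to this service may be
// plain HTTP even when the client spoke HTTPS.
static async Task<HttpRequestMessage> ReconstructOriginalRequestAsync(HttpRequest r, CancellationToken ct)
{
    var scheme = r.Headers["x-forwarded-proto"].FirstOrDefault() ?? r.Scheme;
    var uri = new Uri($"{scheme}://{r.Host.Value}{r.Path}{r.QueryString}");
    var msg = new HttpRequestMessage(new HttpMethod(r.Method), uri);

    // The forwarded body is what the client hashed; copy it byte-for-byte.
    using var buffer = new MemoryStream();
    await r.Body.CopyToAsync(buffer, ct);
    if (buffer.Length > 0)
    {
        msg.Content = new ByteArrayContent(buffer.ToArray());
        if (r.ContentType is not null)
            msg.Content.Headers.ContentType = MediaTypeHeaderValue.Parse(r.ContentType);
    }

    // Copy the remaining headers so the signed ones (Authorization, nonce,
    // timestamp, ...) are visible to the verifier. Content-* headers live on
    // msg.Content and are skipped here; Envoy's own x-envoy-* headers are not
    // part of what the client signed.
    foreach (var (name, values) in r.Headers)
    {
        if (name.StartsWith("content-", StringComparison.OrdinalIgnoreCase) ||
            name.StartsWith("x-envoy", StringComparison.OrdinalIgnoreCase))
            continue;
        msg.Headers.TryAddWithoutValidation(name, values.ToArray());
    }
    return msg;
}

// Hypothetical stand-in for IHmacManager.VerifyAsync.
public interface IRequestVerifier
{
    Task<bool> VerifyAsync(HttpRequestMessage request, CancellationToken ct);
}

// Constructed verification scheme for the example only:
//   canonical = METHOD "\n" PATH "\n" base64(SHA256(body))
//   Authorization: HMAC base64(HMAC-SHA256(key, canonical))
// Including the body hash is what makes body forwarding necessary at the proxy.
public sealed class DemoHmacVerifier(byte[] key) : IRequestVerifier
{
    public async Task<bool> VerifyAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        if (auth is null || auth.Scheme != "HMAC" || string.IsNullOrEmpty(auth.Parameter))
            return false;

        byte[] body = request.Content is null
            ? Array.Empty<byte>()
            : await request.Content.ReadAsByteArrayAsync(ct);

        var canonical = $"{request.Method.Method}\n{request.RequestUri!.AbsolutePath}\n" +
                        Convert.ToBase64String(SHA256.HashData(body));
        var expected = HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(canonical));

        byte[] provided;
        try { provided = Convert.FromBase64String(auth.Parameter); }
        catch (FormatException) { return false; }

        // Constant-time comparison: a byte-wise early-exit compare leaks how many
        // leading bytes of a guessed MAC were correct.
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }
}
```

Two deployment caveats follow from this contract. First, Envoy only forwards the headers the ext-authz provider is configured to include (in Istio's envoyExtAuthzHttp provider, the includeRequestHeadersInCheck list), so every header the client's signature covers must be listed there or the verifier will never see it and will correctly reject the request. Second, body forwarding is capped by the provider's body-size limit; a request larger than that limit reaches the service with a truncated or absent body, and the safe behaviour is the one above: the hash mismatches and the request is denied rather than passed through unverified.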