Discovering APIs on Istio

Understand the principles behind the discovery of APIs deployed on Kubernetes with Istio by ACP.

API discovery with Istio Authorizer

Note

To save time and quickly set up a k8s cluster with ACP and Istio, you can use the ACP on k8s repository which provides simple deployment commands you can use out of the box.

The ACP Istio Authorizer supports automatic service discovery based on OpenAPI specifications. A service can use the services.k8s.cloudentity.com/spec-url annotation on a deployed k8s resource to specify a URL where its OpenAPI or Proto specification is available, for example:

kind: Deployment
metadata:
  name: hello
  labels:
    app: hello
  namespace: default
  annotations:
    services.k8s.cloudentity.com/spec-url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"

Istio Authorizer scans k8s deployments and, once it has found the annotation described above, it fetches the specification, parses it to get the list of APIs that the service exposes, and then sends this information to ACP.

By default, Istio Authorizer is configured to perform service discovery only in the default namespace. To make Istio Authorizer perform service discovery in more namespaces, add the additional namespaces to the args of the istio-authorizer deployment in manifest.yaml, for example:

args:
- --namespace
- default,namespace1,namespace2

In the context of the whole manifest file, the args input including the --namespace list should be similar to the following:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-authorizer
  namespace: acp-system
  name: istio-authorizer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: istio-authorizer
  template:
    metadata:
      labels:
        app: istio-authorizer
      name: istio-authorizer
    spec:
      serviceAccountName: istio-authorizer
      containers:
        - image: docker.cloudentity.io/istio-authorizer:1.16.0
          imagePullPolicy: IfNotPresent
          name: istio-authorizer
          args:
          - --client-id
          - "$(CLIENT_ID)"
          - --client-secret
          - "$(CLIENT_SECRET)"
          - --issuer-url
          - "$(ISSUER_URL)"
          - --root-ca
          - /data/ca.pem
          - --namespace
          - default,namespace1,namespace2

If the above manifest is used, Istio Authorizer performs service discovery in all of the following namespaces: default, namespace1, and namespace2.
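The following added example (not part of the original page or of the Istio Authorizer code base) emulates the two steps described above: restricting the scan to the configured namespaces, then reading the spec-url annotation and flattening the fetched OpenAPI document into a list of exposed APIs. The Deployment objects, the petstore-like spec, the spec.example URL and the fetch callback are all constructed stand-ins; the real authorizer downloads the spec over HTTP.

```python
import json

ANNOTATION = "services.k8s.cloudentity.com/spec-url"
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def spec_url(deployment):
    """Return the spec URL annotated on a Deployment, or None when the annotation is absent."""
    return deployment.get("metadata", {}).get("annotations", {}).get(ANNOTATION)


def parse_openapi(spec):
    """Flatten an OpenAPI 3 document into (METHOD, path) pairs.
    Non-operation keys under a path item (e.g. 'parameters') are skipped."""
    apis = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                apis.append((method.upper(), path))
    return apis


def discover(deployments, namespaces, fetch):
    """Emulated discovery loop: only deployments in the configured namespaces that carry
    the annotation are considered; fetch(url) stands in for the authorizer's HTTP download."""
    found = []
    for d in deployments:
        ns = d["metadata"].get("namespace", "default")
        url = spec_url(d)
        if ns not in namespaces or url is None:
            continue
        for method, path in parse_openapi(json.loads(fetch(url))):
            found.append({"service": d["metadata"]["name"], "namespace": ns,
                          "method": method, "path": path})
    return found


# Constructed sample spec (JSON form of a small petstore-style OpenAPI document).
PETSTORE_JSON = json.dumps({"openapi": "3.0.0", "paths": {
    "/pets": {"get": {"summary": "list"}, "post": {"summary": "create"}, "parameters": []},
    "/pets/{petId}": {"get": {"summary": "show"}}}})

# Constructed Deployments as the k8s API would return them; 'plain' has no annotation.
DEPLOYMENTS = [
    {"kind": "Deployment", "metadata": {"name": "hello", "namespace": "default",
     "annotations": {ANNOTATION: "https://spec.example/petstore.json"}}},
    {"kind": "Deployment", "metadata": {"name": "billing", "namespace": "namespace1",
     "annotations": {ANNOTATION: "https://spec.example/petstore.json"}}},
    {"kind": "Deployment", "metadata": {"name": "plain", "namespace": "default"}},
]


def fake_fetch(url):
    """Offline stand-in for the HTTP GET of the annotated spec URL."""
    return {"https://spec.example/petstore.json": PETSTORE_JSON}[url]


if __name__ == "__main__":
    for api in discover(DEPLOYMENTS, {"default"}, fake_fetch):
        print(api)
```

With only the default namespace configured, the billing service in namespace1 is never scanned even though it carries the annotation; adding namespace1 to the set (the --namespace list) makes its APIs appear as well.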

Further reading

The ACP Istio Authorizer uses the Istio external authorization (CUSTOM action) and AuthorizationPolicy features.