Discovering APIs on Istio
Understand the principles behind the discovery of APIs deployed on Kubernetes with Istio by ACP.
API discovery with Istio Authorizer
Note
To save time and quickly set up a k8s cluster with ACP and Istio, you can use the ACP on k8s repository which provides simple deployment commands you can use out of the box.
The ACP Istio Authorizer supports the automatic service discovery based on the
OpenAPI specification.
A service can use the services.k8s.cloudentity.com/spec-url
annotation on a deployed k8s resource
to specify a URL where its OpenAPI or Proto specification is available, for example:
kind: Deployment
metadata:
name: hello
labels:
app: hello
namespace: default
annotations:
services.k8s.cloudentity.com/spec-url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
Istio Authorizer scans k8s deployments and, once it has found the annotation described above, it fetches the specification, parses it to get a list of APIs that a service is exposing, and then it’s sending this information to ACP.
By default, Istio Authorizer is configured to perform the service
discovery only in the default namespace. To make Istio Authorizer perform the service
discovery in more namespaces, configure them by adding the additional namespaces to the args
of
the istio-authorizer
deployment in
manifest.yaml
, as in
args:
- --namespace
- default,namespace1,namespace2
In the context of the whole manifest file, the args
input includint the --namespace
list should be
similar to the following:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: istio-authorizer
namespace: acp-system
name: istio-authorizer
spec:
replicas: 1
selector:
matchLabels:
app: istio-authorizer
template:
metadata:
labels:
app: istio-authorizer
name: istio-authorizer
spec:
serviceAccountName: istio-authorizer
containers:
- image: docker.cloudentity.io/istio-authorizer:1.16.0
imagePullPolicy: IfNotPresent
name: istio-authorizer
args:
- --client-id
- "$(CLIENT_ID)"
- --client-secret
- "$(CLIENT_SECRET)"
- --issuer-url
- "$(ISSUER_URL)"
- --root-ca
- /data/ca.pem
- --namespace
- default,namespace1,namespace2
If the above manifest is used, Istio perform service discovery in all of the following namespaces:
default
, namespace1
, and namespace2
.
Further reading
The ACP Istio Authorizer is using Istio external authorization with custom action and Authorization Policy features.