Discovering APIs on Istio
Understand the principles behind the discovery of APIs deployed on Kubernetes with Istio by ACP.
API discovery with Istio Authorizer
ACP Istio Authorizer supports automatic service discovery based on the OpenAPI specification.
Services hosting OpenAPI endpoints
For services that host an OpenAPI endpoint, you can provide the endpoint's path as the value of the openAPIEndpoint parameter in Istio Authorizer's configuration. This instructs Istio Authorizer to add the path to the whitelist, so that API discovery is not blocked by the authorization layer.
A service can use the services.k8s.cloudentity.com/spec-url annotation on a deployed k8s resource to specify a URL where its OpenAPI or Proto specification is available, for example:
```yaml
kind: Deployment
metadata:
  name: hello
  labels:
    app: hello
  namespace: default
  annotations:
    services.k8s.cloudentity.com/spec-url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
```
Istio Authorizer scans k8s deployments and, once it finds the annotation described above, fetches the specification, parses it to get the list of APIs that the service exposes, and sends this information to ACP.
By default, Istio Authorizer is configured to perform service discovery only in the default namespace. To make Istio Authorizer perform service discovery in other namespaces, edit the values.yaml file. In the data.config section, add your namespaces:
```yaml
discovery:
  namespaces:
    - default
    - namespace1
    - namespace2
```
With the above settings, Istio Authorizer performs service discovery in all of the following namespaces: default, namespace1, and namespace2.
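The discovery flow described in this section (select Deployments in the scanned namespaces, read the spec-url annotation, fetch and parse the specification, list the exposed APIs) can be sketched as follows. This is an added example, not Istio Authorizer's own code: the function names, the sample manifests, the `specs.example.invalid` URLs and the in-memory `fetch` stand-in are assumptions, and the specification is assumed to be in JSON form.

```python
import json

SPEC_URL_ANNOTATION = "services.k8s.cloudentity.com/spec-url"
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample data: parsed Deployment manifests and one OpenAPI document.
DEPLOYMENTS = [
    {"kind": "Deployment", "metadata": {"name": "hello", "namespace": "default",
        "annotations": {SPEC_URL_ANNOTATION: "https://specs.example.invalid/hello.json"}}},
    {"kind": "Deployment", "metadata": {"name": "billing", "namespace": "namespace1"}},
    {"kind": "Deployment", "metadata": {"name": "orders", "namespace": "namespace3",
        "annotations": {SPEC_URL_ANNOTATION: "https://specs.example.invalid/orders.json"}}},
]
SPECS = {
    "https://specs.example.invalid/hello.json": json.dumps({
        "openapi": "3.0.0",
        "paths": {
            "/pets": {"parameters": [], "get": {}, "post": {}},
            "/pets/{petId}": {"summary": "One pet", "get": {}},
        },
    }),
}

def annotated_deployments(deployments, namespaces):
    """Yield (namespace, name, spec_url) for annotated Deployments in scanned namespaces."""
    for d in deployments:
        meta = d.get("metadata") or {}
        ns = meta.get("namespace", "default")
        url = (meta.get("annotations") or {}).get(SPEC_URL_ANNOTATION)
        if d.get("kind") == "Deployment" and ns in namespaces and url:
            yield ns, meta.get("name"), url

def list_apis(spec):
    """Return sorted (METHOD, path) pairs; non-operation keys of a path item are skipped."""
    return sorted(
        (method.upper(), path)
        for path, item in (spec.get("paths") or {}).items()
        for method in item
        if method.lower() in HTTP_METHODS
    )

def discover(deployments, namespaces, fetch):
    """Map 'namespace/name' to the APIs listed in the specification each one points to."""
    return {
        f"{ns}/{name}": list_apis(json.loads(fetch(url)))
        for ns, name, url in annotated_deployments(deployments, namespaces)
    }

if __name__ == "__main__":
    scanned = ["default", "namespace1", "namespace2"]  # values from the discovery.namespaces example
    print(discover(DEPLOYMENTS, scanned, SPECS.__getitem__))
```

The `orders` Deployment carries the annotation but is skipped because `namespace3` is not in the scanned list, and `billing` is skipped because it has no annotation.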
Istio Authorizer API discovery configuration
To learn how you can configure API discovery for Istio Authorizer, see its configuration reference.