Discovering APIs on Istio

Understand the principles behind the discovery of APIs deployed on Kubernetes with Istio by ACP.

API discovery with Istio Authorizer

ACP Istio Authorizer supports automatic service discovery based on the OpenAPI specification.

Services hosting OpenAPI endpoints

For services that host an OpenAPI endpoint, it is possible to provide this endpoint’s path as the value for the openAPIEndpoint parameter in Istio Authorizer’s configuration. By doing so, you can instruct Istio Authorizer to add this path to the whitelist enabling the API discovery functionality to work without being blocked by the authorization layer.

A service can use the services.k8s.cloudentity.com/spec-url annotation on a deployed k8s resource to specify a URL where its OpenAPI or Proto specification is available, for example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  namespace: default
  labels:
    app: hello
  annotations:
    # Istio Authorizer reads this annotation to locate the service's OpenAPI or Proto specification
    services.k8s.cloudentity.com/spec-url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"

Istio Authorizer scans k8s Deployments and, once it finds the annotation described above, fetches the specification, parses it to obtain the list of APIs the service exposes, and sends that information to ACP.

By default, Istio Authorizer is configured to perform service discovery only in the default namespace. To make Istio Authorizer perform service discovery in other namespaces as well, edit the values.yaml file. In the data.config section, add your namespaces:

    - default
    - namespace1
    - namespace2

With the above settings, Istio Authorizer performs service discovery in all of the following namespaces: default, namespace1, and namespace2.
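The discovery flow described above (filter Deployments by configured namespace, read the spec-url annotation, fetch and parse the OpenAPI document, collect the exposed operations) as an added, self-contained illustration in Python. This is not Istio Authorizer's own code; the Deployments, spec URLs and OpenAPI documents are constructed samples, and an in-memory lookup stands in for the HTTP fetch so the example runs offline.

```python
import json

SPEC_URL_ANNOTATION = "services.k8s.cloudentity.com/spec-url"
# OpenAPI path-item keys that denote operations; other keys (e.g. "parameters") are not APIs.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample Deployments, reduced to the metadata the discovery logic reads.
SAMPLE_DEPLOYMENTS = [
    {"metadata": {"name": "hello", "namespace": "default",
                  "annotations": {SPEC_URL_ANNOTATION: "https://spec.example/hello.json"}}},
    {"metadata": {"name": "other", "namespace": "namespace1",
                  "annotations": {SPEC_URL_ANNOTATION: "https://spec.example/other.json"}}},
    {"metadata": {"name": "noannot", "namespace": "default", "annotations": {}}},
    {"metadata": {"name": "ignored", "namespace": "kube-system",
                  "annotations": {SPEC_URL_ANNOTATION: "https://spec.example/ignored.json"}}},
]

# Constructed OpenAPI 3 documents keyed by URL; stands in for fetching the spec over HTTP.
SAMPLE_SPECS = {
    "https://spec.example/hello.json": json.dumps({"openapi": "3.0.0", "paths": {
        "/pets": {"get": {}, "post": {}, "parameters": []},
        "/pets/{petId}": {"get": {}},
    }}),
    "https://spec.example/other.json": json.dumps({"openapi": "3.0.0", "paths": {
        "/orders": {"get": {}, "delete": {}},
    }}),
}


def apis_from_openapi(spec_text):
    """Return the sorted (METHOD, path) operations declared in an OpenAPI 3 JSON document."""
    spec = json.loads(spec_text)
    apis = []
    for path, item in spec.get("paths", {}).items():
        for key in item:
            if key.lower() in HTTP_METHODS:
                apis.append((key.upper(), path))
    return sorted(apis)


def discover(deployments, namespaces, fetch):
    """Map (namespace, deployment) -> APIs for annotated Deployments in the configured namespaces."""
    found = {}
    for dep in deployments:
        meta = dep["metadata"]
        if meta["namespace"] not in namespaces:
            continue  # Deployments outside the configured namespaces are never scanned
        url = meta.get("annotations", {}).get(SPEC_URL_ANNOTATION)
        if not url:
            continue  # no spec-url annotation: nothing to discover for this service
        found[(meta["namespace"], meta["name"])] = apis_from_openapi(fetch(url))
    return found
```

Calling `discover(SAMPLE_DEPLOYMENTS, {"default", "namespace1"}, SAMPLE_SPECS.__getitem__)` yields the hello and other services only; the kube-system Deployment is skipped before its URL is ever fetched.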

Istio Authorizer API discovery configuration

To learn how you can configure API discovery for Istio Authorizer, see its configuration reference.

Further reading

The ACP Istio Authorizer uses Istio external authorization with the custom action and the Authorization Policy features.