Istio Authorizer configuration reference

Learn how to configure your Istio Authorizer's settings to adjust the authorizer's behavior to your needs.

About Istio Authorizer configuration

To change the Istio Authorizer configuration, edit the manifest.yaml file. For example, you can use the --client-id, --client-secret, and --issuer-url flags to specify the required configuration, as shown in the following example:

          args:
          - --client-id
          - "$(CLIENT_ID)"
          - --client-secret
          - "$(CLIENT_SECRET)"
          - --issuer-url
          - "$(ISSUER_URL)"

In this example, the values for your flags are provided in the kustomization.yaml file for the Istio Authorizer deployment.

Required configuration

| Flag | Type | Default | Description |
|---|---|---|---|
| issuer-url | flag.String | - | Your authorizer issuer URL. |
| client-id | flag.String | - | Client identifier of your authorizer’s client application that is used for the purpose of authenticating your requests. |
| client-secret | flag.String | - | Client secret of your authorizer’s client application that is used for the purpose of authenticating your requests. |

Optional configuration

| Flag | Type | Default | Description |
|---|---|---|---|
| grpcPort | flag.Int | 9001 | Specifies the port for your gRPC services. |
| httpPort | flag.Int | 9002 | Specifies the port for your HTTP services. |
| tenant-id | flag.String | - | If it is not possible to retrieve your tenant identifier from the issuer URL, you can use this flag to specify it. |
| server-id | flag.String | - | If it is not possible to retrieve your server identifier from the issuer URL, you can use this flag to specify it. |
| namespace | flag.String | default | Comma-separated namespaces where your services are deployed. |
| output-header-prefix | flag.String | x-output- | Specifies the prefix for your output header. |
| auth-header | flag.String | x-auth-ctx | Provides the name for your authentication context header. |
| domain | flag.String | cluster.local | Specifies the cluster domain name. |
| root-ca | flag.String | - | Path in your Kubernetes cluster to the root certificate for your authorizer’s client application. |
| disable-service-discovery | flag.Bool | false | Disables service discovery for your authorizer. If set to true, ACP cannot fetch services automatically. |
| insecure-skip-verify | flag.Bool | false | Disables certificate verification. |
| interval | flag.Duration | 5*time.Second | Represents the frequency of synchronizing the configuration for your Istio Authorizer. |
| kubeconfig | flag.String | - | Absolute path to the kubeconfig file. |
| log-level | flag.String | info | Possible values, from the strictest level to the one that gives the most detailed information: error, warn, info, debug, trace. |
| http-client-timeout | flag.Duration | 3*time.Second | HTTP client timeout in seconds to fetch API specification. |
| do-not-fail-on-matching-requests | flag.Bool | false | If set to false, the authorizer blocks every API request that does not match the provided criteria. Set to true if you need to use grpcurl for testing purposes. Learn more in the Deploying and protecting gRPC services documentation. |
| allow-grpc-reflection-calls | flag.Bool | false | Specifies if gRPC reflection calls are allowed or not. |
| openapi-endpoint | flag.String | - | Provides the path to the OpenAPI endpoint for services that use them. It makes it possible for the authorizer to discover APIs self-hosted on the OpenAPI endpoint. |
| cache-ttle | flag.Duration | 10*time.Second | Server authorization engine instance time-to-live in the multi-tenant mode. |
| cache-max-size | flag.Int | 100 | Maximum number of server authorization engine instances in the multi-tenant mode. |
| discovery-client-timeout | flag.Duration | 3*time.Second | Defines the timeout for API discovery requests made by the client application. |
| discovery-disable-proxy | flag.Bool | false | Disables proxy for API discovery if set to true. |
| disable-analitycs | flag.Bool | false | If true, turns off the analytics for the Istio Authorizer in ACP’s Admin Panel Analytics. |
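
The following added example (not part of the original reference or the product's own code) audits a container args list for the settings from the tables above that relax the authorizer's checks, and for a client secret written as a literal instead of a `$(VAR)` reference. It assumes the flags follow Go flag-package syntax, as the `flag.*` types suggest; `parse_args`, `audit` and `SAMPLE_ARGS` are hypothetical names and the sample values are constructed.

```python
import re

# Boolean flags from the Optional configuration table that relax a check
# when set to true (all of them default to false).
RISKY_BOOL_FLAGS = {
    "insecure-skip-verify": "certificate verification is disabled",
    "do-not-fail-on-matching-requests": "non-matching API requests are not blocked",
    "allow-grpc-reflection-calls": "gRPC reflection calls are allowed",
}
# Every flag.Bool entry in the table, spelled as the page spells it.
BOOL_FLAGS = set(RISKY_BOOL_FLAGS) | {
    "disable-service-discovery", "discovery-disable-proxy", "disable-analitycs"}
ENV_REF = re.compile(r"^\$\([A-Za-z_][A-Za-z0-9_]*\)$")  # Kubernetes $(VAR) reference
TRUE_VALUES = {"1", "t", "T", "true", "TRUE", "True"}  # accepted by Go's strconv.ParseBool

def parse_args(args):
    """Turn a container args list into {flag: value} (assumed Go flag syntax)."""
    parsed, i = {}, 0
    while i < len(args):
        token = args[i]
        i += 1
        if not token.startswith("-"):
            continue
        name, sep, value = token.lstrip("-").partition("=")
        if not sep:
            if name in BOOL_FLAGS:
                value = "true"        # a bare boolean flag means true
            elif i < len(args):
                value = args[i]       # non-boolean flag: value is the next item
                i += 1
        parsed[name] = value
    return parsed

def audit(args):
    """Return findings for settings that weaken the authorizer."""
    flags, findings = parse_args(args), []
    for name, why in RISKY_BOOL_FLAGS.items():
        if flags.get(name, "false") in TRUE_VALUES:
            findings.append(f"--{name}: {why}")
    secret = flags.get("client-secret")
    if secret is not None and not ENV_REF.match(secret):
        findings.append("--client-secret: literal value, use a $(VAR) reference")
    return findings

# Constructed sample: the page's args plus a literal secret and relaxed flags.
SAMPLE_ARGS = [
    "--client-id", "$(CLIENT_ID)", "--client-secret", "constructed-literal",
    "--issuer-url", "$(ISSUER_URL)", "--insecure-skip-verify",
    "--do-not-fail-on-matching-requests=true", "--allow-grpc-reflection-calls=false",
]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ARGS)))
```

Run it over the args of the deployed manifest before promoting a test configuration, since settings such as do-not-fail-on-matching-requests are described above as testing aids.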