
Istio Authorizer configuration reference

Learn how to configure your Istio Authorizer's settings to adjust the authorizer's behavior to your needs.

About Istio Authorizer configuration

Istio Authorizer configuration changes are made by adjusting the Istio Authorizer's values.yaml file and upgrading your Helm Chart release. To see which settings are available for your authorizer, see the Configuration reference section.

Commonly used properties, such as issuerURL, the client credentials, and a few others, are exposed directly as top-level properties.

The following snippet shows a simple configuration with some of the popular options tuned.

  enabled: true
  enabled: true
  - default
      reload_interval: 1m0s # reload interval
      allow_unknown: false

Values case

Note that top-level settings use camelCase, while settings inside the extraConfig value use underscores (snake_case).

If you want to change more advanced settings of the authorizer, you can use the extraConfig value. Properties in the extraConfig value correspond to the raw configuration passed to the istio-authorizer binary.

Configuration order

Properties defined through top-level properties take precedence over configuration provided in the extraConfig value.

You can apply your changes to the configuration with helm upgrade release-name chart-name -f ValuesYamlFile, for example:

helm upgrade istio-authorizer acp/istio-authorizer \
   --values ./values/istio-authorizer.yaml \
   --namespace acp-istio-authorizer \
   --timeout 5m

Helm upgrade help

If you need help with upgrading Helm Charts, use the helm upgrade --help command in your terminal.

Use policy and request metrics

To enable the metrics endpoint for Istio Authorizer, adapt the metrics parameter in values.yaml as follows:

  enabled: true # enable metrics endpoint
  port: 9000 # metrics endpoint port

As a result, once the Istio Authorizer is deployed, its /metrics endpoint can be queried to return the acp_authorizer_policy_duration_seconds and acp_authorizer_request_duration_seconds histograms.

acp_authorizer_policy_duration_seconds shows how many policy validation requests fell within each duration range (for example, {name="nist-aal-1_system_api",le="0.001"} 2 means that 2 requests processed by the nist-aal-1_system_api policy took between 0.001s and the next threshold, which is 0.01s).

acp_authorizer_request_duration_seconds records the same kind of histogram for requests, labelled with the API group (group) they were made to.

A sample query and its output:

curl -sSLk -D - http://localhost:9000/metrics
  HTTP/1.1 200 OK
  Content-Type: text/plain; version=0.0.4; charset=utf-8
  Date: Thu, 21 Apr 2022 22:43:29 GMT
  Transfer-Encoding: chunked

  # HELP acp_authorizer_policy_duration_seconds
  # TYPE acp_authorizer_policy_duration_seconds histogram
  acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.001"} 2
  acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.01"} 2
  acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.05"} 2
  acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.1"} 2
  acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.5"} 2
  acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="1"} 2
  acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="+Inf"} 2
  acp_authorizer_policy_duration_seconds_sum{name="nist-aal-1_system_api"} 4.1651e-05
  acp_authorizer_policy_duration_seconds_count{name="nist-aal-1_system_api"} 2
  # HELP acp_authorizer_request_duration_seconds
  # TYPE acp_authorizer_request_duration_seconds histogram
  acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.001"} 3
  acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.01"} 3
  acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.05"} 3
  acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.1"} 3
  acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.5"} 3
  acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="1"} 3
  acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="+Inf"} 3
  acp_authorizer_request_duration_seconds_sum{group="api-group-id"} 5.3740000000000004e-05
  acp_authorizer_request_duration_seconds_count{group="api-group-id"} 3
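Prometheus le buckets are cumulative (the le="0.001" bucket counts every observation at or below 0.001s), so the per-range counts described above are obtained by subtracting adjacent buckets. The following parser is an added example, not part of the Cloudentity documentation: it reads the histogram families shown above from a constructed sample (the nist-aal-1_system_api lines are the page's own; "slow-policy" is invented) and flags policies whose evaluations exceed a latency budget.

```python
import re

# Constructed sample of the text format served at /metrics; the first policy's
# lines are the page's output, "slow-policy" is invented to fill higher buckets.
SAMPLE = """\
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.001"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.01"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="+Inf"} 2
acp_authorizer_policy_duration_seconds_sum{name="nist-aal-1_system_api"} 4.1651e-05
acp_authorizer_policy_duration_seconds_count{name="nist-aal-1_system_api"} 2
acp_authorizer_policy_duration_seconds_bucket{name="slow-policy",le="0.001"} 1
acp_authorizer_policy_duration_seconds_bucket{name="slow-policy",le="0.01"} 3
acp_authorizer_policy_duration_seconds_bucket{name="slow-policy",le="+Inf"} 5
acp_authorizer_policy_duration_seconds_count{name="slow-policy"} 5
"""

LINE = re.compile(r'^(?P<family>\w+?)_(?P<kind>bucket|sum|count)\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)$')

def parse_histograms(text):
    """Group _bucket/_sum/_count samples by (metric family, labels without le)."""
    hists = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skips # HELP / # TYPE comments and non-histogram samples
        labels = dict(re.findall(r'(\w+)="([^"]*)"', m["labels"]))
        key = (m["family"], tuple(sorted(i for i in labels.items() if i[0] != "le")))
        h = hists.setdefault(key, {"buckets": {}, "sum": 0.0, "count": 0.0})
        if m["kind"] == "bucket":
            h["buckets"][float(labels["le"])] = float(m["value"])  # "+Inf" -> inf
        else:  # _sum or _count
            h[m["kind"]] = float(m["value"])
    return hists

def per_range_counts(buckets):
    """Undo the cumulative le buckets: how many observations fell in (lower, le]."""
    out, lower, prev = [], 0.0, 0.0
    for le in sorted(buckets):
        out.append(((lower, le), int(buckets[le] - prev)))
        lower, prev = le, buckets[le]
    return out

def slow_policies(hists, threshold=0.01, max_fraction=0.2):
    """Policies whose share of evaluations above `threshold` (a bucket boundary) exceeds `max_fraction`."""
    names = []
    for (family, labels), h in hists.items():
        if family != "acp_authorizer_policy_duration_seconds" or not h["count"]:
            continue
        if 1.0 - h["buckets"][threshold] / h["count"] > max_fraction:
            names.append(dict(labels)["name"])
    return sorted(names)
```

Point the same parser at the body of the curl command shown above to check a live authorizer; the threshold must be one of the exposed le boundaries.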

Configuration reference

# acp
    reload_interval: 1m0s # reload interval
    reload_timeout: 30s # reload configuration timeout
    issuer_url: https://localhost:8443/sample/system # issuer url
    client_id: bqesdrc4m4co2s81mpu0 # client id
    client_secret: LH6mAb6PNljvjYMIF-A5RP2bElA5a5bnQah8sG0fsLA # client secret
    tenant_id: "" # tenant id
    server_id: "" # server id
    force_introspection: false # force token introspection even for jwts
# http client
    timeout: 10s # http client timeout
    retry_wait_min: 0s # minimum time to wait between retries
    retry_wait_max: 0s # maximum time to wait between retries
    retry_max: 0 # maximum number of retries
    root_ca: "" # root ca that this client should trust (defaults to system root ca)
    insecure_skip_verify: false # disable cert verification
    disable_follow_redirects: false # disable follow redirects
    disable_retry: true # disable retry
# metrics
    enabled: false # enable metrics endpoint
    port: 9000 # metrics endpoint port
# analytics
    enabled: true # when enabled, events are sent to audit log
    # event format
        include_policy_output: false # when enabled, policy evaluation output is sent to audit log
    # sampling
        probability: 1 # Probability of an event to be published (0.0-1.0)
        batch_inverval: 1s # Max duration to wait for a batch to publish
        batch_limit: 100 # Max number of events in a batch
        limit: 5 # Max number of batches per second to be published
        timeout: 5s # Timeout for a single batch to send
        workers: 8 # Number of sending workers
# cache
    ttl: 10s # ttl
    max_size: 100 # max size
# logging config
    level: info # log level severity
# token exchange config
    enabled: false # enable token exchange
    # cache
        ttl: 1m0s # ttl
        max_size: 1000 # max size
    # inject config (supported only for istio authorizer)
        mode: "" # Defines what token should be sent to the target service when token is exchanged
        # headers config
            exchanged_token: "" # Defines the name of the header that contains an exchanged token.
            original_token: "" # Defines the name of the header that contains an original token.
            strip_bearer: false # strips the Bearer prefix from the token headers
# enforcement config
    allow_unknown: false # allow requests with no matching rule
    client_certificate_header_name: X-SSL-CERT # client certificate header name
    client_certificate_format_header_name: X-SSL-CERT-FORMAT # client certificate format header name
# discovery config
    enabled: true # when true, API discovery is enabled
    timeout: 10s # discovery process timeout
    interval: 30s # how often discovery is performed
    disable_proxy: false # disable proxy in discovery
    open_api_endpoint: "" # if your service is self-hosting an OpenAPI endpoint, you need to provide the path to this endpoint to enable Istio authorizer to call this endpoint and automatically discover your APIs
    # discover services in the given namespaces
        - default
    grpc_reflection_calls: false # allow grpc reflection calls
# http server
    port: 9002 # http port
    dangerous_disable_tls: true # disables TLS
    # certificate configuration
        password: "" # key passphrase
        cert_path: "" # path to the certificate PEM file
        key_path: "" # path to the key PEM file
        cert: "" # base64 encoded cert PEM
        key: "" # base64 encoded key PEM
        generated_key_type: "" # type for generated key if cert and key are not provided (rsa or ecdsa)
    client_auth_type: 0 # client auth type
# grpc server
    port: 9001 # gRPC port
# target service config
    # inject config
        # headers config
            custom_data_prefix: x-output- # custom data header name prefix used to propagate global variables defined in a policy
            auth_ctx: x-auth-ctx # header name containing base64 encoded authentication context json object
trust_domain: cluster.local
kubeconfig: "" # absolute path to the kubeconfig file