Question by Abhinandan Nandi · Oct 15, 2018 at 05:00 PM · 270 Views istio

Issue implementing API Key/Quota validation with the Apigee Istio adapter

I've had an issue with the implementation of the API key/quota validation using the apigee-istio adapter.

The authorization is configured in the default definitions.yaml file provided in the adapter installation directory:

# instance configuration for template 'apigee.authorization'
apiVersion: config.istio.io/v1alpha2
kind: authorization
metadata:
  name: apigee
  namespace: istio-system
spec:
  subject:
    user: ""
    groups: ""
    properties:
      api_key: request.api_key | request.headers["x-api-key"] | ""
      json_claims: request.auth.raw_claims | ""
  action:
    namespace: destination.namespace | "default"
    service: api.service | destination.service.host | ""
    path: api.operation | request.path | ""
    method: request.method | ""

And the following default rule.yaml file defines the rule:

# Defines rules to apply the Apigee mixer adapter to requests.
# In the rule below, we apply Apigee authorization and analytics
# as defined in the apigee-handler (handler.yaml) to all intra-mesh
# requests.
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: apigee-rule
  namespace: istio-system
spec:
  match: context.reporter.kind == "inbound" && destination.namespace == "default"
  actions:
  - handler: apigee-handler.apigee.istio-system
    instances:
    - apigee.authorization
    - apigee.analytics

I have mutual TLS enabled in my Istio installation, and the rule is preventing my services from communicating with each other; specifically, my services cannot access my MongoDB service, which is running on the same cluster in the same namespace. I have implemented the default JWT authentication with no issues, but the apikey authentication causes this issue.

In the configuration, I feel that the match: context.reporter.kind == "inbound" specification should only target inbound services, and not communication between services. Still, it seems that the intra-mesh communication is being affected. Is there a way to configure this rule or otherwise implement this feature while using mTLS in the mesh?


1 Answer

2
Best Answer

Answer by theganyo · Oct 16, 2018 at 03:47 PM

Yes, the attribute names can be confusing. The "context.reporter.kind" is really just filtering between kinds of Mixer traffic from the proxies, so it's not useful in your context. To limit the rule to just applying at ingress, you'll need a rule that looks like this:

source.labels["istio"] == "ingressgateway"

Abhinandan Nandi · Oct 16, 2018 at 04:00 PM

Thank you, from my initial testing this condition has made the implementation work as intended.

Dino-at-Google ♦♦ · Oct 16, 2018 at 04:04 PM

In the match, like this?

# Defines rules to apply the Apigee mixer adapter to requests.
# In the rule below, we apply Apigee authorization and analytics
# as defined in the apigee-handler (handler.yaml) to all intra-mesh
# requests.
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: apigee-rule
  namespace: istio-system
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: apigee-handler.apigee.istio-system
    instances:
    - apigee.authorization
    - apigee.analytics

Abhinandan Nandi · Oct 16, 2018 at 04:07 PM

Yes, in the match, I left the other default conditions in for my implementation like this:

match: context.reporter.kind == "inbound" && destination.namespace == "default" && source.labels["istio"] == "ingressgateway"
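
As an added illustration (not part of the thread, and not Apigee or Istio code), the sketch below evaluates the two match expressions from this page against constructed attribute bags, using a simplified model of Mixer matching in which an absent attribute or label means the rule does not apply. The `orders` and `mongodb` workloads and the flow names are hypothetical.

```python
import re

# Subset of Mixer expressions used in this thread: attr == "lit" or attr["key"] == "lit", joined by &&
CLAUSE = re.compile(r'^\s*([\w.]+)(?:\["([^"]+)"\])?\s*==\s*"([^"]*)"\s*$')

def matches(expr, attrs):
    """True if every clause holds; model assumption: an absent attribute or key means no match."""
    for clause in expr.split("&&"):
        m = CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        name, key, want = m.groups()
        value = attrs.get(name)
        if key is not None:
            value = (value or {}).get(key)
        if value != want:
            return False
    return True

# Match expressions as posted in the thread.
ORIGINAL = 'context.reporter.kind == "inbound" && destination.namespace == "default"'
AMENDED = ORIGINAL + ' && source.labels["istio"] == "ingressgateway"'

# Constructed attribute bags, one per proxy report; workload names are hypothetical.
FLOWS = {
    "gateway->orders, seen by orders sidecar": {
        "context.reporter.kind": "inbound",
        "destination.namespace": "default",
        "source.labels": {"istio": "ingressgateway"},
    },
    "orders->mongodb, seen by mongodb sidecar": {
        "context.reporter.kind": "inbound",
        "destination.namespace": "default",
        "source.labels": {"app": "orders"},
    },
    "orders->mongodb, seen by orders sidecar": {
        "context.reporter.kind": "outbound",
        "destination.namespace": "default",
        "source.labels": {"app": "orders"},
    },
}

def apigee_checked(expr):
    """Names of the flows on which the rule would invoke the Apigee handler."""
    return [name for name, attrs in FLOWS.items() if matches(expr, attrs)]

if __name__ == "__main__":
    print("original:", apigee_checked(ORIGINAL))
    print("amended: ", apigee_checked(AMENDED))
```

With the amended match, calls that do not arrive through the ingress gateway are no longer checked by the Apigee adapter at all, so service-to-service access control has to come from mTLS and the mesh's own authorization rules.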
