As the title suggests, our requirement is to expose a kubernetes deployment both internally through the Apigee adapter for envoy Istio and publicly in the edge portal. Our current architecture is composed of a managed Kubernetes cluster by google (GKE) with Istio 1.6 installed via istioctl and the adapter’s version is 1.0.0.

The problem in the current configuration is related to the mandatory authentication step required by the envoy proxy. An EnvoyFIlter captures all traffic reaching the workload and performs api-key authentication through the apigee-remote-service-envoy service that communicates with the edge. Below is an extract of the EnvoyFilter configured during the adapter installation.

The EnvoyFilter is an http level filter that inserts the authentication step for all the workloads which are assigned the managed-by: apigee label.

The problem with this configuration is a double authentication step required for the client request, the first step of api-key verification takes place on the edge portal while the second one occurs with the apigee envoy adapter when the request is received by the workload. Below a diagram that summarizes the authentication flow.

Below is a list of possible workarounds solutions that we have identified to overcome such limitations, either managing the double authentication or avoiding it.

• Configure 2 Kubernetes deployments, only one has the label managed-by: apigee assigned. In this case, only the workload with the label would be exposed via apigee envoy adapter while the second one would be responsible for the traffic arriving from the edge portal without further authentication steps.
• Expose the containerized application on 2 ports and update of the envoy filter adding an additional match rule on the workload port. In this case, only the traffic directed to one of the ports would be forwarded to the apigee remote service while the rest of the traffic (coming from the edge portal) would be directly directed to the app.
• Apigee Edge Portal Configuration. For each Apigee Product configured to expose Edge Portal services it would be feasible to add the remote-service proxy whitelisting paths to the microservice exposed via apigee adapter. In this case the api-key used by the client for requests to the Apigee Edge Portal would also pass the further authentication step performed by the Adapter Istio in target servers.

All the solutions described above have tradeoffs in terms of performance or overhead in configuration and maintainability. Our request is to have a solution that allows a double exposure of the same workload without relying on one of the workarounds described above.

A draft of the desired solution is the following:

Would it be possible to achieve such configuration by leveraging either an Istio or Apigee configuration/feature?