Adding istio samples

envoyfilter.yaml

@@ -0,0 +1,36 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: ext-authz
+spec:
+  workloadLabels:
+    app: httpbin
+  filters:
+  - listenerMatch:
+      portNumber: 8000
+      listenerType: SIDECAR_INBOUND
+    filterName: envoy.ext_authz
+    filterType: HTTP
+    filterConfig:
+      http_service:
+        server_uri:
+          uri: http://wso2apim-with-analytics-apim-service.wso2.svc:9763
+          cluster: outbound|9763||wso2apim-with-analytics-apim-service.wso2.svc
+          timeout: 0.25s
+          # failure_mode_allow: false
+        path_prefix: /oauth2/introspect
+        # authorization_headers_to_add: 
+        # - key: "pub1"
+        #   value: "test"
+        allowed_request_headers: ["foo1","authorization","foo34","bar43"]
+        # authorization_request: 
+        #   allowed_headers: 
+        #     patterns: 
+        #     - exact: baz
+        #     - prefix: x-
+        #   headers_to_add:
+        #   - key: foo34
+        #     value: bar43
+        #   - key: bar43
+        #     value: foo43
+        authorization_headers_to_add: [{"key": "foo34", "value": "bar43"}]

gw.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: httpbin-gateway
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: httpbin
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - httpbin-gateway
+  http:
+  - match:
+    route:
+    - destination:
+        host: httpbin
+        port:
+          number: 8000

httpapispec.yaml

@@ -0,0 +1,52 @@
+# Defines an "API" in Istio.
+# An API identifies specific requests to services and binds API attributes
+# and behavior to that request.
+# In the definition below, we've defined an API named "helloworldapi" that defines
+# an operation we've called "/hello" when a request calls: GET /hello.
+# Then, in the binding, we've bound our API to the "helloworld" service.
+# The result is that GET request to /hello on the helloworld service will be
+# assigned the attributes and functions we define for the API.
+# One key feature is being able to map an incoming API Key from a header or
+# query parameter to the request.api_key
+# This can be used to very specifically map requests to Apigee policies and
+# analytics.
+---
+# Define an API
+apiVersion: config.istio.io/v1alpha2
+kind: HTTPAPISpec
+metadata:
+  creationTimestamp: null
+  name: helloworldapi
+  namespace: default
+spec:
+  apiKeys:
+  - query: apikey
+  - header: x-api-key
+  attributes:
+    attributes:
+      api.service:
+        stringValue: helloworld.default.svc.cluster.local
+      api.version:
+        stringValue: v1
+  patterns:
+  - attributes:
+      attributes:
+        api.operation:
+            stringValue: /hello
+    httpMethod: GET
+    uriTemplate: /hello
+---
+# Bind the API to a service
+apiVersion: config.istio.io/v1alpha2
+kind: HTTPAPISpecBinding
+metadata:
+  creationTimestamp: null
+  name: helloworldapi-binding
+  namespace: default
+spec:
+  api_specs:
+  - name: helloworldapi
+    namespace: default
+  services:
+  - name: httpbin
+    namespace: default

httpbin.yaml

@@ -0,0 +1,49 @@
+# Copyright 2017 Istio Authors
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+##################################################################################################
+# httpbin service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+  name: httpbin
+  labels:
+    app: httpbin
+spec:
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 80
+  selector:
+    app: httpbin
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: httpbin
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: httpbin
+        version: v1
+    spec:
+      containers:
+      - image: docker.io/kennethreitz/httpbin
+        imagePullPolicy: IfNotPresent
+        name: httpbin
+        ports:
+        - containerPort: 80

introspect-envoyfilter-ingressgateway.yaml

@@ -0,0 +1,101 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: wso2-introspect-filter-ingressgateway
+  namespace: istio-system
+spec:
+  filters:
+  - listenerMatch:
+      listenerType: GATEWAY
+    filterName: envoy.lua
+    filterType: HTTP
+    filterConfig:
+      inlineCode: |
+
+          function envoy_on_request(request_handle)
+
+            local oauth = request_handle:headers():get("Authorization")
+
+            if oauth == nil then
+               request_handle:respond(
+              {[":status"] = "401", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900902, \"message\": \"Missing Credentials\"," ..
+              " \"description\": \"Required OAuth credentials not provided. Make sure " ..
+              "your API invocation call has a header: \\\"Authorization: Bearer ACCESS_TOKEN\\\"\"}}")
+            end
+
+            words = {}
+            for word in oauth:gmatch("%S+") do table.insert(words, word) end
+
+            if words[2] == nil then
+                request_handle:respond(
+              {[":status"] = "401", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900902, \"message\": \"Missing Credentials\"," ..
+              " \"description\": \"Required OAuth credentials not provided. Make sure " ..
+              "your API invocation call has a header: \\\"Authorization: Bearer ACCESS_TOKEN\\\"\"}}")
+            end
+
+            payload = "token=" .. words[2]
+
+            local headers, body = request_handle:httpCall(
+            "outbound|9443||wso2apim-with-analytics-apim-service.wso2.svc",
+            {
+              [":method"] = "POST",
+              [":path"] = "/oauth2/introspect",
+              [":authority"] = "wso2apim-with-analytics-apim-service.wso2.svc",
+              ["authorization"] = "Basic YWRtaW46YWRtaW4="
+            },
+            payload,
+            5000)
+
+            local activeString
+            for word in body:gmatch('([^,]+)') 
+            do
+              if string.match(word, "active") then
+                activeString = word 
+              end
+            end
+            local resVal = {}
+
+            if activeString == nil then
+               request_handle:respond(
+              {[":status"] = "500", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900900, \"message\": \"Internal Server Error\"," ..
+              " \"description\": \"Internal Server Error Occurred\"}}")
+            end
+
+            for word in activeString:gmatch("([^:]+)") do table.insert(resVal, word) end
+
+            if string.match(resVal[2], "false") then
+             request_handle:respond(
+              {[":status"] = "401", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900901, \"message\": \"Invalid Credentials\"," ..
+              " \"description\": \"Invalid Credentials. Make sure you have given the correct access token\"}}")
+            end
+          end
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: wso2-endpoint-dr
+  namespace: istio-system
+spec:
+  host: "wso2apim-with-analytics-apim-service.wso2.svc"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: wso2-endpoint-se
+  namespace: istio-system
+spec:
+  hosts:
+  - wso2apim-with-analytics-apim-service.wso2.svc
+  ports:
+  - number: 9443
+    name: https
+    protocol: HTTPS
+  resolution: DNS
+  location: MESH_EXTERNAL

introspect-envoyfilter.yaml

@@ -0,0 +1,102 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: wso2-introspect-filter
+spec:
+  workloadLabels:
+    app: httpbin
+  filters:
+  - listenerMatch:
+      portNumber: 8000
+      listenerType: SIDECAR_INBOUND
+    filterName: envoy.lua
+    filterType: HTTP
+    filterConfig:
+      inlineCode: |
+
+          function envoy_on_request(request_handle)
+
+
+            local oauth = request_handle:headers():get("Authorization")
+
+            if oauth == nil then
+               request_handle:respond(
+              {[":status"] = "401", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900902, \"message\": \"Missing Credentials\"," ..
+              " \"description\": \"Required OAuth credentials not provided. Make sure " ..
+              "your API invocation call has a header: \\\"Authorization: Bearer ACCESS_TOKEN\\\"\"}}")
+            end
+
+            words = {}
+            for word in oauth:gmatch("%S+") do table.insert(words, word) end
+
+            if words[2] == nil then
+                request_handle:respond(
+              {[":status"] = "401", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900902, \"message\": \"Missing Credentials\"," ..
+              " \"description\": \"Required OAuth credentials not provided. Make sure " ..
+              "your API invocation call has a header: \\\"Authorization: Bearer ACCESS_TOKEN\\\"\"}}")
+            end
+
+            payload = "token=" .. words[2]
+
+            local headers, body = request_handle:httpCall(
+            "outbound|9443||wso2apim-with-analytics-apim-service.wso2.svc",
+            {
+              [":method"] = "POST",
+              [":path"] = "/oauth2/introspect",
+              [":authority"] = "wso2apim-with-analytics-apim-service.wso2.svc",
+              ["authorization"] = "Basic YWRtaW46YWRtaW4="
+            },
+            payload,
+            5000)
+
+            local activeString
+            for word in body:gmatch('([^,]+)') 
+            do
+              if string.match(word, "active") then
+                activeString = word 
+              end
+            end
+            local resVal = {}
+
+            if activeString == nil then
+               request_handle:respond(
+              {[":status"] = "500", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900900, \"message\": \"Internal Server Error\"," ..
+              " \"description\": \"Internal Server Error Occurred\"}}")
+            end
+
+            for word in activeString:gmatch("([^:]+)") do table.insert(resVal, word) end
+
+            if string.match(resVal[2], "false") then
+             request_handle:respond(
+              {[":status"] = "401", ["Content-type"] = "application/json"},
+              "{\"fault\": { \"code\": 900901, \"message\": \"Invalid Credentials\"," ..
+              " \"description\": \"Invalid Credentials. Make sure you have given the correct access token\"}}")
+            end
+          end
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: wso2-endpoint-dr
+spec:
+  host: "wso2apim-with-analytics-apim-service.wso2.svc"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: wso2-endpoint-se
+spec:
+  hosts:
+  - wso2apim-with-analytics-apim-service.wso2.svc
+  ports:
+  - number: 9443
+    name: https
+    protocol: HTTPS
+  resolution: DNS
+  location: MESH_EXTERNAL

jwks-policy-httpbin.yaml

@@ -0,0 +1,16 @@
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "Policy"
+metadata:
+  name: "wso2-jwks-policy"
+  namespace: default
+spec:
+  targets:
+  - name: httpbin
+  peers:
+  - mtls: 
+      mode: PERMISSIVE
+  origins:
+  - jwt:
+      issuer: "https://localhost:9443/oauth2/token"
+      jwksUri: "http://wso2apim-with-analytics-apim-service.wso2.svc:9763/oauth2/jwks"
+  principalBinding: USE_ORIGIN