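In one application, I have 2 APIs served on different paths (same port).
I am trying to apply a standard JWT authentication policy to /base/jclient/remoting but not to /base.
I have set up a standard gateway and the following virtual service: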
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jm-gateway-vs
spec:
  hosts:
  - "*"
  gateways:
  - jm-gateway
  http:
  - match:
    - uri:
        exact: /base/jclient/remoting
    route:
    - destination:
        host: jclient-remoting
        port:
          number: 8080
  - match:
    - uri:
        prefix: /base
    route:
    - destination:
        host: jm-cc-service
        port:
          number: 8080
The services are set up as...
---
apiVersion: v1
kind: Service
metadata:
  name: jm-cc-service
spec:
  ports:
  - port: 8080
    name: http-jm-cc-service
  selector:
    app: jm-cc-pod
---
apiVersion: v1
kind: Service
metadata:
  name: jclient-remoting
spec:
  ports:
  - port: 8080
    name: http-jclient-remoting
  selector:
    app: jm-cc-pod
---
The destination rules...
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: jclient-remoting
spec:
  host: jclient-remoting
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: jm-cc-service
spec:
  host: jm-cc-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
...and finally the policies...
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: jclient-remoting
spec:
  targets:
  - name: jclient-remoting
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "https://xxx-jm.eu.auth0.com/"
      jwksUri: "https://xxx-jm.eu.auth0.com/.well-known/jwks.json"
  principalBinding: USE_ORIGIN
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: jm-cc-service
spec:
  targets:
  - name: jm-cc-service
  peers:
  - mtls: {}
---
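No matter what I do, both paths give "Origin authentication failed". But I expect /base/jclient/remoting to give "Origin authentication failed" and not the /base path?
Any ideas how to achieve this?
Many thanks.
Answer 0: (score: 1)
I was approaching this the wrong way. Creating 2 services that hit the same pod makes no sense.
I only need 1 service. Then add a trigger rule to the policy so that the policy only applies to a specific path: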
{
request1: { key: '1', value: 'a' },
request2: { key: '2', value: 'b' },
request3: { key: '3', value: 'c' }
}
Cheers
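
The approach the answer describes, written out as an added example that is not part of the original answer: a single Service for the pod and one Policy whose JWT check is triggered only for the protected path. It reuses the names and issuer from the question and assumes an Istio release whose authentication.istio.io/v1alpha1 Policy supports JWT trigger rules.

```yaml
# Added example (not from the original post).
# One Service selects the pod; both API paths are reached through it.
apiVersion: v1
kind: Service
metadata:
  name: jm-cc-service
spec:
  ports:
  - port: 8080
    name: http-jm-cc-service
  selector:
    app: jm-cc-pod
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: jm-cc-service
spec:
  targets:
  - name: jm-cc-service
  peers:
  - mtls: {}          # mutual TLS still applies to every path
  origins:
  - jwt:
      issuer: "https://xxx-jm.eu.auth0.com/"
      jwksUri: "https://xxx-jm.eu.auth0.com/.well-known/jwks.json"
      # Assumption: triggerRules/includedPaths from the v1alpha1 Jwt message.
      # The JWT is required only for requests whose path matches a rule here;
      # other paths under /base are not subject to this JWT check.
      triggerRules:
      - includedPaths:
        # "exact" does not cover sub-paths or a trailing slash; use
        # "prefix" instead if anything below this path must be protected.
        - exact: /base/jclient/remoting
  principalBinding: USE_ORIGIN
```

With this layout the VirtualService needs only the `prefix: /base` route to `jm-cc-service`, and the `jclient-remoting` Service, DestinationRule and Policy can be removed.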