针对一些没有认证又需要开放到公网的服务,可以在 Istio Ingress 的请求过程中增加一个 Lua 脚本来进行简单的认证流程。
将下面的 Basic xxxx 替换成实际的用户名和密码,即 "Basic " 加上 base64(username:password) 的结果;将脚本中的 "xxxx.xxx.com" 替换成实际需要增加认证的 Host 域名:
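# EnvoyFilter that puts an HTTP Basic auth check in front of one host on the
# Istio ingress gateway, for backends that have no authentication of their own.
#
# Review notes:
# - The expected credential sits in this manifest in clear text (base64 is an
#   encoding, not encryption). Anyone who can read EnvoyFilter objects in
#   istio-system can recover it, so restrict read access accordingly.
# - Basic credentials are sent with every request; expose the host over TLS only.
# - Only requests whose Host matches are challenged. Make sure the gateway does
#   not route any other host name to the same backend, or the check is skipped.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-basic-auth-lua
  namespace: istio-system
spec:
  # Applies only to workloads labelled as the ingress gateway.
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: ANY
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inline_code: |
            -- Runs for every request on the gateway. Requests for the
            -- protected host must carry the expected Authorization header,
            -- otherwise they are answered with 401 and a Basic challenge.
            function envoy_on_request(request_handle)
              local host = request_handle:headers():get("host")
              -- Host names are case-insensitive, so match on a lowercased
              -- copy; a mixed-case Host must not skip the check. Keep the
              -- literal below in lower case.
              -- The 4th argument (true) makes this a plain substring search.
              -- As a Lua pattern, "-" in a domain is a repetition operator,
              -- so a hyphenated host would never match and would stay
              -- unauthenticated. The substring match also covers "host:port".
              if host and host:lower():find("xxxx.xxx.com", 1, true) then
                local auth = request_handle:headers():get("authorization")
                -- "Basic " followed by base64(username:password).
                local expected_auth = "Basic xxxx"
                -- A missing header (nil) differs from the expected string,
                -- so it is rejected as well.
                if auth ~= expected_auth then
                  request_handle:respond(
                    {
                      [":status"] = "401",
                      ["www-authenticate"] = 'Basic realm="Restricted"'
                    },
                    "Unauthorized"
                  )
                end
              end
            end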