App Identity and Access Adapter for Istio Mixer I/O timeout

Question

Following the install documentation at https://github.com/ibm-cloud-security/app-identity-and-access-adapter . Everything seems to be installed correctly (though I did have to update the oidc-config.yaml and policy.yaml template files to prevent errors with the discoveryUrl pattern.

I am using the sample policies for OIDC from the sample folders, update with my URLs and client secret.

In Mixer I get the following error:

2020-01-11T16:26:43.920036Z info    grpc: addrConn.createTransport failed to connect to {svc-appidentityandaccessadapter:47304 0  <nil>}. Err :connection error: desc = "transport: Error while dialing dial tcp 10.43.152.188:47304: i/o timeout". Reconnecting...
2020-01-11T16:26:43.920168Z info    base.baseBalancer: handle SubConn state change: 0xc000646bc0, TRANSIENT_FAILURE
2020-01-11T16:26:44.920497Z info    base.baseBalancer: handle SubConn state change: 0xc000646bc0, CONNECTING
2020-01-11T16:26:44.920804Z info    roundrobinPicker: newPicker called with readySCs: map[]
2020-01-11T16:26:44.924250Z info    base.baseBalancer: handle SubConn state change: 0xc000646bc0, READY
2020-01-11T16:26:44.924615Z info    roundrobinPicker: newPicker called with readySCs: map[{svc-appidentityandaccessadapter:47304 0  <nil>}:0xc000646bc0]

It looks like it is in a READY state, however when I load the application in the web browser, nothing happens, I get direct access to the application.

adapter logs:

2020-01-11T16:26:24.518Z    info    initializer/policyinitializer.go:112    Successfully constructed k8s client {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z    info    web/web.go:390  Synced secret: appidentityandaccessadapter-cookie-sig-enc-keys  {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z    info    adapter/adapter.go:142  Listening on: [::]:47304    {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:33.160Z    info    keyset/keyset.go:117    Synced public keys  {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z    info    keyset/keyset.go:50 Synced JWKs successfully.   {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z    info    crdeventhandler/add_event.go:55 OidcConfig created/updated  {"source": "appidentityandaccessadapter-adapter", "ID": "5b90d600-0ed4-4a42-b97f-379a502732f4", "name": "oidc-provider-config", "namespace": "default"}
2020-01-11T16:26:37.091Z    info    crdeventhandler/add_event.go:67 Policy created/updated  {"source": "appidentityandaccessadapter-adapter", "ID": "440e5c32-fb39-4e24-8f99-eab62dcf2502"}

Answer 1

Check disablePolicyCheck by running

kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

if it returns disablePolicyCheck: true , run the following:

istioctl manifest apply --set values.global.disablePolicyChecks=false \
 --set values.mixer.policy.enabled=true \
 --set values.pilot.policy.enabled=true

Istio does not currently respect the global.disablePolicyCheck config without also setting pilot.policy.enabled=true .

Additionally, the default profile in Istio sets mixer.policy.enabled to false for performance reasons.

Once you've run the above command, the kubectl command to return disablePolicyChecks: false