Following the install documentation at https://github.com/ibm-cloud-security/app-identity-and-access-adapter . Everything seems to be installed correctly (though I did have to update the oidc-config.yaml and policy.yaml template files to prevent errors with the discoveryUrl pattern.
I am using the sample policies for OIDC from the sample folders, update with my URLs and client secret.
In Mixer I get the following error:
2020-01-11T16:26:43.920036Z info grpc: addrConn.createTransport failed to connect to {svc-appidentityandaccessadapter:47304 0 <nil>}. Err :connection error: desc = "transport: Error while dialing dial tcp 10.43.152.188:47304: i/o timeout". Reconnecting...
2020-01-11T16:26:43.920168Z info base.baseBalancer: handle SubConn state change: 0xc000646bc0, TRANSIENT_FAILURE
2020-01-11T16:26:44.920497Z info base.baseBalancer: handle SubConn state change: 0xc000646bc0, CONNECTING
2020-01-11T16:26:44.920804Z info roundrobinPicker: newPicker called with readySCs: map[]
2020-01-11T16:26:44.924250Z info base.baseBalancer: handle SubConn state change: 0xc000646bc0, READY
2020-01-11T16:26:44.924615Z info roundrobinPicker: newPicker called with readySCs: map[{svc-appidentityandaccessadapter:47304 0 <nil>}:0xc000646bc0]
It looks like it is in a READY state, however when I load the application in the web browser, nothing happens, I get direct access to the application.
adapter logs:
2020-01-11T16:26:24.518Z info initializer/policyinitializer.go:112 Successfully constructed k8s client {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z info web/web.go:390 Synced secret: appidentityandaccessadapter-cookie-sig-enc-keys {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:24.562Z info adapter/adapter.go:142 Listening on: [::]:47304 {"source": "appidentityandaccessadapter-adapter"}
2020-01-11T16:26:33.160Z info keyset/keyset.go:117 Synced public keys {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z info keyset/keyset.go:50 Synced JWKs successfully. {"source": "appidentityandaccessadapter-adapter", "url": "https:///auth/realms//protocol/openid-connect/certs"}
2020-01-11T16:26:33.160Z info crdeventhandler/add_event.go:55 OidcConfig created/updated {"source": "appidentityandaccessadapter-adapter", "ID": "5b90d600-0ed4-4a42-b97f-379a502732f4", "name": "oidc-provider-config", "namespace": "default"}
2020-01-11T16:26:37.091Z info crdeventhandler/add_event.go:67 Policy created/updated {"source": "appidentityandaccessadapter-adapter", "ID": "440e5c32-fb39-4e24-8f99-eab62dcf2502"}
Check disablePolicyCheck
by running
kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
if it returns disablePolicyCheck: true
, run the following:
istioctl manifest apply --set values.global.disablePolicyChecks=false \
--set values.mixer.policy.enabled=true \
--set values.pilot.policy.enabled=true
Istio does not currently respect the global.disablePolicyCheck
config without also setting pilot.policy.enabled=true
.
Additionally, the default profile in Istio sets mixer.policy.enabled
to false
for performance reasons.
Once you've run the above command, the kubectl
command to return disablePolicyChecks: false
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.