我们已经在开发和生产环境中使用 helm-chart 部署了 Istio 1.11.0。 我们在 istio configmap 中使用以下配置,我们已通过 istio-control helm-chart 对其进行了更新。
meshConfig:
extensionProviders:
- name: "ext-authz-grpc"
envoyExtAuthzGrpc:
service: "ext-auth-service.default.svc.cluster.local"
port: "50051"
includeHeadersInCheck: [ "authorization", "ws-protocol" ]
headersToUpstreamOnAllow: [ "authorization", "x-role", "x-id" ]
accessLogFile: /dev/stdout
enablePrometheusMerge: true
基本上我们使用 grpc 服务作为外部授权服务器。 以上配置工作正常。 我们的一位客户使用 operator 部署了 Istio 1.9.8。 (他们有自己的 Istio 部署模型。不允许我们使用 helm-chart 部署 istio) 当我们尝试使用运算符应用上述更改时,它给我们以下错误:
2022-04-05T10:23:09.657830Z info installer Loading values from compiled in VFS at path profiles/minimal.yaml
2022-04-05T10:23:09.657837Z info installer Loading values from compiled in VFS at path profiles/default.yaml
2022-04-05T10:23:09.679340Z error installer failed to merge base profile with user IstioOperator CR profile-poc-customized, failed to unmarshall mesh config: unknown field "includeHeadersInCheck" in v1alpha1.MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider moreInfo=The values in the selected spec.profile could not be merged with the user IstioOperator resource. impact=The operator controller cannot create and act upon the user defined IstioOperator resource. The Istio control plane will not be installed or updated. action=Check that the IstioOperator resource has the correct syntax. If you are sure your configuration is correct, see https://istio.io/latest/about/bugs for possible solutions. likelyCause=The likely cause is an incorrect or badly formatted configuration.Another possible cause could be an issue with the Istio code.
如果我们直接编辑 configmap 并进行更改,那么它就能够应用这些更改。 但是当我们从运算符(operator)更新它时它会出错。 谁能帮我理解为什么它不能与运营商合作?
最佳答案
includeHeadersInCheck 只适用于 http 而不是 grpc: https://istio.io/v1.10/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider
关于Istio Operator 的 Istio 外部授权错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/71780101/