cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Istio Configmap automatically change to default config after a certain time period

ReinertM
Explorer

on ‎12-28-2023 7:24 AM

Hello,

while configuring an extension provider as part of a mesh config in Kyma, I encountered a problem with the configmap "istio" in the istio-system namespace (and the corresponding istio-operator "installed-state-default-operator") changing back their config to the default after a certain time.


What am I trying to configure? 

meshConfig:
  extensionProviders:
  - name: oauth2-proxy
    envoyExtAuthzHttp:
      service: oauth2-proxy.oauth2-proxy.svc.cluster.local
      port: 4180
      includeRequestHeadersInCheck:
      - cookie
      headersToUpstreamOnAllow:
      - authorization
      headersToDownstreamOnDeny:
      - set-cookie

Expected behaviour:
Changes stay valid

Actual behaviour:
Configmap and operator change to original config, resulting in an "rbac: access denied" error when trying to authenticate via oauth2-proxy.

I would appreciate if someone could point me to the resource that has to be changed in order for my changes to stay valid.

Thank you.

PS: I have checked to cluster for any scheduling tasks or cron-jobs but didn't find anything.

Show replies
Show replies
strekm
Advisor
Advisor
‎12-28-2023 9:18 AM
0 Kudos

hello Matthias,
Istio is Kyma managed module and any changes to Istio configuration will be reconciled back to original state provided by Istio module.
At this moment it is not possible to configure extension providers but this topic is on our roadmap.
Please let me know how we can support you, i'm open to meet and discuss matters.

Cheers,
Magda

ReinertM
Explorer
‎12-28-2023 9:43 AM
0 Kudos

Hi Magda,

thanks you for the swift response.
Maybe I am a bit ahead of time but implementation of the extension provider did actually work and I was able to authenticate via OIDC provider, however the reconsiliation of istio makes it unsuitable for productive deployments.
Nevertheless, I am interested to find out about the reconciliation process.
Feel free to send me an invite via my mail address mreinert@gambit.de or connect via LinkedIn.

Thanks a lot,
Matthias

gabbi
Product and Topic Expert
Product and Topic Expert
‎12-28-2023 10:27 AM
0 Kudos

Hi Matthias,

I have sent you an invitation.

BR

Gaurav

Answer

Accepted Solutions (0)

Answers (0)

Ask a Question