Istio External Authorization Error with Istio Operator


We have deployed Istio 1.11.0 using the helm-chart in our dev and production environments. We are using the configuration below in the istio configmap, which we have updated via the istio-control helm-chart.

meshConfig:
  extensionProviders:
  - name: "ext-authz-grpc"
    envoyExtAuthzGrpc:
      service: "ext-auth-service.default.svc.cluster.local"
      port: "50051"
      includeHeadersInCheck: [ "authorization", "ws-protocol" ]
      headersToUpstreamOnAllow: [ "authorization", "x-role", "x-id" ]
  accessLogFile: /dev/stdout
  enablePrometheusMerge: true

Basically, we are using a gRPC service as the external authorization server. The above configuration is working fine. One of our clients has deployed Istio 1.9.8 using the operator. (They have their own deployment model for Istio and do not allow us to deploy Istio using the helm-chart.) When we try to apply the above changes using the operator, it gives us the error below:

2022-04-05T10:23:09.657830Z info installer Loading values from compiled in VFS at path profiles/minimal.yaml
2022-04-05T10:23:09.657837Z info installer Loading values from compiled in VFS at path profiles/default.yaml
2022-04-05T10:23:09.679340Z error installer failed to merge base profile with user IstioOperator CR profile-poc-customized, failed to unmarshall mesh config: unknown field "includeHeadersInCheck" in v1alpha1.MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider moreInfo=The values in the selected spec.profile could not be merged with the user IstioOperator resource. impact=The operator controller cannot create and act upon the user defined IstioOperator resource. The Istio control plane will not be installed or updated. action=Check that the IstioOperator resource has the correct syntax. If you are sure your configuration is correct, see https://istio.io/latest/about/bugs for possible solutions. likelyCause=The likely cause is an incorrect or badly formatted configuration.Another possible cause could be an issue with the Istio code.

If we directly edit the configmap and make the changes, it is able to apply them. But it gives an error when we update it from the operator. Can anybody help me understand why it's not working with the operator?

There are 1 answers

Nitish On