update 1.9.1

README.md

@@ -11,6 +11,7 @@ i understand something is to rewrite sections and only those sections from the g
 
 ## Istio version used
 
+* 03/19/21: Istio 1.9.1
 * 12/21/20: Istio 1.8.0
 * 09/22/20: Istio 1.7.2
 * 04/28/20: Istio 1.5.2
@@ -100,13 +101,12 @@ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-ad
 
 kubectl create ns istio-system
 
-export ISTIO_VERSION=1.8.0
+export ISTIO_VERSION=1.9.1
 
-wget https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-linux-amd64.tar.gz
-tar xvf istio-$ISTIO_VERSION-linux-amd64.tar.gz
-rm istio-$ISTIO_VERSION-linux-amd64.tar.gz
+wget -O /tmp/istio-$ISTIO_VERSION-linux-amd64.tar.gz https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-linux-amd64.tar.gz
+tar xvf /tmp/istio-$ISTIO_VERSION-linux-amd64.tar.gz  -C /tmp/
 
-export PATH=`pwd`/istio-$ISTIO_VERSION/bin:$PATH
+export PATH=/tmp/istio-$ISTIO_VERSION/bin:$PATH
 
 
 istioctl install --set profile=demo \
@@ -118,16 +118,15 @@ istioctl install --set profile=demo \
 $ istioctl profile dump --config-path components.ingressGateways demo
 $ istioctl profile dump --config-path values.gateways.istio-ingressgateway demo
 
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/prometheus.yaml
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/grafana.yaml
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/jaeger.yaml
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/kiali.yaml
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.9/samples/addons/prometheus.yaml
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.9/samples/addons/grafana.yaml
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.9/samples/addons/jaeger.yaml
+sleep 10
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.9/samples/addons/kiali.yaml
 
 kubectl label namespace default istio-injection=enabled
 ```
 
-If you see an error: `no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"`, run the commands again
-
 Wait maybe 2 to 3 minutes and make sure all the Deployments are live:
 
 - For reference, here are the Istio [operator installation options](https://istio.io/docs/reference/config/istio.operator.v1alpha1/)
@@ -1373,7 +1372,7 @@ spec:
     match:
       context: SIDECAR_INBOUND
       proxy:
-        proxyVersion: '1\.7.*'      
+        proxyVersion: '1\.9.*'      
       listener:
         filterChain:
           filter:
@@ -1520,11 +1519,14 @@ export PROJECT_ID=`gcloud config get-value core/project`
 gcloud iam service-accounts create sa-istio --display-name "JWT issuer for Istio helloworld"
 export SA_EMAIL=sa-istio@$PROJECT_ID.iam.gserviceaccount.com
 gcloud iam service-accounts keys create svc_account.json --iam-account=$SA_EMAIL
-echo SA_EMAIL
+echo $SA_EMAIL
 ```
 
 Edit `auth-policy.yaml` file and replace the values where the service account email `$SA_EMAIL` is specified
 
+```bash
+ envsubst < "auth-policy.yaml.tmpl" > "auth-policy.yaml"
+```
 
 After you apply the policy
 
@@ -1573,8 +1575,10 @@ The policy above looks for a specific issuer and audience value.  THe `jwksUri`
 
 
 ```bash
-pip install -r requirements.txt
-python main.py
+virtualenv env
+source env/bin/activate
+pip3 install -r requirements.txt
+python3 main.py
 ```
 
 The command line utility will generate two tokens with different specifications.  For Alice, 
@@ -1636,7 +1640,7 @@ The request should now pass validation and you're in.  What we just did is have
 
 What that means is if you use Alice's token to access `svc2`, you'll see an authentication validation error because that token doesn't have `"https://svc2.example.com"` in the audience
 
-```
+```bash
 $ curl -k -H "Host: svc2.example.com" -H "Authorization: Bearer $TOKEN_ALICE" -w "\n" https://$GATEWAY_IP/version
    Audiences in Jwt are not allowed
 ```

auth_rbac_policy/auth-policy.yaml → auth_rbac_policy/auth-policy.yaml.tmpl

@@ -48,7 +48,7 @@ spec:
        methods: ["GET"]
    when:
    - key: request.auth.claims[iss]
-     values: ["$SA_EMAIL"]
+     values: ["[email protected]"]
 ---
 apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
@@ -118,7 +118,7 @@ spec:
      values: ["$SA_EMAIL"]
    - key: request.auth.claims[aud]
      values: ["https://svc2.example.com"]
-   - key: request.auth.claims[groups]
-     values: ["group1", "group2"]
+  # - key: request.auth.claims[groups]
+  #   values: ["group1", "group2"]
    - key: request.auth.claims[sub]
      values: ["bob"]

auth_rbac_policy/jwt_cli/main.py

@@ -36,8 +36,8 @@ def getToken(subject, audience, custom_claims):
   jwt = _urlsafe_b64encode(json.dumps(jwt_header)) + '.' +  _urlsafe_b64encode(json.dumps(payload))
 
   b = cred.sign_bytes(jwt)
-  assertion = jwt  +  '.' + _urlsafe_b64encode(b)
 
+  assertion = jwt  +  '.' +str(base64.urlsafe_b64encode(b).decode('utf-8')).rstrip('=')
   return assertion
 
 
@@ -51,29 +51,29 @@ def verifyToken(token,audience):
 
   if id_info['iss'] != cred.service_account_email:
       raise ValueError('Wrong issuer.')
-  print id_info['sub']
+  print(id_info['sub'])
 
 def _urlsafe_b64encode(raw_bytes):
-    return base64.urlsafe_b64encode(raw_bytes).rstrip('=')
+    return base64.urlsafe_b64encode(raw_bytes.encode('utf-8')).decode('utf-8').rstrip('=')
 
 def _urlsafe_b64decode(b64string):
     # Guard against unicode strings, which base64 can't handle.
-    b64string = b64string.encode('ascii')
+    b64string = b64string.encode('utf-8')
     padded = b64string + '=' * (4 - len(b64string) % 4)
     return base64.urlsafe_b64decode(padded)
 
 if __name__ == '__main__':
 
     cred = service_account.Credentials.from_service_account_file('svc_account.json')
     fbtok = getToken("alice", "https://svc1.example.com", {}) 
-    print "TOKEN_ALICE: " + fbtok
+    print("export TOKEN_ALICE=" + fbtok)
 
 
     fbtok = getToken("bob", "https://svc2.example.com", {'groups': ['group1','group2']}) 
-    print "TOKEN_BOB: " + fbtok
+    print("export TOKEN_BOB=" + fbtok)
 
     fbtok = getToken("bob", "https://svc2.example.com", {}) 
-    print "TOKEN_BOB NO GROUPS: " + fbtok
+    print("export TOKEN_BOB NO GROUPS=" + fbtok)
 
 
     #verifyToken(fbtok, "https://foo.bar")

fe-v1-wasm-inject.yaml

@@ -9,7 +9,7 @@ spec:
     match:
       context: SIDECAR_INBOUND
       proxy:
-        proxyVersion: '1\.7.*'      
+        proxyVersion: '1\.9.*'      
       listener:
         filterChain:
           filter:

istio-fev1-httpfilter-lua.yaml

@@ -9,7 +9,7 @@ spec:
     match:
       context: SIDECAR_INBOUND
       proxy:
-        proxyVersion: '1\.7.*'      
+        proxyVersion: '1\.9.*'      
       listener:
         filterChain:
           filter:

istio-route-version-fev1-bev1v2.yaml

@@ -83,4 +83,4 @@ spec:
   - name: v2
     labels:
       version: v2
----
+---