Question: how to deploy to istio and config #3

Open
WestFarmer opened this issue Dec 20, 2022 · 3 comments
WestFarmer commented Dec 20, 2022

Hi, I am looking for an OAuth BFF for an SPA.
The first thing I found was oauth2-proxy, but it will add extra network paths.
I am excited to find this one, but the docs are really lacking.

What I have already tried is deploying this filter to Istio like this:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: openid-connect
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: http://x.x.x.x:8081/repository/raw-hosted/wasmhub/authn/0.1/filter.wasm
  sha256: 409b3c7b0276846d22c2e1ffd38e2a19adeb80c26a79dba9afaaa35e03f41205
  phase: AUTHN
  pluginConfig:
    auth_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/auth
    token_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/token
    client_id: istio
    client_secret: dfmXh2EHOdaYZLHtMbuy3rAqHsd9mETP

but got this error:

2022-12-20T08:30:04.126928Z error envoy wasm wasm log: ERROR parsing config during initialization = missing field `auth_cluster` at line 1 column 250
2022-12-20T08:30:04.126998Z error envoy wasm Wasm VM failed Failed to configure base Wasm plugin
2022-12-20T08:30:04.130289Z critical envoy wasm Plugin configured to fail closed failed to load
@WestFarmer WestFarmer changed the title Questiion: how to deploy to istio and config Question: how to deploy to istio and config Dec 20, 2022

WestFarmer commented Dec 21, 2022

my config:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: openid-connect
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: http://172.25.128.67:8081/repository/raw-hosted/wasmhub/authn/0.4/authn_filter.wasm
  sha256: efae8407e6a7e1d2d2cc29a2c2f6bff44145117ebc26733a9f4684a61ee35e07
  phase: AUTHN
  pluginConfig:
    auth_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/auth
    token_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/token
    client_id: istio
    client_secret: dfmXh2EHOdaYZLHtMbuy3rAqHsd9mETP
    auth_cluster: outbound|8080||keycloak.devops.svc.cluster.local
    issuer: https://keycloak.xxx.com/realms/centauri

log:

2022-12-21T06:59:08.046922Z     error   envoy wasm      wasm log: HTTP request to cluster=outbound|8080||keycloak.devops.svc.cluster.local  request=HttpRequest { url: Url { scheme: "https", username: "", password: None, host: Some(Domain("keycloak.bgzchina.com")), port: None, path: "/realms/.well-known/openid-configuration", query: None, fragment: None }, headers: [("accept", "application/json"), (":method", "GET"), (":path", "/realms/.well-known/openid-configuration"), (":authority", "keycloak.bgzchina.com")], body: [] }

Don't know why the realm name gets ignored?


WestFarmer commented Dec 21, 2022

my config:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: openid-connect
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: http://x.x.x.x:8081/repository/raw-hosted/wasmhub/authn/0.4/authn_filter.wasm
  sha256: efae8407e6a7e1d2d2cc29a2c2f6bff44145117ebc26733a9f4684a61ee35e07
  phase: AUTHN
  pluginConfig:
    auth_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/auth
    token_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/token
    client_id: istio
    client_secret: dfmXh2EHOdaYZLHtMbuy3rAqHsd9mETP
    auth_cluster: outbound|8080||keycloak.devops.svc.cluster.local
    issuer: https://keycloak.xxx.com/realms/centauri

log:

2022-12-21T06:59:08.046922Z     error   envoy wasm      wasm log: HTTP request to cluster=outbound|8080||keycloak.devops.svc.cluster.local  request=HttpRequest { url: Url { scheme: "https", username: "", password: None, host: Some(Domain("keycloak.bgzchina.com")), port: None, path: "/realms/.well-known/openid-configuration", query: None, fragment: None }, headers: [("accept", "application/json"), (":method", "GET"), (":path", "/realms/.well-known/openid-configuration"), (":authority", "keycloak.bgzchina.com")], body: [] }

Don't know why the realm name gets ignored?
Change:

issuer: https://keycloak.xxx.com/realms/centauri

to

issuer: https://keycloak.xxx.com/realms/centauri/

This fixed it, but I don't know why; I don't know Rust.
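
The trailing-slash behaviour reported above matches RFC 3986 relative-reference resolution, where the last path segment of a base URL that does not end in `/` is replaced rather than extended. The following is an added example, not part of the comment or the project's code: it assumes the filter resolves `.well-known/openid-configuration` against `issuer`, and uses Python's `urljoin`, which applies the same rule, to check an issuer value before deployment.

```python
from urllib.parse import urljoin, urlsplit

# Relative reference inferred from the ":path" in the logged request (assumption).
DISCOVERY_REF = ".well-known/openid-configuration"

def discovery_url(issuer):
    """Resolve the discovery document against the issuer (RFC 3986, section 5.2)."""
    return urljoin(issuer, DISCOVERY_REF)

def dropped_segment(issuer):
    """Return the issuer path segment that resolution discards, or None."""
    path = urlsplit(issuer).path
    if path == "" or path.endswith("/"):
        return None  # nothing after the last "/" to replace
    return path.rsplit("/", 1)[-1]

def check_issuer(issuer, logged_path=None):
    """Return findings for an issuer value; optionally compare with a logged :path."""
    findings = []
    resolved = discovery_url(issuer)
    lost = dropped_segment(issuer)
    if lost is not None:
        findings.append(f"issuer has no trailing '/': {lost!r} is replaced, "
                        f"discovery request goes to {resolved}")
    if logged_path is not None and urlsplit(resolved).path != logged_path:
        findings.append(f"logged path {logged_path} does not match {resolved}")
    return findings

# Values taken from the comments above (the host is the page's redacted one).
WITHOUT_SLASH = "https://keycloak.xxx.com/realms/centauri"
WITH_SLASH = "https://keycloak.xxx.com/realms/centauri/"
LOGGED_PATH = "/realms/.well-known/openid-configuration"

if __name__ == "__main__":
    for issuer in (WITHOUT_SLASH, WITH_SLASH):
        print(issuer, "->", discovery_url(issuer))
        for finding in check_issuer(issuer):
            print("  finding:", finding)
```

With the slash-less issuer the resolved path equals the `:path` in the log, so the only finding is the missing trailing slash.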


WestFarmer commented Dec 28, 2022

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: openid-connect
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: http://x.x.x.x:8081/repository/raw-hosted/wasmhub/authn/0.8/authn_filter.wasm
  sha256: 3f75ca25e99dc28ba5aa70b577de2b89dcd2c5a0dce41d9f32c6752d6bfa8a0f
  phase: AUTHN
  pluginConfig:
    auth_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/auth
    token_url: https://keycloak.xxx.com/realms/centauri/protocol/openid-connect/token
    client_id: istio
    client_secret: dfmXh2EHOdaYZLHtMbuy3rAqHsd9mETP
    auth_cluster: outbound|8080||keycloak.devops.svc.cluster.local
    issuer: https://keycloak.xxx.com/realms/centauri/
    redirect_uri: http://apis.xxx.com/callback

This leads to:

2022-12-28T01:48:29.695252Z     error   envoy wasm      wasm log istio-system.openid-connect: {
  "status": 500,
  "body": "No session for this request"
}
