Introduction to stable Istio-based APIRule v2 #322
Comments
This issue or PR has been automatically marked as stale due to the lack of recent activity. This bot triages issues and PRs according to the following rules:
You can:
If you think that I work incorrectly, kindly raise an issue with the problem. /lifecycle stale
This issue or PR has been automatically closed due to the lack of activity. This bot triages issues and PRs according to the following rules:
You can:
If you think that I work incorrectly, kindly raise an issue with the problem. /close
@kyma-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
At this moment we are focusing on the introduction of APIRule v1beta2; progress can be tracked in #939.
We have stabilised the first version of APIRule. ATM we are working on renaming, which can be tracked in #1088.
We are closing the scope for the first version of APIRule with no auth and jwt handlers, with support for zero-downtime migration.
Happy to announce that we just released API Gateway 2.4.0, which introduces the first version of APIRule v2alpha1. This version contains noAuth and jwt handlers purely based on Istio. The next releases will introduce support for mutators and extAuth. Stay tuned!
APIRule v1beta1 has been deprecated and scheduled for deletion. Read more in the release notes: https://github.com/kyma-project/api-gateway/releases/tag/2.7.0, the deprecation note: https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?q=API+Gateway+module:+Deprecation+of+APIRule+v1beta1&locale=en-US&Software_Lifecycle=Deprecated and the deletion note: https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?locale=en-US&Component=Kyma+Runtime&Valid_as_Of=2025-05-12:2025-05-12
API Gateway 2.8.0, introducing a UI supporting APIRule v2alpha1 in the Kyma dashboard, was rolled out to the fast channel on 29.10 and is scheduled to be promoted to the regular channel on 12.11 for the managed Kyma offering. This closed the first big milestone in the journey to stable APIRule v2.
Description
Provide a stable version of the APIRule CRD based on Istio. It should include a reworked JWT handler based on Istio RequestAuthentication and AuthorizationPolicy CRs and reworked OAuth2 flows based on an Istio extension provider and the oauth2proxy component. The introduced API won't be fully backward compatible.
Early adopters
To accommodate customers in making that shift, a feature toggle will first be introduced to allow early adopters to test. Documentation will be provided describing the CRD and incompatibilities. OS back and internal backlog should be used to report feedback. The team will provide support on a best-effort basis.
Introducing v2alpha1
To simplify quick adoption and the shift in the v1 direction, v1beta2 will be introduced. The API design should be promoted to v2 without significant changes, allowing users to start migrating and getting familiar with the changes.
Introducing v2
For a reasonable amount of time, both versions of the APIRule CRD will be available to make the transition smoother. The tutorial will showcase the v2 version, but the previous version will also be available. A migration script will be provided for upgrades.
Tasks
Reasons
Provide a stable API for workload exposure based on Istio. Introduce a reliable and simple way for users to expose and secure their workloads. Unify all handlers by utilising Istio features. Reduce unnecessary hops by eliminating ORY Oathkeeper and pushing responsibilities to Istio itself. Promote good security practices that are easily utilised by using the APIRule CR.
Attachments
https://istio.io/latest/docs/reference/config/security/request_authentication/
https://istio.io/latest/docs/reference/config/security/authorization-policy
https://istio.io/latest/docs/tasks/security/authorization/authz-custom/
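
An added illustration, not part of the issue or the project's code, of the Istio resource pair the description names for the reworked JWT handler. RequestAuthentication only validates tokens that are present, so the AuthorizationPolicy requiring a request principal is what rejects calls without a token; the names, namespace, labels, issuer, JWKS URL and path are constructed placeholders, and how APIRule generates such resources is not shown here.

```yaml
# Constructed example: every name, label, URL and path below is a placeholder.
# 1) RequestAuthentication: tells the sidecar which issuer and keys to accept.
#    A request carrying an invalid token is rejected; a request with NO token
#    still passes this resource and must be stopped by the policy below.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
    - issuer: "https://issuer.example.com"
      jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# 2) AuthorizationPolicy: once an ALLOW policy selects the workload, anything
#    that matches no rule is denied. Requiring a request principal
#    ("<issuer>/<subject>") means only requests with a validated JWT from the
#    issuer above are let through to the listed method and path.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-require-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["https://issuer.example.com/*"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/headers"]
```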