update istio envoy tutorial to use AuthorizationPolicy

Signed-off-by: tjons <[email protected]>

Author: tjons

docs/content/envoy-tutorial-istio.md

@@ -5,22 +5,23 @@ weight: 11
 ---
 
 [Istio](https://istio.io/latest/) is an open source service mesh for managing the different microservices that make
-up a cloud-native application. Istio provides a mechanism to customize the Envoy configuration generated by Istio Pilot
-using [EnvoyFilter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/).
+up a cloud-native application. Istio provides a mechanism to use a service as an external authorizer with the 
+[AuthorizationPolicy API](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/).
 
-This tutorial shows how Istio's EnvoyFilter can be configured to include Envoy's [External Authorization
-filter](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter.html) to delegate
-authorization decisions to OPA.
+This tutorial shows how Istio's AuthorizationPolicy can be configured to delegate authorization decisions to OPA.
 
 ## Prerequisites
 
 This tutorial requires Kubernetes 1.20 or later. To run the tutorial locally ensure you start a cluster with Kubernetes
 version 1.20+, we recommend using [minikube](https://kubernetes.io/docs/getting-started-guides/minikube) or
 [KIND](https://kind.sigs.k8s.io/).
 
-The tutorial also requires Istio v1.8.0 or later. It assumes you have Istio deployed on top of Kubernetes.
+The tutorial also requires Istio v1.19.0 or later. It assumes you have Istio deployed on top of Kubernetes.
 See Istio's [Quick Start](https://istio.io/docs/setup/kubernetes/install/kubernetes/) page to get started.
 
+If you are using an earlier version of Istio (1.9+), you will have to customize the `AuthorizationPolicy` in the
+`quick_start.yaml` file to use the `security.istio.io/v1beta1` API version instead of `security.istio.io/v1`.
+
 ## Steps
 
 ### 1. Install OPA-Envoy
@@ -31,7 +32,9 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/opa-envoy-p
 
 The `quick_start.yaml` manifest defines the following resources:
 
-* External Authorization Filter to direct authorization checks to the OPA-Envoy sidecar. See `kubectl -n istio-system get envoyfilter ext-authz` for details.
+* AuthorizationPolicy to direct authorization checks to the OPA-Envoy sidecar. See `kubectl -n {$NAMESPACE} get authorizationpolicy ext-authz` for details.
+
+* ServiceEntry to allow Istio to find the OPA-Envoy sidecars. See `kubectl -n {$NAMESPACE} get serviceentry opa-ext-authz-grpc-local` for details.
 
 * Kubernetes namespace (`opa-istio`) for OPA-Envoy control plane components.
 
@@ -128,14 +131,32 @@ The `quick_start.yaml` manifest defines the following resources:
     > API](https://www.openpolicyagent.org/docs/latest/bundles/). ConfigMaps are
     > used in this tutorial for test purposes.
 
-### 2. Enable automatic injection of the Istio Proxy and OPA-Envoy sidecars in the namespace where the app will be deployed, e.g., `default`
+### 2. Configure the mesh to define the external authorizer
+
+Edit the mesh configmap with `kubectl edit configmap -n istio-system istio` and define the external provider:
+
+```yaml
+data:
+  mesh: |-
+    # Add the following lines to define the ServiceEntry previously created as an external authorizer:
+    extensionProviders:
+    - name: opa-ext-authz-grpc
+      envoyExtAuthzGrpc:
+        service: opa-ext-authz-grpc.local
+        port: "9191"
+```
+
+See [the Istio Docs for AuthorizationPolicy](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/#define-the-external-authorizer) for 
+more details.
+
+### 3. Enable automatic injection of the Istio Proxy and OPA-Envoy sidecars in the namespace where the app will be deployed, e.g., `default`
 
 ```bash
 kubectl label namespace default opa-istio-injection="enabled"
 kubectl label namespace default istio-injection="enabled"
 ```
 
-### 3. Deploy the BookInfo application and make it accessible outside the cluster
+### 4. Deploy the BookInfo application and make it accessible outside the cluster
 
 ```bash
 kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
@@ -145,7 +166,7 @@ kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bo
 kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml
 ```
 
-### 4. Set the `SERVICE_HOST` environment variable in your shell to the public IP/port of the Istio Ingress gateway
+### 5. Set the `SERVICE_HOST` environment variable in your shell to the public IP/port of the Istio Ingress gateway
 
 Run this command in a new terminal window to start a Minikube tunnel that sends traffic to your Istio Ingress Gateway:
 
@@ -171,7 +192,7 @@ export SERVICE_HOST=$(kubectl -n istio-system get service istio-ingressgateway -
 For other platforms see the [Istio documentation on determining ingress IP and ports.](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
 
 
-### 5. Exercise the OPA policy
+### 6. Exercise the OPA policy
 
 Check that **alice** can access `/productpage` **BUT NOT** `/api/v1/products`.