I’ve started configuring external auth with Envoy on Connect following this doc. I also have ACLs/intentions enabled in my cluster.
I’m at a point where I make the request across the Connect service mesh, and I see Envoy asking the OPA agent if it’s okay.
I’ve applied a very simple OPA policy that just does an allow all.
What I’m seeing, however, is that the mesh communication is abiding by the intentions set, not what the OPA policy says. If there is no intention (server is configured default deny for ACLs), my request is met with “RBAC: Access Denied”; if an intention is added in Consul, it works.
It seems like Consul intentions are taking precedence over the OPA policy.
Is anyone using external auth with Envoy in this way successfully?
I’m testing on Consul 1.17.3.