HTTP
Authenticate requests with your own HTTP server.
Before you begin
Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Create an HTTP auth server
Deploy the HTTP auth server.
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: extauth-httpservice
  namespace: httpbin
spec:
  selector:
    matchLabels:
      app: http-extauth
  replicas: 1
  template:
    metadata:
      labels:
        app: http-extauth
    spec:
      containers:
      - name: http-extauth
        image: gcr.io/solo-public/passthrough-http-service-example
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9001
---
apiVersion: v1
kind: Service
metadata:
  name: example-http-auth-service
  namespace: httpbin
  labels:
    app: http-extauth
spec:
  ports:
  - port: 9001
    protocol: TCP
  selector:
    app: http-extauth
EOF
Verify that the HTTP auth server is up and running.
kubectl get pods -n httpbin
Set up external auth
Create an AuthConfig resource and add your external authentication rules.
kubectl apply -f- <<EOF
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: passthrough-auth
  namespace: httpbin
spec:
  configs:
  - passThroughAuth:
      http:
        url: http://example-http-auth-service.httpbin.svc.cluster.local:9001/auth
        connectionTimeout: 3s
        request:
          allowedHeaders:
          - authorization
        tlsConfig: {}
EOF
Review the following table to understand this configuration.
| Setting | Description |
| --- | --- |
| url | The URL of the HTTP auth server to use for authentication. The example server that you previously set up expects requests along the auth path. |
| connectionTimeout | The connection timeout to the HTTP auth server. |
| request.allowedHeaders | The headers that are allowed to be passed through to the HTTP auth server. The example server that you previously set up expects an authorization: authorize me header. |
| tlsConfig | Use simple TLS when connecting to the passthrough server. You can also configure the passthrough server for mutual TLS. For more information, see the API reference. |

Create a RouteOption resource and reference the AuthConfig resource that you just created.
kubectl apply -f- <<EOF
apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: passthrough-auth
  namespace: httpbin
spec:
  options:
    extauth:
      configRef:
        name: passthrough-auth
        namespace: httpbin
EOF
Create an HTTPRoute resource for the httpbin app that requires authentication for requests on the extauth.example domain.
kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-passthrough-auth
  namespace: httpbin
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  hostnames:
  - extauth.example
  rules:
  - filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.solo.io
        kind: RouteOption
        name: passthrough-auth
    backendRefs:
    - name: httpbin
      port: 8000
EOF
Send a request to the httpbin app on the extauth.example domain. Verify that your request is denied and that you get back a 401 HTTP response code.
Example output:
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< www-authenticate: Basic realm="gloo"
< date: Fri, 19 Apr 2024 17:41:01 GMT
< server: envoy
< content-length: 0
Send another request to the httpbin app. This time, you include the authorization: authorize me header that the example server expects. Verify that the request succeeds and that you get back a 200 HTTP response code.
Example output:
...
> GET /status/200 HTTP/1.1
> Host: extauth.example
> User-Agent: curl/8.7.1
> Accept: */*
> authorization: authorize me
>
* Request completely sent off
< HTTP/1.1 200 OK
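The same check seen from the auth server's side, as an added example in Go (not the source of the passthrough-http-service-example image): it answers 200 on the /auth path only when the forwarded authorization header is authorize me. The 401 deny status, the function names, and the assumption that the gateway treats any non-200 reply as a denial are this example's own.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"time"
)

// expectedCredential is the header value the page's sample server expects.
// A real server would validate a token or session instead of a fixed string.
const expectedCredential = "authorize me"

// authHandler decides each passthrough check. Assumption: the gateway treats
// a 200 response as "allow" and any other status as "deny".
func authHandler(w http.ResponseWriter, r *http.Request) {
	// Only headers listed in request.allowedHeaders reach this server, so the
	// decision rests on the authorization header alone. Deny by default.
	got := r.Header.Get("Authorization")
	if subtle.ConstantTimeCompare([]byte(got), []byte(expectedCredential)) != 1 {
		// Log the denial without echoing the presented credential.
		log.Printf("denied auth check from %s", r.RemoteAddr)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// newAuthMux serves only the /auth path named in the AuthConfig url. Any
// other path gets the mux's default 404, which is also not a 200.
func newAuthMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth", authHandler)
	return mux
}

func main() {
	srv := &http.Server{
		Addr:              ":9001", // containerPort from the Deployment
		Handler:           newAuthMux(),
		ReadHeaderTimeout: 3 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}
```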
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete authconfig passthrough-auth -n httpbin
kubectl delete routeoption passthrough-auth -n httpbin
kubectl delete httproute httpbin-passthrough-auth -n httpbin