Route-level JWT policy
Learn how to set up JWT authentication and claim-based authorization for specific routes.
This feature is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
You can create a JWT policy that applies to specific routes with the RouteOption resource.
About
Review how the RouteOption and VirtualHostOption configurations interact with each other in the following table.
The scenarios correspond with the steps in this guide. Each builds upon the last, updating the resources to test different scenarios. For example, you might update the stage of a JWT policy in a VirtualHostOption, or create a RouteOption with a JWT policy for a different issuer and JWKS provider.
Scenario | RouteOption | VirtualHostOption | Behavior |
---|---|---|---|
1 - Protect all routes on the gateway | No JWT policy | JWT policy | All routes on the gateway require a JWT from the provider in the VirtualHostOption. |
2 - Protect a specific route | JWT policy | No JWT policy | Only the routes that are configured by the RouteOption require a JWT. |
3 - Revise same stage conflicts | JWT policy same stage | JWT policy same stage | For routes configured by the RouteOption, the RouteOption configuration overrides the VirtualHostOption configuration. These routes require only the JWT that meets the RouteOption JWT policy. JWTs that meet the VirtualHostOption do not work on these routes. Other routes on the gateway still require a JWT that meets the VirtualHostOption JWT policy. You cannot use a JWT with the provider from the RouteOption for the other routes on the gateway. |
4 - Set up separate stages | JWT policy different stage | JWT policy different stage | The routes that are configured by the RouteOption require two JWTs: one from the provider in the RouteOption, and one from the provider in the VirtualHostOption. Make sure to configure the token source to come from different headers so that requests can pass in both tokens. Note that if you also configure RBAC policies on both options, the RouteOption RBAC policy takes precedence because only one RBAC policy is supported per route. |
5 - Add validation policy | JWT policy different stage | JWT policy different stage with validation policy | Depending on the validation policy, the routes that are configured by the RouteOption require at least one JWT. When the validationPolicy field is set to ALLOW_MISSING or ALLOW_MISSING_OR_FAILED , the JWT can be for the provider that is configured in either the RouteOption or the VirtualHostOption. Note that if you set a permissive validation policy on both options, the route does not require any JWT authentication. Make sure to set up the validation policy according to your security requirements. |
6 - Delegated routes | Different JWT policies select delegated routes | N/A | For delegated routes, the JWT policies in the parent RouteOption override the child RouteOption when they differ. The same configuration interactions between the route-level RouteOption and the gateway-level VirtualHostOption apply, as described in the previous scenarios. |
1: All routes on gateway
Protect multiple routes that are configured on the gateway.
Complete the JWT policy at the gateway level guide. As part of this guide, you set up the following:
- If you haven’t already, install Gloo Gateway, a Gateway resource, and the httpbin sample app.
- Create a local JWKS and two sample tokens for Alice and Bob.
- Apply a JWT policy for all routes on the gateway with a VirtualHostOption.
- Set up claims-based RBAC with a RouteOption.
Update the HTTPRoute for the httpbin app to create two routes,
/get
and/status/200
.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: httpbin namespace: httpbin labels: example: httpbin-route spec: parentRefs: - name: http namespace: gloo-system hostnames: - "www.example.com" rules: - backendRefs: - name: httpbin port: 8000 matches: - path: type: PathPrefix value: /status/200 - backendRefs: - name: httpbin port: 8000 matches: - path: type: PathPrefix value: /get EOF
Send unauthenticated requests to both routes to verify that the JWT policy in the VirtualHostOption applies to all routes on the gateway.
Example output:
HTTP/1.1 401 Unauthorized www-authenticate: Bearer realm="http://www.example.com:8080/get" Jwt is missing ... HTTP/1.1 401 Unauthorized www-authenticate: Bearer realm="http://www.example.com:8080/status/200" Jwt is missing ...
2: Specific routes
Use a RouteOption to protect a specific route with a JWT policy.
Update the RouteOption from the previous scenario as follows.
- Configure the JWT policy by using the
jwtProvidersStaged
option, instead of thejwt
option. Thejwt
option does not support configuring a route-level JWT policy. - Set up a different provider than what is used in the VirtualHostOption.
- Remove the target reference to the HTTPRoute, which you update in the next step.
- To simplify for testing purposes, also remove the RBAC policy (although route-level JWT policies also support setting RBAC policies at the same time).
kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: jwt namespace: httpbin spec: options: jwtProvidersStaged: afterExtAuth: providers: selfminted: issuer: solo.io jwks: local: key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/ZO8Qhfj6kB5BxndHds x12rgJ2DyU0lvlbC4Ip1zTlULV/Fuy1uAqKbBRC9IyoFiYxuWTLbvpLv5SLnrIPy f4nvX4oHGdyFrcwvCtKvcgtttB363HWiG0PZwSwEn0yMa7s4Rhmy9/ZSYm+sMZQw 8wKv40pYnBuqRv1DpfvZLOXvICCkd5f03zv1HQXIfO3YjXOy58vOkajpzTmx4q2A UilrCJcR6tBMoAph5FiJxgRmdLziKx3QXukUSNWfrFVSL+D/BoQV+2TJDZjKfPgj DDMKeb2OsonQ0me3VSw2gkdnE9cyIklXcne/+oKEqineG8a12JSfEibf29iLiIXO gQIDAQAB -----END PUBLIC KEY----- EOF
- Configure the JWT policy by using the
Update the HTTPRoute to apply the RouteOption to only the
/get
route by using anExtensionRef
filter.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: httpbin namespace: httpbin labels: example: httpbin-route spec: parentRefs: - name: http namespace: gloo-system hostnames: - "www.example.com" rules: - backendRefs: - name: httpbin port: 8000 matches: - path: type: PathPrefix value: /status/200 - backendRefs: - name: httpbin port: 8000 matches: - path: type: PathPrefix value: /get filters: - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: jwt EOF
Send a request to the
/status/200
route with a JWT for the provider in the VirtualHostOption, such as Bob. The request succeeds because the JWT policy from the VirtualHostOption still applies.Example output:
< HTTP/1.1 200 OK ...
Repeat the previous request to the
/get
endpoint. Now, the request fails because you need a JWT from the provider in the RouteOption.Example output:
< HTTP/1.1 401 Unauthorized ... Jwt verification fails
Create an environment variable to save a JWT token for the user Carol. Carol’s JWT comes from the provider in the RouteOption. Optionally, you can review the token information by debugging the token in jwt.io.
export CAROL_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyAiaXNzIjogInNvbG8uaW8iLCAib3JnIjogInNvbG8uaW8iLCAic3ViIjogImNhcm9sIiwgInRlYW0iOiAiZmluYW5jZSIsICJsbG1zIjogeyAib3BlbmFpIjogWyAiZ3B0LTRvIiBdIH0gfQ.UdcOin9UrFdw_42eoypGsAi2eYE4Cr_oe0GYUPD6MePwr6TnWnny3cEQHFFRA9KdntjWBSPtZGKqNlOqg5Juf2-lt7NBLC3ly4esNEKrx_Ul5iKPxelKjNKzdOLdjITOa9FoZ9hZEn2lsn4MG-iftTXPeVn66-nWZryY0BE0Gt2fL1xvZe4Otbj598IY6Z5iPSxQ_fGNRe6f8boW31ePUgTiOthHs7OQv25-eiL8dl1BPBFYywFVGdiiSWrgd_hwRblMegJRhAiOZHRig1sK-NTKRKJpbLhukspM-CZaT1PJgjiOQb_1seeW7mvwUTlqDQA5FZKBCbhihb0TPfo6cw
Repeat the previous request to the
/get
endpoint, this time with Carol’s token. Now, the request succeeds.Example output:
< HTTP/1.1 200 OK ...
Still with Carol’s token, send a request to the
/status/200
endpoint. This time, the request fails because Carol’s token is not from the provider in the VirtualHostOption.Example output:
< HTTP/1.1 401 Unauthorized ... Jwt verification fails
Delete the VirtualHostOption.
kubectl delete VirtualHostOption jwt -n gloo-system
Repeat the request to the
/status/200
route with Carol’s token. Now, the request succeeds because the gateway no longer enforces a JWT policy on all its routes.Example output:
< HTTP/1.1 200 OK ...
3: Same stage conflicts
As you saw in the previous scenario, route-level JWT policies configured in the RouteOption use the jwtProvidersStaged
option to provide the JWT provider and server details. However, what happens if the gateway-level JWT policies in the VirtualHostOption are set at the same stage as the RouteOption, such as before or after external auth? In this case, the route-level JWT policy takes precedence.
Update the stage of the JWT policy on the RouteOption. Note that the token source is set to the
x-after-ext-auth-bearer-token
header instead of the defaultAuthorization
header. This way, you can pass in both tokens on requests to the/get
endpoint.kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: jwt namespace: httpbin spec: options: jwtProvidersStaged: afterExtAuth: providers: selfminted: tokenSource: headers: - header: x-after-ext-auth-bearer-token issuer: solo.io jwks: local: key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/ZO8Qhfj6kB5BxndHds x12rgJ2DyU0lvlbC4Ip1zTlULV/Fuy1uAqKbBRC9IyoFiYxuWTLbvpLv5SLnrIPy f4nvX4oHGdyFrcwvCtKvcgtttB363HWiG0PZwSwEn0yMa7s4Rhmy9/ZSYm+sMZQw 8wKv40pYnBuqRv1DpfvZLOXvICCkd5f03zv1HQXIfO3YjXOy58vOkajpzTmx4q2A UilrCJcR6tBMoAph5FiJxgRmdLziKx3QXukUSNWfrFVSL+D/BoQV+2TJDZjKfPgj DDMKeb2OsonQ0me3VSw2gkdnE9cyIklXcne/+oKEqineG8a12JSfEibf29iLiIXO gQIDAQAB -----END PUBLIC KEY----- EOF
Re-create the VirtualHostOption, this time with a
jwtStaged
option that is set to the same stage as the RouteOption.kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: VirtualHostOption metadata: name: jwt namespace: gloo-system spec: targetRefs: - group: gateway.networking.k8s.io kind: Gateway name: http namespace: gloo-system options: jwtStaged: afterExtAuth: providers: selfminted: issuer: solo.io jwks: local: key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAskFAGESgB22iOsGk/UgX BXTmMtd8R0vphvZ4RkXySOIra/vsg1UKay6aESBoZzeLX3MbBp5laQenjaYJ3U8P QLCcellbaiyUuE6+obPQVIa9GEJl37GQmZIMQj4y68KHZ4m2WbQVlZVIw/Uw52cw eGtitLMztiTnsve0xtgdUzV0TaynaQrRW7REF+PtLWitnvp9evweOrzHhQiPLcdm fxfxCbEJHa0LRyyYatCZETOeZgkOHlYSU0ziyMhHBqpDH1vzXrM573MQ5MtrKkWR T4ZQKuEe0Acyd2GhRg9ZAxNqs/gbb8bukDPXv4JnFLtWZ/7EooKbUC/QBKhQYAsK bQIDAQAB -----END PUBLIC KEY----- EOF
Repeat the request to the
/get
endpoint with Carol’s token. The request succeeds with only Carol’s token, because the RouteOption policy takes precedence and overwrites the VirtualHostOption configuration at the same stage.Example output:
< HTTP/1.1 200 OK ...
Send a request to the
/status/200
endpoint without a valid token for the gateway-level JWT policy. Even though the VirtualHostOption configures a gateway-level JWT policy, the request succeeds, because the RouteOption policy takes precedence.Example output:
< HTTP/1.1 200 OK ... Jwt is missing
4: Separate stages
Set up the RouteOption and VirtualHostOption to configure JWT policies at different stages before and after external auth. This way, the protected routes require both tokens.
Update the VirtualHostOption as follows:
- Use the
beforeExtAuth
stage in thejwtStage
option so that the stage is different than the stage that is configured in the RouteOption. - Add an RBAC policy to allow tokens from the
ops
team, which corresponds to Bob’s token.
kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: VirtualHostOption metadata: name: jwt namespace: gloo-system spec: targetRefs: - group: gateway.networking.k8s.io kind: Gateway name: http namespace: gloo-system options: jwtStaged: beforeExtAuth: providers: selfminted: issuer: solo.io jwks: local: key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAskFAGESgB22iOsGk/UgX BXTmMtd8R0vphvZ4RkXySOIra/vsg1UKay6aESBoZzeLX3MbBp5laQenjaYJ3U8P QLCcellbaiyUuE6+obPQVIa9GEJl37GQmZIMQj4y68KHZ4m2WbQVlZVIw/Uw52cw eGtitLMztiTnsve0xtgdUzV0TaynaQrRW7REF+PtLWitnvp9evweOrzHhQiPLcdm fxfxCbEJHa0LRyyYatCZETOeZgkOHlYSU0ziyMhHBqpDH1vzXrM573MQ5MtrKkWR T4ZQKuEe0Acyd2GhRg9ZAxNqs/gbb8bukDPXv4JnFLtWZ/7EooKbUC/QBKhQYAsK bQIDAQAB -----END PUBLIC KEY----- rbac: policies: viewer: nestedClaimDelimiter: . principals: - jwtPrincipal: claims: team: ops EOF
- Use the
Update the RouteOption to include an RBAC policy that allows tokens from the
finance
team, which corresponds to Carol’s token. In cases where multiple RBAC policies apply to a route, the RouteOption takes precedence.kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: jwt namespace: httpbin spec: options: jwtProvidersStaged: afterExtAuth: providers: selfminted: issuer: solo.io tokenSource: headers: - header: x-after-ext-auth-bearer-token jwks: local: key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/ZO8Qhfj6kB5BxndHds x12rgJ2DyU0lvlbC4Ip1zTlULV/Fuy1uAqKbBRC9IyoFiYxuWTLbvpLv5SLnrIPy f4nvX4oHGdyFrcwvCtKvcgtttB363HWiG0PZwSwEn0yMa7s4Rhmy9/ZSYm+sMZQw 8wKv40pYnBuqRv1DpfvZLOXvICCkd5f03zv1HQXIfO3YjXOy58vOkajpzTmx4q2A UilrCJcR6tBMoAph5FiJxgRmdLziKx3QXukUSNWfrFVSL+D/BoQV+2TJDZjKfPgj DDMKeb2OsonQ0me3VSw2gkdnE9cyIklXcne/+oKEqineG8a12JSfEibf29iLiIXO gQIDAQAB -----END PUBLIC KEY----- rbac: policies: viewer: nestedClaimDelimiter: . principals: - jwtPrincipal: claims: team: finance EOF
Send a request to the
/get
endpoint with Carol’s token. The request fails even though Carol’s token is valid and meets the route-level RBAC policy. Instead, you need both tokens as required by the different JWT stages of the RouteOption and VirtualHostOption.Example output:
< HTTP/1.1 401 Unauthorized ... Jwt is missing
Repeat the request to the
/get
endpoint with both Bob and Carol’s tokens. Now, the request succeeds. Both tokens are required to pass the JWT policy at the different stages. The claims from Carol’s token passes the RBAC policy.Example output:
< HTTP/1.1 200 OK ...
5: Validation policy
In the previous scenario, you protected a route by requiring JWT authentication at two stages of a request, before and after external auth. To do so, you configured separate JWT policies at the route and gateway layers with RouteOption and VirtualHostOption resources. But what if you want to enforce just one layer of JWT policy, without being picky about which JWT is used?
You can achieve that by setting up a validation policy. The validation policy has several options as follows. For more details, see the API reference docs.
REQUIRE_VALID
: The default value, which allows only requests that have a valid JWT.ALLOW_MISSING
: Let requests succeed when a JWT is missing. However, if an invalid JWT is provided, such as in an incorrect header or an expired token, the request fails.ALLOW_MISSING_OR_FAILED
: Let requests succeed even when a JWT is missing or fails verification, such as an expired JWT.
Verify that your current setup expects two JWT tokens by sending a request to the
/get
endpoint with Carol’s token. The request fails even though Carol’s token is valid and meets the route-level JWT policy. Instead, you need both tokens as required by the different JWT stages of the RouteOption and VirtualHostOption.Example output:
< HTTP/1.1 401 Unauthorized ... Jwt is missing
Update the VirtualHostOption to add a validation policy that allows for a missing token. This way, you only have to include the RouteOption JWT on the
/get
endpoint.kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: VirtualHostOption metadata: name: jwt namespace: gloo-system spec: targetRefs: - group: gateway.networking.k8s.io kind: Gateway name: http namespace: gloo-system options: jwtStaged: beforeExtAuth: validationPolicy: ALLOW_MISSING providers: selfminted: issuer: solo.io jwks: local: key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAskFAGESgB22iOsGk/UgX BXTmMtd8R0vphvZ4RkXySOIra/vsg1UKay6aESBoZzeLX3MbBp5laQenjaYJ3U8P QLCcellbaiyUuE6+obPQVIa9GEJl37GQmZIMQj4y68KHZ4m2WbQVlZVIw/Uw52cw eGtitLMztiTnsve0xtgdUzV0TaynaQrRW7REF+PtLWitnvp9evweOrzHhQiPLcdm fxfxCbEJHa0LRyyYatCZETOeZgkOHlYSU0ziyMhHBqpDH1vzXrM573MQ5MtrKkWR T4ZQKuEe0Acyd2GhRg9ZAxNqs/gbb8bukDPXv4JnFLtWZ/7EooKbUC/QBKhQYAsK bQIDAQAB -----END PUBLIC KEY----- EOF
Repeat the request to the
/get
endpoint with Carol’s token. Now, the request succeeds, even without Bob’s token. The validation policy at the VirtualHostOption allows the JWT to be missing on requests.Example output:
< HTTP/1.1 200 OK ...
6: Delegated routes
In a delegation scenario, the JWT policy of parent routes take precedence over child routes.
Note that this example focuses on setting up delegation with HTTPRoutes that have different RouteOption configurations. The example does not discuss gateway-level policies that are set by the VirtualHostOption. The same configuration interactions between the route-level RouteOption and the gateway-level VirtualHostOption as described in the previous scenarios still apply. For example, route-level JWT policies at the same stage as gateway-level JWT policies take precedence.
Update the
httpbin
HTTPRoute to delegate the/get
route to anhttpbin-child
child HTTPRoute. Leave thejwt
RouteOption configuration on the/get
route to keep the original route-level JWT policy.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: httpbin namespace: httpbin labels: example: httpbin-route spec: parentRefs: - name: http namespace: gloo-system hostnames: - "www.example.com" rules: - backendRefs: - name: httpbin port: 8000 matches: - path: type: PathPrefix value: /status/200 - matches: - path: type: PathPrefix value: /get backendRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: httpbin-child namespace: httpbin filters: - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: jwt EOF
Create the child route with an
ExtensionRef
that selects a differentjwt-child
RouteOption.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: httpbin-child namespace: httpbin labels: example: httpbin-route spec: rules: - backendRefs: - name: httpbin port: 8000 matches: - path: type: PathPrefix value: /get filters: - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: jwt-child EOF
Create the
jwt-child
RouteOption with a different JWT configuration than the parent. This JWKS has a differentdocs.xyz
issuer than thesolo.io
issuer that the parent route’s separate RouteOption resource configured.kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: jwt-child namespace: httpbin spec: options: jwtProvidersStaged: afterExtAuth: providers: selfminted: issuer: docs.xyz jwks: local: key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo 4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u +qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ 0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc mwIDAQAB -----END PUBLIC KEY----- EOF
Send a request to the
/get
child route with Carol’s token. The request succeeds, because Carol’s token is from thesolo.io
issuer as required by the JWT policy of the parent route, not thedocs.xyz
issuer of the child route.Example output:
< HTTP/1.1 200 OK ...
Create an environment variable to save a JWT token for the user Dan. Dan’s JWT comes from the
docs.xyz
provider in thejwt-child
RouteOption. Optionally, you can review the token information by debugging the token in jwt.io.export DAN_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmciOiJkb2NzLnh5eiIsInN1YiI6ImRhbiIsInRlYW0iOiJvcHMiLCJpc3N1ZXIiOiJkb2NzLnh5eiIsImxsbXMiOnsiY2xhdWRlIjpbIjMuNS1zb25uZXQiXX19.fg5uMTz8dGDaIAHjKUiw2kswAiI7XT6oOWDMYTTT0BqdcFugEPDHlyLbmKoMLOGRzU_3PguY-G_NbuuooGBiLAVi4-eMv1CeZmpH68EoJy25MHSlLLHNJpgkTEwZfTISyRewgKbQYUESf20iIFwbZol-zgG_YgkO3PDTSyHmlubVUOuZCpNJgeloQO3NctxjpyC0ubBErthrES09jkS12qXWLfJI-G6TuiajZ-hLr9205_EMd4OUb6NsAORJe3TEPJuDRsgWmfScOLzruRdk_8wk32IlHBF88EmEedOmaWdyc6Rxtk-_QxUl-K4zLtg5djlGiAjv_6rP1tU-ewNDpA
Send a request to the
/get
child route with Dan’s token. The request fails, because the child policy is overwritten by the parent route, which requires a token from thesolo.io
issuer, not thedocs.xyz
issuer.Example output:
< HTTP/1.1 401 Unauthorized Jwt issuer is not configured ...
Next steps
Good job on testing so many JWT scenarios.
Next, try out an example that uses an IAM provider, such as Auth0, instead of an inline JWKS.
Cleanup
You can optionally remove the resources that you set up as part of this guide.Update the httpbin HTTPRoute resource to restore the original routing rules from the getting started guide.
kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: httpbin namespace: httpbin labels: example: httpbin-route spec: parentRefs: - name: http namespace: gloo-system hostnames: - "www.example.com" rules: - backendRefs: - name: httpbin port: 8000 EOF
Delete the resources that you created in this guide.
kubectl delete RouteOption jwt -n httpbin kubectl delete VirtualHostOption jwt -n gloo-system kubectl delete RouteOption jwt-child -n httpbin kubectl delete HTTPRoute httpbin-child -n httpbin