External auth service

With the external auth service, you can protect your APIs by enforcing auth. For more information, see External authentication and authorization.

  1. Check that the pod is running. Note that your add-ons might exist in the gloo-mesh-addons namespace instead.

      kubectl get po -n gloo-mesh -l app=ext-auth-service
      
  2. Make sure that you created all of the external auth-related custom resources, such as server and policy configs.

      kubectl get extauthpolicies,extauthserver -A
      
  3. Check that the AuthConfig internal custom resource is created and in an Accepted state.

      kubectl get authconfigs -A
      
  4. To get detailed logs for the external auth service, change the log level to DEBUG.

    1. Edit the external auth service.
        kubectl get deploy -n gloo-mesh ext-auth-service -o yaml > ext-auth.yaml
        
    2. In the spec.container.env section, find the LOG_LEVEL environment variable and set it to DEBUG.
        ...
      spec:
        containers:
        - env:
          - name: LOG_LEVEL
            value: DEBUG
        
    3. Apply the updated configuration.
        kubectl apply -f ext-auth.yaml
        
    4. Make sure that the external auth service pod restarts.
        kubectl get po -n gloo-mesh -l app=ext-auth-service
        
    5. Optional: To generate fresh logs, send a request to a service that is protected by an external auth policy.
  5. Check the logs of the Gloo external auth server in your workload cluster.

      kubectl logs -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}')
      

    Optionally, you can format the output with jq or save it in a local file so that you can read and analyze the output more easily.

      kubectl logs -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}') > ext-auth-service.json
      
  6. If you enabled the OPA server sidecar, check that the OPA server is healthy. If the OPA server is not healthy, try the OPA troubleshooting docs. Common errors include misconfiguration such as the wrong credentials to download a bundle. Note the following example command pipes the output to jq for readability.

      kubectl logs -n gloo-mesh deploy/ext-auth-service -c opa-auth | jq
      

Rate limiter

With the rate limiter, you can protect your APIs by enforcing limits on the number of requests within a certain timeframe, such as 100 requests per minute. For more information, see Rate limiting.

  1. Check that the pod is running. Note that your add-ons might exist in the gloo-mesh-addons namespace instead.
      kubectl get po -n gloo-mesh -l app=rate-limiter
      
  2. Make sure that you created all of the rate limiting-related custom resources, such as server and client configs.
      kubectl get ratelimitserverconfigs,RatelimitConfigs,ratelimitserversettings,ratelimitclientconfigs,ratelimitpolicies -A
      
  3. Check the logs of the Gloo rate limiter in your workload cluster. To view logs recorded since a relative duration such as 5s, 2m, or 3h, you can specify the --since <duration> flag.
      meshctl logs rate-limiter -l error [--since DURATION]
      
    Optionally, you can format the output with jq or save it in a local file so that you can read and analyze the output more easily.
      meshctl logs rate-limiter -l error > rate-limiter-logs.json