Review how the Gloo external authentication server backs up data and your setup options to make the backing database more resilient.
For more information about the feature, see External authentication and authorization.
## What data gets stored

The external auth server stores the following data in the backing database. For an example of how to check the data that gets stored, see Review data in Redis.

- API keys that end users can use to authenticate to destinations and routes that are protected by an external auth policy that the external auth server enforces.

## Backing storage options

Review the following options for setting up backing storage.
| Option | Use case | Benefits | Drawbacks |
| --- | --- | --- | --- |
| Default (no backing storage) | Local testing in single clusters | Complete control of where data is stored<br>Fast read/write speed as the database is local to the management server<br>Updatable via Gloo Platform Helm chart | Data is not stored anywhere by default<br>If you also use the Portal server, you cannot apply external auth policies until you configure backing storage<br>Manual creation, error-prone<br>Not scalable, highly available, or recoverable |
| Built-in local Redis | Proof of concept and staging environments in single clusters | The Redis instance is deployed for you as part of the default installation<br>Fast read/write speed as the database is local to the management server<br>Updatable via Gloo Platform Helm chart<br>Redis GUI- and CLI-based tools help you monitor data | Only as highly available as your cluster setup<br>Has the same disaster recovery as your cluster setup<br>Might not meet your organization's compliance requirements |
| Bring your own Redis | Production-level, multicluster environments | Enhanced high availability and disaster recovery (HA/DR)<br>Service level agreement (SLA) from your provider<br>Meet your organization's compliance requirements<br>Redis GUI- and CLI-based tools help you monitor data | More complicated setup<br>Not covered by Solo support (contact your external Redis provider) |
## Default (no backing storage)

By default, no backing storage is configured for the external auth server. For testing purposes, you can manually create backing storage, such as saving an API key's details in a Kubernetes secret (for example steps, see Require API key external auth for Gloo Portal). Otherwise, set up one of the backing storage options.
## Built-in local Redis

When you install Gloo Mesh Enterprise, a local Redis instance `redis` is set up in the `gloo-mesh` namespace of the workload cluster. The rate limiting server automatically reads and writes to this Redis instance. However, you must manually configure the Gloo external auth server to read from and write data to this Redis instance.

> Info: Using a local Redis instance is not a recommended practice for production. To achieve higher availability, disaster recovery, and other security features, bring your own Redis instance instead.

1. Include the same local Redis settings for the external auth and portal servers when you install or upgrade Gloo Mesh Enterprise. Review the following table to understand the settings. For more information, check the Helm reference.

| Ext auth setting | Description |
| --- | --- |
| `extAuthService.extAuth.apiKeyStorage.name` | Use Redis as the backing storage for API keys. |
| `extAuthService.extAuth.apiKeyStorage.secretKey` | Replace with a random string to use to generate hash values for other keys. |
| `extAuthService.extAuth.apiKeyStorage.config.connection.host` | The host that the Redis instance is available on, set to the local `redis` service in the `gloo-mesh` namespace: `redis.gloo-mesh:6379`. |
| `extAuthService.extAuth.apiKeyStorage.config.connection.db` | The Redis database to use. The default value is `0`. |
**Helm command**
```sh
helm upgrade --install gloo-agent-addons gloo-platform/gloo-platform \
  --namespace gloo-mesh \
  --create-namespace \
  --version $GLOO_VERSION \
  --set common.cluster=$CLUSTER_NAME \
  --set extAuthService.enabled=true \
  --set rateLimiter.enabled=true \
  --set extAuthService.extAuth.apiKeyStorage.name=redis \
  --set extAuthService.extAuth.apiKeyStorage.config.connection.host="redis.gloo-mesh:6379" \
  --set extAuthService.extAuth.apiKeyStorage.config.connection.db=0 \
  --set extAuthService.extAuth.apiKeyStorage.secretKey="ThisIsSecret"
```
**Helm values file**

If you use a Helm values file, make sure that the following settings are enabled.
```yaml
extAuthService:
  enabled: true
  extAuth:
    apiKeyStorage:
      # Use the local gloo-mesh Redis for backing storage
      name: redis
      config:
        connection:
          host: "redis.gloo-mesh:6379"
          # Set to 0 to match the default database for the 'glooPortalServer.apiKeyStorage' configuration
          db: 0
      # Replace with a random string to use to generate hash values for other keys
      secretKey: "ThisIsSecret"
```
2. Continue with the [Install](/gloo-mesh-enterprise/main//setup/install/enterprise_installation/) or [Upgrade guides](/gloo-mesh-enterprise/main//setup/upgrade/) for more instructions to finish your installation or upgrade.
## Bring your own Redis

Instead of using the built-in local Redis instance, you can achieve higher availability, disaster recovery, and enhanced control and security by bringing your own Redis cluster. Unlike for the Gloo management server or UI, do not install a local instance of Redis. Instead, create an instance outside your cluster environment, such as Redis Enterprise or a cloud provider service like AWS ElastiCache. Then, include the settings for your external Redis instance when you install or upgrade your Gloo Helm chart. This way, you can support multicluster use cases that use the same external Redis for the API keys shared by the Gloo external auth and portal servers.

> Info: Using a Redis or AWS ElastiCache instance in cluster mode is currently not supported.
When you bring your own Redis cluster, you can also customize the following aspects:

- Authentication: To authenticate with your Redis instance, you can configure Gloo Mesh to use a username and password when connecting to Redis. Depending on your Redis provider, you might only need to specify a password to authenticate with Redis. You store these credentials in a Kubernetes secret in the same namespace as the external auth server deployment.

> Info: Keep in mind that your external Redis database usually must be in the same cloud provider as your Gloo cluster, such as AWS ElastiCache and EC2 instances.
1. Create or use an existing Redis cluster, such as AWS ElastiCache or Google Cloud Memorystore.
2. Make sure that you can connect to your instance from the Gloo management cluster. For example, your cloud provider might require the cluster and Redis instance to share the same virtual private network (VPC). For more information, consult your cloud provider documentation, such as AWS ElastiCache or Google Cloud Memorystore.
3. Choose how to authenticate with your Redis cluster. Depending on your Redis provider, you might be required to use a specific authentication method, such as a username and password.
4. Create a Kubernetes secret to store your Redis auth credentials. If you use Gloo Portal, you must create separate secrets with the same credentials for the portal and external auth servers.
```sh
kubectl apply -f- <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: extauth-redis-auth-secret
  namespace: gloo-mesh
data:
  username: "<username>"
  password: "<password>"
EOF
```
| Setting | Description |
| --- | --- |
| `name` | The name for the secret. |
| `namespace` | Create the secret in the same namespace as the server that the secret is for, such as `gloo-mesh`. |
| `username` | The base64-encoded username of your Redis credentials. If your instance does not have a username, you can omit this field. |
| `password` | The base64-encoded password of your Redis credentials. |
5. Include the external Redis settings for the external auth server when you install or upgrade Gloo Mesh Enterprise. Review the following table to understand the matching settings. For more information, check the [Helm reference](/gloo-mesh-enterprise/main//reference/helm/gloo_platform_helm_values_reference/).

| Ext auth setting | Description |
| --- | --- |
| `extAuthService.extAuth.apiKeyStorage.name` | Use Redis as the backing storage for API keys. |
| `extAuthService.extAuth.apiKeyStorage.secretKey` | Replace with a random string to use to generate hash values for other keys. |
| `extAuthService.extAuth.apiKeyStorage.config.connection.host` | Replace `$REDIS_HOST` with the host and port that the Redis instance is available on. This host might need to be on the same virtual private network as your cluster or need to have a VPN connection. An example Amazon ElastiCache host might look like `redis-cluster.ameaqx.0001.use1.cache.amazonaws.com`. For more information, see the Amazon ElastiCache docs. An example Google Cloud Memorystore host might look like `10.xxx.xx.xx:6379` in the same VPC as your cluster. For more information, see the Google Cloud Memorystore docs. |
| `extAuthService.extAuth.apiKeyStorage.config.connection.db` | The Redis database to use. The default value is `0`. |
| `extAuthService.extAuth.apiKeyStorage.redis.auth.enabled` | Optionally add this section to authenticate with your Redis cluster by using a username and password. |
| `extAuthService.extAuth.apiKeyStorage.redis.auth.secretName` | Specify the name of the secret that is in the same namespace as the external auth or portal server deployment, such as `gloo-mesh`. |
**Helm command**
```sh
helm upgrade --install gloo-agent-addons gloo-platform/gloo-platform \
  --namespace gloo-mesh \
  --create-namespace \
  --version $GLOO_VERSION \
  --set common.cluster=$CLUSTER_NAME \
  --set extAuthService.enabled=true \
  --set rateLimiter.enabled=true \
  --set extAuthService.extAuth.apiKeyStorage.config.connection.host="$REDIS_HOST" \
  --set extAuthService.extAuth.apiKeyStorage.config.connection.db=0 \
  --set extAuthService.extAuth.apiKeyStorage.secretKey="ThisIsSecret" \
  --set extAuthService.extAuth.apiKeyStorage.redis.auth.enabled=true \
  --set extAuthService.extAuth.apiKeyStorage.redis.auth.secretName=extauth-redis-auth-secret
```
**Helm values file**

If you use a Helm values file, make sure that the following settings are enabled.
```yaml
extAuthService:
  enabled: true
  extAuth:
    apiKeyStorage:
      # Use an external Redis database for backing storage
      name: redis
      enabled: true
      config:
        connection:
          # Provide the host to your external Redis database, such as AWS ElastiCache or Google Cloud Memorystore
          host: "$REDIS_HOST"
          # Set to 0 to match the default database for the 'glooPortalServer.apiKeyStorage' configuration
          db: 0
      # Replace with a random string to use to generate hash values for other keys
      secretKey: "ThisIsSecret"
      # Optionally enable authentication for Redis with the username and password in the referenced secret.
      redis:
        auth:
          enabled: true
          secretName: extauth-redis-auth-secret
```
6. Continue with the [Install](/gloo-mesh-enterprise/main//setup/install/enterprise_installation/) or [Upgrade guides](/gloo-mesh-enterprise/main//setup/upgrade/) for more instructions to finish your installation or upgrade.
7. Optional: Verify that the external auth server is configured with your external Redis database details.
   1. Verify that the secrets are created.
      ```sh
      kubectl get secrets -n gloo-mesh
      ```
      Example output:
      ```
      NAME                                  TYPE     DATA   AGE
      ext-auth-service-api-key-secret-key   Opaque   1      47s
      ext-auth-service-api-key-storage      Opaque   1      47s
      ext-auth-service-signing-key          Opaque   1      47s
      ```
   2. Log in to the external auth server pod, and verify that the host information is stored along the config path that you set.
      1. Log in to the external auth server pod.
         ```sh
         kubectl exec -it -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}') -- /bin/sh
         ```
      2. Check the file contents at the config path that you set, such as `/etc/apikeys/storage-config.yaml`.
         ```sh
         cat /etc/apikeys/storage-config.yaml
         ```
      3. Confirm that the value matches the host address for your external Redis database (`$REDIS_HOST`). To log out of the pod, enter `exit`.
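Two details in the procedure above are easy to get wrong: the `data:` field of the credentials secret takes base64-encoded values, and `apiKeyStorage.secretKey` is meant to be a random string rather than the `ThisIsSecret` placeholder. The following script, added here as an example and not part of the Gloo docs or Helm chart, renders the secret manifest with properly encoded values and generates a random key; the function names and the use of `/dev/urandom`, `od`, and `base64` are assumptions.

```shell
#!/bin/sh
# Added example (not from the Gloo docs): render the Redis credentials Secret and
# a random value for extAuthService.extAuth.apiKeyStorage.secretKey.
# Assumes POSIX sh with head, od, tr and base64 available; kubectl is only
# needed for the final apply, which is left to the caller.

# Generate a 64-character hex string (32 random bytes) to use as secretKey
# instead of the placeholder "ThisIsSecret".
gen_secret_key() {
  head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Base64-encode one value without the line wrapping some base64 builds add.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the Secret manifest from the docs with encoded credentials.
# Args: name namespace username password (username may be empty: some
# providers, such as password-only Redis, need no username field).
render_redis_secret() {
  name=$1; ns=$2; user=$3; pass=$4
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n'
  printf '  name: %s\n  namespace: %s\ndata:\n' "$name" "$ns"
  # Omit the username key entirely when the instance does not use one.
  [ -n "$user" ] && printf '  username: %s\n' "$(b64 "$user")"
  printf '  password: %s\n' "$(b64 "$pass")"
}

# Usage (values are constructed placeholders; supply your own credentials):
#   render_redis_secret extauth-redis-auth-secret gloo-mesh "$REDIS_USER" "$REDIS_PASS" | kubectl apply -f -
#   helm upgrade ... --set extAuthService.extAuth.apiKeyStorage.secretKey="$(gen_secret_key)"
```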