External auth server setup
Set up the default or customize your own external auth server.
To enforce external authentication policies, your service mesh environment must have an external auth server. Choose from the following options.
Set up the Gloo Mesh (Gloo Platform APIs) external auth server
To enforce external auth policies across your service mesh environment, each Gloo Mesh (Gloo Platform APIs) workspace must have one and only one external auth server. You can configure an ExtAuthServer resource to customize the server behavior, or use the default settings.
Optional: Prepare the Helm values file to use to install the external auth service. Review the following commonly used settings:
extAuthService.extAuth.serviceAccount.extraAnnotations: Add extra annotations to theext-auth-serviceservice account. For example, you might need annotations to let the external auth service (or related components such as the OPA sidecar server) to authenticate to resources in a cloud provider, such as AWS S3 buckets or Azure Blob Storage.- Override the default
ext-auth-servicedeployment settings. For example, you might want to update the config maps, volumes, or resource limits for CPU and memory. - Review the
extAuthServiceHelm docs for more settings.
Install the external auth service in your workload clusters. Gloo Mesh (Gloo Platform APIs) automatically creates a deployment and service in the
gloo-meshnamespace.Optional: To group the external auth services across clusters, create a virtual destination. This way, you get traffic management benefits like location-aware, priority-based routing. Keep in mind that all external auth services must use the same signing key to balance external auth requests across clusters.
kubectl apply --context ${REMOTE_CONTEXT2} -f - <<EOF apiVersion: networking.gloo.solo.io/v2 kind: VirtualDestination metadata: name: ext-auth-service-global namespace: gloo-mesh spec: hosts: - ext-auth-service.vd ports: - number: 8083 protocol: GRPC services: - labels: app: ext-auth-service EOFReview the following table to understand this configuration. For more information, see the API reference.
Setting Description --context ${REMOTE_CONTEXT2}The virtual destination is created in cluster2to demonstrate how virtual destinations group services across clusters.app: ext-auth-serviceThe virtual destination elects the default ext-auth-servicethat you enabled during installation. This default installation meets the requirements to use a virtual destination as the destination server:- The service name (
ext-auth-service) and namespace (gloo-mesh) match across clusters. - The namespace is Istio-injected so that the ext auth service pods have sidecars.
- The service name (
Create an
Review the following table to understand this configuration.ExtAuthServerresource for your workspace. This resource points to the destination server to use for external auth policies. The destination server can be the defaultext-auth-servicefrom your Gloo Mesh (Gloo Platform APIs) installation, your own custom server, or the virtual destination that you optionally created in the previous step.You can also use theExtAuthServerresource to customize certain behaviors such as request timeouts, buffering, and HTTP status codes. For more information, see the API reference.Setting Description metadataThe name and namespace for this external auth server resource. You can have only one external auth server resource per workspace. This resource does not have to be in the same namespace as the destination server. However, if this resource and the destination server are not in the same workspace, this resource’s workspace must import the destination server’s service. destinationServerThe external auth server for Gloo Mesh (Gloo Platform APIs) to use to enforce external auth policies. The examples select either a virtual destination or the default Gloo Mesh (Gloo Platform APIs) Kubernetes service. If unset, Gloo Mesh (Gloo Platform APIs) looks for a service with the name extauthin the same namespace as the Gloo Mesh (Gloo Platform APIs) agent on each cluster where the selected workload is deployed. This destination server does not have to be in the same workspace as the external auth server configuration or external auth policies. However, you must export the destination server’s service to those workspaces.In your external auth policies, refer to the
ExtAuthServerto use. In the example, the server configuration is referred to only by name because the policy is created in the same namespace.
Bring your own external auth server
Gloo Mesh (Gloo Platform APIs) comes with an external auth server that implements a wide array of authentication and authorization models. However, you can deploy your own external auth server. Then, configure Gloo Mesh (Gloo Platform APIs) to use this custom server to secure routes with external auth policies.
For example, you might create a custom external auth server to implement custom logic or to accept requests on certain routes.
The following steps demonstrate how to create a simple HTTP external auth server. Use these steps as a model to deploy your own gRPC server that implements the Envoy spec for an external authorization server.
Before you begin
This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started. If you have different names, make sure to update the sample configuration files in this guide.
Complete the multicluster getting started guide to set up the following testing environment.
- Three clusters along with environment variables for the clusters and their Kubernetes contexts.
- The Gloo
meshctlCLI, along with other CLI tools such askubectlandistioctl. - The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
- Istio installed in the workload clusters.
- A simple Gloo workspace setup.
- Install Bookinfo and other sample apps.
Get the external address of your ingress gateway. The steps vary depending on the type of load balancer that backs the ingress gateway.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n istio-ingress istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESSNote: Depending on your environment, you might see
<pending>instead of an external IP address. For example, if you are testing locally in kind or minikube, or if you have insufficient permissions in your cloud platform, you can instead port-forward the service port of the ingress gateway:kubectl -n istio-ingress port-forward deploy/istio-ingressgateway-main 8081Send a request to verify that you can reach the
ratingsapp without authorization. By default, Gloo allows any request on routes that do not specify authentication. Note that you are sending the request along/ratings/2.Example output:
{"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
Create a simple HTTP external auth server
When a request matches a route that has an external auth policy applied, Gloo Mesh (Gloo Platform APIs) forwards the request to an external auth service.
If that external auth service returns a 200 OK response, Gloo Mesh (Gloo Platform APIs) considers the request to be authorized and sends it to its original destination. If not, Gloo Mesh (Gloo Platform APIs) denies the request.
You can fine tune settings such as sending headers or forwarding the body by configuring the ExtAuthServer resource as shown in the previous section. Or, you can create your own external auth server to handle requests.
The following example uses a sample app for demonstration purposes only. You can use the app to try out the feature and to help design your own app. The app is not intended for production use and might not have updated dependencies or security patches.
Implement your external auth server. For example, you might use the following Python app for a simple HTTP server. In this example, only requests to
/ratings/1are authorized. All other requests are denied with a401response.import http.server import socketserver class Server(http.server.SimpleHTTPRequestHandler): def do_GET(self): path = self.path print("path", path) if path.startswith("/ratings/1"): self.send_response(200, 'OK') else: self.send_response(401, 'Not authorized') self.send_header('x-server', 'pythonauth') self.end_headers() def serve_forever(port): socketserver.TCPServer(('', port), Server).serve_forever() if __name__ == "__main__": serve_forever(8000)Verify that the namespace has Istio auto-injection enabled either through the
istio-injection=enabledoristio.io/rev=$REVISIONlabel.kubectl get ns -L istio-injection,istio.io/rev --context ${REMOTE_CONTEXT1}If not, enable auto-injection for the namespace in one of the following ways. For more information, see the Istio docs.
- If you use Istio revisions to manage Istio upgrades, label the namespace with
istio.io/rev=$REVISION.export REVISION=$(kubectl get pod -L app=istiod -n istio-system --context $REMOTE_CONTEXT1 -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}') echo $REVISION kubectl label namespace istio.io/rev=$REVISION --overwrite <namespace> - If you do not use revisions, label the namespace with
istio-injection=enabled.kubectl label namespace istio-injection=enabled --overwrite <namespace> - If you do not want to enable auto-injection, manually inject the Istio sidecar after you complete the next step.
- If you use Istio revisions to manage Istio upgrades, label the namespace with
Create the a deployment for your HTTP server app. The following example uses the
gcr.io/solo-public/docs/sample-auth:latestsample image, which is based on the HTTP server Python code in the previous step. The deployment is created in thebookinfonamespace.kubectl apply --context $REMOTE_CONTEXT1 -f - <<EOF apiVersion: apps/v1 kind: Deployment metadata: name: sample-auth namespace: bookinfo labels: app: sample-auth spec: replicas: 1 selector: matchLabels: app: sample-auth template: metadata: labels: app: sample-auth spec: containers: - name: sample-auth image: gcr.io/solo-public/docs/sample-auth:latest imagePullPolicy: IfNotPresent ports: - containerPort: 8000 EOFCreate a service for your external auth server deployment.
kubectl apply --context $REMOTE_CONTEXT1 -f - <<EOF kind: Service apiVersion: v1 metadata: name: auth-service namespace: bookinfo labels: app: sample-auth spec: selector: app: sample-auth # Selects the external auth deployment ports: - protocol: TCP port: 80 # For HTTP traffic targetPort: 8000 # Matches the container port of the external auth deployment name: http # Include this name so that Gloo Mesh (Gloo Platform APIs) knows that this is the HTTP port to use EOFVerify that the external auth server is running.
kubectl get all -l app=sample-auth -n bookinfo --context $REMOTE_CONTEXT1Optional: Depending on your setup, repeat these steps for each workspace where you want to use the external auth server.
Configure Gloo to use your custom external auth server
Now that you have an external auth server running in your cluster, configure Gloo Mesh (Gloo Platform APIs) to use the server for authentication requests. You use an ExtAuthServer custom resource.
Create an
ExtAuthServerresource to configure the server.Review the following table to understand this configuration.kubectl apply --context $REMOTE_CONTEXT1 -f - <<EOF apiVersion: admin.gloo.solo.io/v2 kind: ExtAuthServer metadata: name: custom-server namespace: bookinfo labels: app: sample-auth spec: destinationServer: port: number: 8000 ref: cluster: ${CLUSTER_NAME} name: auth-service namespace: bookinfo EOFYou can also use theExtAuthServerresource to customize certain behaviors such as request timeouts, buffering, and HTTP status codes. For more information, see the API reference.Setting Description metadataThe name and namespace for this external auth server resource. You can have only one external auth server resource per workspace. This resource does not have to be in the same namespace as the destination server. However, if this resource and the destination server are not in the same workspace, this resource’s workspace must import the destination server’s service. destinationServerThe external auth server for Gloo Mesh (Gloo Platform APIs) to use to authentic requests with an external auth policy. If unset, Gloo Mesh (Gloo Platform APIs) looks for a service with the name extauthin the same namespace as the Gloo Mesh (Gloo Platform APIs) agent on each cluster where the selected workload is deployed. This destination server does not have to be in the same workspace as the external auth server configuration or external auth policies. However, you must export the destination server’s service to those workspaces.Create an external auth policy that uses your custom auth server.
kubectl apply --context $REMOTE_CONTEXT1 -f - <<EOF apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: custom-auth namespace: bookinfo labels: app: sample-auth spec: applyToRoutes: - route: labels: route: ratings config: customAuth: {} server: name: custom-server EOFReview the following table to understand this configuration. For more information, see the API reference.
Setting Description applyToRoutesUse labels to configure which routes to apply the policy to. This example label matches the app and route from the example route table that you apply separately. If omitted and you do not have another selector such as applyToDestinations, the policy applies to all routes in the workspace.customAuthSet this field to use your own custom auth server. serverThe external auth server to use for the policy. Send a request to the
ratingsapp along the/ratings/2path. Now, your request is denied because the external auth server allows requests only along the/ratings/1path.curl -vik --resolve www.example.com:80:${INGRESS_GW_ADDRESS} http://www.example.com:80/ratings/2Repeat the previous request along the
/ratings/1path.curl -vik --resolve www.example.com:80:${INGRESS_GW_ADDRESS} http://www.example.com:80/ratings/1The request succeeds:
{"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete deploy,svc,extauthserver,extauthpolicy -n bookinfo -l app=sample-auth --context $REMOTE_CONTEXT1