External auth server
Review how the Gloo external authentication server backs up data and your setup options to make the backing database more resilient.
For more information about the feature, see External authentication and authorization.
Planning to use the external auth server with Gloo Portal? The details for the backing storage database must match for both components. For more information, see the Backing Redis databases guide in the Gloo Mesh Gateway docs.
What data gets stored
The external auth server stores the following data in the backing database. For an example of how to check the data that gets stored, see Review data in Redis.
- API keys that end users can use to authenticate to destinations and routes that are protected by an external auth policy that the external auth server enforces.
Backing storage options
Review the following options for setting up backing storage with RedisĀ®*
1 instances.
Option | Use case | Benefits | Drawbacks |
---|---|---|---|
Default (no backing storage) | Local testing in single clusters |
|
|
Built-in local Redis | Proof of concept and staging environments in single clusters |
|
|
Bring your own Redis | Production-level, multicluster environments |
|
|
Shared or separate instances
In Gloo Mesh Gateway, many components use Redis to store data. Several of these components must share the same instance in order to function properly, as follows:
- Management server, UI, and insights engine (which is also used as part of the OTel pipeline).
- External auth service and developer portal server.
- Rate limiter, which is often shared with the external auth service and portal server, but does not have to be.
If you enable the default, Solo-provided, local Redis options, these Redis instances are created separately.
If you bring your own Redis, you can choose to share the Redis instances or not. For internal compliance or security purposes, you might want separate Redis instances for each of these use cases. As such, the following guide assumes a separate deployment, and uses separate secrets. However, you can also share a single external Redis instance and update the names accordingly.
Default (no backing storage)
By default, no backing storage is configured for the external auth server. For testing purposes, you can manually create backing storage, such as saving an API key’s details in a Kubernetes secret (for example steps, see Require API key external auth for Gloo Portal).
Otherwise, set up one of the backing storage options.
Built-in local Redis
When you install Gloo Mesh Gateway, a local Redis instance redis
is set up in the gloo-mesh
namespace of the workload cluster. The rate limiting server automatically reads and writes to this Redis instance. However, you must manually configure the Gloo external auth and Gloo portal servers to read from and write data to this Redis instance.
Using a local Redis instance is not a recommended practice for production. To achieve higher availability, disaster recovery and add other security features, bring your own Redis instance instead.
Include the same local Redis settings for the external auth and portal servers when you install or upgrade Gloo Mesh Gateway. Review the following table to understand the matching settings. For more information, check the Helm reference.
extAuthService.extAuth setting glooPortalServer setting Description apiKeyStorage.name and apiKeyStorage.enabled apiKeyStorage.redis.enabled Use Redis as the backing storage for API keys. apiKeyStorage.secretKey apiKeyStorage.secretKey The string value that you want to use to hash API keys before they are stored in the Redis database. N/A apiKeyStorage.configPath The path to the Redis configuration file. apiKeyStorage.config.host apiKeyStorage.redis.address The host that the Redis instance is available on. When you use the built-in Redis instance, this value is set to the local redis
service in thegloo-mesh
namespace:redis.gloo-mesh:6379
.- Helm command:
helm upgrade --install gloo-agent-addons gloo-platform/gloo-platform \ --namespace gloo-mesh \ --create-namespace \ --version $GLOO_VERSION \ --set common.cluster=$CLUSTER_NAME \ --set extAuthService.enabled=true \ --set rateLimiter.enabled=true \ --set glooPortalServer.enabled=true \ --set glooPortalServer.apiKeyStorage.redis.enabled=true \ --set glooPortalServer.apiKeyStorage.secretKey="ThisIsSecret" \ --set glooPortalServer.apiKeyStorage.configPath="/etc/redis-client-config/config.yaml" \ --set glooPortalServer.apiKeyStorage.redis.address="redis.gloo-mesh:6379" \ --set extAuthService.extAuth.apiKeyStorage.name=redis \ --set extAuthService.extAuth.apiKeyStorage.enabled=true \ --set extAuthService.extAuth.apiKeyStorage.config.host="redis.gloo-mesh:6379" \ --set extAuthService.extAuth.apiKeyStorage.config.db=0 \ --set extAuthService.extAuth.apiKeyStorage.secretKey="ThisIsSecret"
- Helm values file:
If you use a Helm values file, make sure that the following settings are enabled.
extAuthService: enabled: true extAuth: apiKeyStorage: # Use the local gloo-mesh Redis for backing storage name: redis enabled: true config: host: "redis.gloo-mesh:6379" # Replace with a random string to use to generate hash values for other keys secretKey: "ThisIsSecret" # Optionally enable authentication for Redis with the username and password in the referenced secret. redis: auth: enabled: true secretName: extauth-redis-auth-secret glooPortalServer: enabled: true apiKeyStorage: # Use the local gloo-mesh Redis for backing storage redis: enabled: true address: redis.gloo-mesh:6379 # Optionally enable authentication for Redis with the username and password in the referenced secret. auth: enabled: true secretName: portal-redis-auth-secret # Path for API key storage config file in the gloo-mesh backing Redis configPath: /etc/redis-client-config/config.yaml # Replace with a random string to use to generate hash values for other keys secretKey: "ThisIsSecret" rateLimiter: enabled: true # Configuration for the managed north-south (ingress) gateway. Requires a Gloo Mesh Gateway license. northSouthGateways: - # Install the gateway in the cluster. enabled: true
- Helm command:
Continue with the Install or Upgrade guides for more instructions to finish your installation or upgrade.
Bring your own Redis
Instead of using the built-in local Redis instance, you can achieve higher availability, disaster recovery, and enhanced control and security by bringing your own Redis cluster. Unlike for the Gloo management server or UI, do not install a local instance of Redis. Instead, create an instance outside your cluster environment, such as Redis Enterprise or a cloud provider service like AWS ElastiCache. Then, you include the settings for your external Redis instance when you install or upgrade your Gloo Helm chart. This way, you can support multicluster use cases to use the same external Redis for the API keys shared by the Gloo external auth and portal servers.
Using a Redis or AWS ElastiCache instance in cluster mode is currently not supported.
Create or use an existing Redis cluster, such as AWS ElastiCache or Google Cloud Memorystore.
Make sure that you can connect to your instance from the Gloo management cluster. For example, your cloud provider might require for the cluster and Redis instance to share the same virtual private network (VPC). For more information, consult your cloud provider documentation, such as AWS ElastiCache or Google Cloud Memorystore.
Include the same external Redis settings for the external auth and portal servers when you install or upgrade Gloo Mesh Gateway. Review the following table to understand the matching settings. For advanced settings, check the Helm reference.
extAuthService.extAuth setting glooPortalServer setting Description apiKeyStorage.name and apiKeyStorage.enabled apiKeyStorage.redis.enabled Use Redis as the backing storage for API keys. apiKeyStorage.secretKey apiKeyStorage.secretKey The string value that you want to use to hash API keys before they are stored in the Redis database. N/A apiKeyStorage.configPath The path to the Redis configuration file. apiKeyStorage.config.host apiKeyStorage.redis.address Replace $REDIS_HOST
with the host and port that the Redis instance is available on. This host might need to be on the same virtual private network as your cluster or need to have a VPN connection.- An example Amazon ElastiCache host might look like
redis-cluster.ameaqx.0001.use1.cache.amazonaws.com
. For more information, see the Amazon ElastiCache docs. - An example Google Cloud Memorystore host might look like
10.xxx.xx.xx:6379
in the same VPC as your cluster. For more information, see the Google Cloud Memorystore docs.
- Helm command:
helm upgrade --install gloo-agent-addons gloo-platform/gloo-platform \ --namespace gloo-mesh \ --create-namespace \ --version $GLOO_VERSION \ --set common.cluster=$CLUSTER_NAME \ --set extAuthService.enabled=true \ --set rateLimiter.enabled=true \ --set glooPortalServer.enabled=true \ --set glooPortalServer.apiKeyStorage.redis.enabled=redis \ --set glooPortalServer.apiKeyStorage.secretKey="ThisIsSecret" \ --set glooPortalServer.apiKeyStorage.configPath="/etc/redis-client-config/config.yaml" \ --set glooPortalServer.apiKeyStorage.redis.address="$REDIS_HOST" \ --set glooPortalServer.apiKeyStorage.redis.auth.enabled=true \ --set extAuthService.extAuth.apiKeyStorage.name=redis \ --set extAuthService.extAuth.apiKeyStorage.enabled=true \ --set extAuthService.extAuth.apiKeyStorage.config.host="$REDIS_HOST" \ --set extAuthService.extAuth.apiKeyStorage.config.db=0 \ --set extAuthService.extAuth.apiKeyStorage.secretKey="ThisIsSecret"
- Helm values file:
If you use a Helm values file, make sure that the following settings are enabled.
extAuthService: enabled: true extAuth: apiKeyStorage: # Use an external Redis instance for backing storage name: redis config: # Provide the host to your external Redis instance, such as AWS ElastiCache or Google Cloud Memorystore host: "$REDIS_HOST" # Replace with a random string to use to generate hash values for other keys secretKey: "ThisIsSecret" glooPortalServer: enabled: true apiKeyStorage: # Path for the config file to use for the backing Redis database configPath: /etc/redis-client-config/config.yaml # Replace with a random string to use to generate hash values for other keys secretKey: "ThisIsSecret" # Use an external Redis instance for backing storage redis: enabled: true # Provide the host to your external Redis instance, such as AWS ElastiCache or Google Cloud Memorystore address: "$REDIS_HOST" # Optionally enable authentication for Redis with the username and password in the referenced secret. # To authenticate by using TLS certificates, replace the auth section with a certs section instead. auth: enabled: true rateLimiter: enabled: true # Configuration for the managed north-south (ingress) gateway. Requires a Gloo Mesh Gateway license. northSouthGateways: - # Install the gateway in the cluster. enabled: true
- An example Amazon ElastiCache host might look like
Continue with the Install or Upgrade guides for more instructions to finish your installation or upgrade.
Optional: Verify that the external auth and portal server are configured with your external Redis instance details.
Verify that the secrets are created.
kubectl get secrets -n gloo-mesh
Example output:
NAME TYPE DATA AGE ext-auth-service-api-key-secret-key Opaque 1 47s ext-auth-service-api-key-storage Opaque 1 47s ext-auth-service-signing-key Opaque 1 47s portal-storage-config Opaque 1 47s
Log in to the portal server pod, and verify that the host information is stored along the config path that you set.
- Log in to the portal server pod.
kubectl exec -it -n gloo-mesh pods/$(kubectl get pod -l app=gloo-mesh-portal-server -A -o jsonpath='{.items[0].metadata.name}') -- /bin/sh
- Check the file contents at the config path that you set, such as
/etc/redis-client-config/config.yaml
.cat /etc/redis-client-config/config.yaml
- Confirm that the value matches the host address for your external Redis instance (
$REDIS_HOST
). - To log out of the pod, enter
exit
.
- Log in to the portal server pod.
Log in to the external auth server pod, and verify that the host information is stored along the config path that you set.
- Log in to the external auth server pod.
kubectl exec -it -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}') -- /bin/sh
- Check the file contents at the config path that you set, such as
/etc/apikeys/storage-config.yaml
.cat /etc/apikeys/storage-config.yaml
- Confirm that the value matches the host address for your external Redis instance (
$REDIS_HOST
). - To log out of the pod, enter
exit
.
- Log in to the external auth server pod.
Optional: Verify that API keys are stored in your external Redis database.
*
Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by Solo.io, Inc. is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and Solo.io. ↩︎