Navigation :

API Key Storage Configuration

Configure where Gloo Portal stores the API keys that control user access for your usage plans.

With Gloo Portal, you create an API Product for your API services and Usage Plans to decide how users and groups can access your API Product. One of the authentication policy options for your usage plan is to control access with API keys. When you set the authPolicy to apiKey, Portal deterministically generates an authorization configuration that enforces the policy.

By default, Portal stores the API keys in a Kubernetes secret within the cluster. However, you can use the Storage custom resource to change where the API keys are stored. You might want to change the default storage for increased security external to your cluster, or to use an existing database.

Gloo Portal supports configuring Aerospike Database as external storage for API keys.

Before you begin

  1. Install Gloo Edge Enterprise version 1.14.0 or later in a Kubernetes cluster.
  2. Install Gloo Portal in the same cluster.
  3. Follow the Create an API Product and Create a Portal guides to set up an Environment and Portal.
  4. Follow the Users and Groups Guide to create a Usage Plan with an apiKey Auth Policy for the Environment.

Set up your Aerospike backing storage

You can create an Aerospike database as the backing storage for your Gloo Portal API keys.

  1. Install Aerospike in a location that is reachable from the Portal Controller, such as in a virtual machine with a public IP address or in a pod in the cluster.
  2. shell into your Aerospike deployment's machine.
  3. Configure a namespace in your Aerospike database for Gloo Portal to use. The preferred name is solo-namespace, as shown in the following example file. 
    cat /etc/aerospike/aerospike.conf 
# Aerospike database configuration file for use with systemd.
   
service {
 proto-fd-max 15000
}
   
logging {
 console {
     context any info
 }
}
   
network {
 service {
     address any
     port 3000
 }
   
 heartbeat {
     mode multicast
     multicast-group 239.1.99.222
     port 9918
   
     # To use unicast-mesh heartbeats, remove the 3 lines above, and see
     # aerospike_mesh.conf for alternative.
   
     interval 150
     timeout 10
 }
   
 fabric {
     port 3001
 }
   
 info {
     port 3003
 }
}
   
namespace solo-namespace {
 memory-size 4G
 replication-factor 2
 storage-engine memory
}
  4. Restart Aerospike to pick up the new namespace configuration. 
    systemctl restart aerospike
  5. To run queries, install the Aerospike Quick Look (AQL) tool.

Customize your API key storage

  1. Define your custom storage configuration in a Storage custom resource, such as the following example. For more information, see the Gloo Portal Storage API docs and the Gloo Edge external auth for Aerospike API docs.

    cat << EOF | kubectl apply -f-
apiVersion: portal.gloo.solo.io/v1beta1
kind: Storage
metadata:
  name: aerospike-storage
  namespace: gloo-system
spec:
  apikeyStorage:
    aerospike:
      hostname: <Aerospike IP/Hostname>
      port: <Aerospike Port>
      # namespace: <namespace> # namespace must be specified if not solo-namespace
EOF

  2. Restart the Portal controller to pick up your Storage configuration changes.

    $ kubectl rollout restart deployment -n gloo-portal gloo-portal-controller

  3. Verify that the generated AuthConfig for the dev environment has the custom aerospikeApikeyStorage details that you set in the Storage configuration.

    $ kubectl get -n default authconfig default-petstore-product-dev -oyaml

    Example output: 

    apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
...
  labels:
    apiproducts.portal.gloo.solo.io: petstore-product.default
    environments.portal.gloo.solo.io: dev.default
  name: default-petstore-product-dev
  namespace: default
  ownerReferences:
  - apiVersion: portal.gloo.solo.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: Environment
    name: dev
...
spec:
  booleanExpr: apiKeys
  configs:
  - apiKeyAuth:
      headerName: api-key
      aerospikeApikeyStorage:
        hostname: <Aerospike IP/Hostname>
        port: <Aerospike Port>
        namespace: <namespace>
      headersFromMetadata:
        x-solo-email:
          name: email
        x-solo-plan:
          name: plan
          required: true
        x-solo-username:
          name: username
          required: true
      labelSelector:
        apiproducts.portal.gloo.solo.io: petstore-product.default
        environments.portal.gloo.solo.io: dev.default
    name: apiKeys
status:
  statuses:
    gloo-portal:
      reportedBy: gloo
      state: 1

  4. Create an API key such as by using the sample Petstore portal.

  5. In Aerospike, verify that the new API key is stored in the database. For example, you might use the following Aerospike Quick Look (AQL) query. For more information, see the Aerospike docs.

    aql> SELECT * FROM solo-namespace.apikeys;

    Example output:

    +---------+----------+------------------+--------------------------- +---------------+-------------+
| plan    | username | email            | product                    | environment   | api-key     |
+---------+----------+------------------+--------------------------- +---------------+-------------+
| "basic" | "dev1"   | "user@email.com" | "petstore-product.default" | "dev.default" | "<api-key>" |
+---------+----------+------------------+--------------------------- +---------------+-------------+

Known limitations

Next steps

Your API keys are now stored in an external Aerospike database. You can set up the following components in Gloo Edge to use the same Aerospike database: