API Key Storage Configuration
Configure where Gloo Portal stores the API keys that control user access for your usage plans.
With Gloo Portal, you create an API Product for your API services and Usage Plans to decide how users and groups can access your API Product. One of the authentication policy options for your usage plan is to control access with API keys. When you set the authPolicy
to apiKey
, Portal deterministically generates an authorization configuration that enforces the policy.
By default, Portal stores the API keys in a Kubernetes secret within the cluster. However, you can use the Storage custom resource to change where the API keys are stored. You might want to change the default storage for increased security external to your cluster, or to use an existing database.
Gloo Portal supports configuring Aerospike Database as external storage for API keys.
Before you begin
- Install Gloo Edge Enterprise version 1.14.0 or later in a Kubernetes cluster.
- Install Gloo Portal in the same cluster.
- Follow the Create an API Product and Create a Portal guides to set up an Environment and Portal.
- Follow the Users and Groups Guide to create a Usage Plan with an
apiKey
Auth Policy for the Environment.
Set up your Aerospike backing storage
You can create an Aerospike database as the backing storage for your Gloo Portal API keys.
- Install Aerospike in a location that is reachable from the Portal Controller, such as in a virtual machine with a public IP address or in a pod in the cluster.
shell
into your Aerospike deployment's machine.- Configure a namespace in your Aerospike database for Gloo Portal to use. The preferred name is
solo-namespace
, as shown in the following example file.cat /etc/aerospike/aerospike.conf # Aerospike database configuration file for use with systemd. service { proto-fd-max 15000 } logging { console { context any info } } network { service { address any port 3000 } heartbeat { mode multicast multicast-group 239.1.99.222 port 9918 # To use unicast-mesh heartbeats, remove the 3 lines above, and see # aerospike_mesh.conf for alternative. interval 150 timeout 10 } fabric { port 3001 } info { port 3003 } } namespace solo-namespace { memory-size 4G replication-factor 2 storage-engine memory }
- Restart Aerospike to pick up the new namespace configuration.
systemctl restart aerospike
- To run queries, install the Aerospike Quick Look (AQL) tool.
Customize your API key storage
-
Define your custom storage configuration in a
Storage
custom resource, such as the following example. For more information, see the Gloo Portal Storage API docs and the Gloo Edge external auth for Aerospike API docs.cat << EOF | kubectl apply -f- apiVersion: portal.gloo.solo.io/v1beta1 kind: Storage metadata: name: aerospike-storage namespace: gloo-system spec: apikeyStorage: aerospike: hostname: <Aerospike IP/Hostname> port: <Aerospike Port> # namespace: <namespace> # namespace must be specified if not solo-namespace EOF
-
Restart the Portal controller to pick up your Storage configuration changes.
$ kubectl rollout restart deployment -n gloo-portal gloo-portal-controller
-
Verify that the generated
AuthConfig
for thedev
environment has the customaerospikeApikeyStorage
details that you set in the Storage configuration.$ kubectl get -n default authconfig default-petstore-product-dev -oyaml
Example output:
apiVersion: enterprise.gloo.solo.io/v1 kind: AuthConfig metadata: ... labels: apiproducts.portal.gloo.solo.io: petstore-product.default environments.portal.gloo.solo.io: dev.default name: default-petstore-product-dev namespace: default ownerReferences: - apiVersion: portal.gloo.solo.io/v1beta1 blockOwnerDeletion: true controller: true kind: Environment name: dev ... spec: booleanExpr: apiKeys configs: - apiKeyAuth: headerName: api-key aerospikeApikeyStorage: hostname: <Aerospike IP/Hostname> port: <Aerospike Port> namespace: <namespace> headersFromMetadata: x-solo-email: name: email x-solo-plan: name: plan required: true x-solo-username: name: username required: true labelSelector: apiproducts.portal.gloo.solo.io: petstore-product.default environments.portal.gloo.solo.io: dev.default name: apiKeys status: statuses: gloo-portal: reportedBy: gloo state: 1
-
Create an API key such as by using the sample Petstore portal.
-
In Aerospike, verify that the new API key is stored in the database. For example, you might use the following Aerospike Quick Look (AQL) query. For more information, see the Aerospike docs.
aql> SELECT * FROM solo-namespace.apikeys;
Example output:
+---------+----------+------------------+--------------------------- +---------------+-------------+ | plan | username | email | product | environment | api-key | +---------+----------+------------------+--------------------------- +---------------+-------------+ | "basic" | "dev1" | "user@email.com" | "petstore-product.default" | "dev.default" | "<api-key>" | +---------+----------+------------------+--------------------------- +---------------+-------------+
Known limitations
- You must restart the Portal controller to pick up any changes to your Storage custom resource.
- If you misconfigure the Storage custom resource, no error message is returned in the status. Instead, check the
gloo-portal-controller
logs for an error message for the Storage custom resource. You might not be able to create or delete API keys until you fix the Storage configuration.
Next steps
Your API keys are now stored in an external Aerospike database. You can set up the following components in Gloo Edge to use the same Aerospike database:
- External auth to enforce API key access policies for your API Product.
- Rate limiting to limit the number of requests your API Product gets in a certain time.