API Key Storage Configuration

Configure where Gloo Portal stores the API keys that control user access for your usage plans.

With Gloo Portal, you create an API Product for your API services and Usage Plans to decide how users and groups can access your API Product. One of the authentication policy options for your usage plan is to control access with API keys. When you set the authPolicy to apiKey, Portal deterministically generates an authorization configuration that enforces the policy.

By default, Portal stores the API keys in a Kubernetes secret within the cluster. However, you can use the Storage custom resource to change where the API keys are stored. You might want to change the default storage for increased security external to your cluster, or to use an existing database.

Gloo Portal supports configuring Aerospike Database as external storage for API keys.

Before you begin

  1. Install Gloo Edge Enterprise version 1.14.0 or later in a Kubernetes cluster.
  2. Install Gloo Portal in the same cluster.
  3. Follow the Create an API Product and Create a Portal guides to set up an Environment and Portal.
  4. Follow the Users and Groups Guide to create a Usage Plan with an apiKey Auth Policy for the Environment.

Set up your Aerospike backing storage

You can create an Aerospike database as the backing storage for your Gloo Portal API keys.

  1. Install Aerospike in a location that is reachable from the Portal Controller, such as in a virtual machine with a public IP address or in a pod in the cluster.
  2. shell into your Aerospike deployment's machine.
  3. Configure a namespace in your Aerospike database for Gloo Portal to use. The preferred name is solo-namespace, as shown in the following example file.
    cat /etc/aerospike/aerospike.conf 
    # Aerospike database configuration file for use with systemd.
       
    service {
     proto-fd-max 15000
    }
       
    logging {
     console {
         context any info
     }
    }
       
    network {
     service {
         address any
         port 3000
     }
       
     heartbeat {
         mode multicast
         multicast-group 239.1.99.222
         port 9918
       
         # To use unicast-mesh heartbeats, remove the 3 lines above, and see
         # aerospike_mesh.conf for alternative.
       
         interval 150
         timeout 10
     }
       
     fabric {
         port 3001
     }
       
     info {
         port 3003
     }
    }
       
    namespace solo-namespace {
     memory-size 4G
     replication-factor 2
     storage-engine memory
    }
    
  4. Restart Aerospike to pick up the new namespace configuration.
    systemctl restart aerospike
    
  5. To run queries, install the Aerospike Quick Look (AQL) tool.

Customize your API key storage

  1. Define your custom storage configuration in a Storage custom resource, such as the following example. For more information, see the Gloo Portal Storage API docs and the Gloo Edge external auth for Aerospike API docs.

    cat << EOF | kubectl apply -f-
    apiVersion: portal.gloo.solo.io/v1beta1
    kind: Storage
    metadata:
      name: aerospike-storage
      namespace: gloo-system
    spec:
      apikeyStorage:
        aerospike:
          hostname: <Aerospike IP/Hostname>
          port: <Aerospike Port>
          # namespace: <namespace> # namespace must be specified if not solo-namespace
    EOF
    
  2. Restart the Portal controller to pick up your Storage configuration changes.

    $ kubectl rollout restart deployment -n gloo-portal gloo-portal-controller
    
  3. Verify that the generated AuthConfig for the dev environment has the custom aerospikeApikeyStorage details that you set in the Storage configuration.

    $ kubectl get -n default authconfig default-petstore-product-dev -oyaml
    

    Example output:

    apiVersion: enterprise.gloo.solo.io/v1
    kind: AuthConfig
    metadata:
    ...
      labels:
        apiproducts.portal.gloo.solo.io: petstore-product.default
        environments.portal.gloo.solo.io: dev.default
      name: default-petstore-product-dev
      namespace: default
      ownerReferences:
      - apiVersion: portal.gloo.solo.io/v1beta1
        blockOwnerDeletion: true
        controller: true
        kind: Environment
        name: dev
    ...
    spec:
      booleanExpr: apiKeys
      configs:
      - apiKeyAuth:
          headerName: api-key
          aerospikeApikeyStorage:
            hostname: <Aerospike IP/Hostname>
            port: <Aerospike Port>
            namespace: <namespace>
          headersFromMetadata:
            x-solo-email:
              name: email
            x-solo-plan:
              name: plan
              required: true
            x-solo-username:
              name: username
              required: true
          labelSelector:
            apiproducts.portal.gloo.solo.io: petstore-product.default
            environments.portal.gloo.solo.io: dev.default
        name: apiKeys
    status:
      statuses:
        gloo-portal:
          reportedBy: gloo
          state: 1
       

  4. Create an API key such as by using the sample Petstore portal.

  5. In Aerospike, verify that the new API key is stored in the database. For example, you might use the following Aerospike Quick Look (AQL) query. For more information, see the Aerospike docs.

    aql> SELECT * FROM solo-namespace.apikeys;
    

    Example output:

    +---------+----------+------------------+--------------------------- +---------------+-------------+
    | plan    | username | email            | product                    | environment   | api-key     |
    +---------+----------+------------------+--------------------------- +---------------+-------------+
    | "basic" | "dev1"   | "user@email.com" | "petstore-product.default" | "dev.default" | "<api-key>" |
    +---------+----------+------------------+--------------------------- +---------------+-------------+
    

Known limitations

Next steps

Your API keys are now stored in an external Aerospike database. You can set up the following components in Gloo Edge to use the same Aerospike database: