You are viewing the latest documentation for Solo Enterprise for kgateway, formerly known as Gloo Gateway. To access the documentation for older Gloo Gateway versions, such as 2.0 and 1.x, use the version switcher.

External service


Authenticate requests to external services with basic auth.

You can apply external auth policies to services that run outside your cluster.

Before you begin

  1. Follow the Get started guide to install Solo Enterprise for kgateway.
  2. Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
  3. Get the external address of the gateway and save it in an environment variable. Alternatively, port-forward the gateway proxy to localhost.

    Load balancer address:

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
    echo $INGRESS_GW_ADDRESS

    Port-forward (localhost):

    kubectl port-forward deployment/http -n kgateway-system 8080:8080

Step 1: Create an external service

Follow the Static backend guide to create an external service that runs outside your cluster.

Step 2: Apply the auth rules

Follow the Basic auth guide to apply the auth rules to your routes.

Step 3: Verify that your routes are secured

Send various requests to verify that external auth is enforced for your routes.

  1. Send a request to the httpbin app. Verify that your request is denied and that you get back a 401 HTTP response code.

    Load balancer address:

    curl -vi http://$INGRESS_GW_ADDRESS:8080/posts -H "host: static.example:8080"

    Port-forward (localhost):

    curl -vi localhost:8080/posts -H "host: static.example:8080"

    Example output:

    HTTP/1.1 401 Unauthorized

  2. Encode the expected user credentials in base64 format.

    echo -n "user:password" | base64

    Example output:

    dXNlcjpwYXNzd29yZA==

  3. Send another request to the httpbin app. This time, include the base64-encoded user:password credentials in the Authorization header. Verify that the request succeeds and that you get back a 200 HTTP response code.

    Load balancer address:

    curl -vi http://$INGRESS_GW_ADDRESS:8080/posts -H "host: static.example:8080" -H "Authorization: basic dXNlcjpwYXNzd29yZA=="

    Port-forward (localhost):

    curl -vi localhost:8080/posts -H "host: static.example:8080" -H "Authorization: basic dXNlcjpwYXNzd29yZA=="

    Example output:

    HTTP/1.1 200 OK
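
The three checks in this step can be scripted so that they are repeatable after every policy change. The following script is an added example, not part of the kgateway documentation: the function names are illustrative, `wrong-password` is a constructed value for a negative test that the steps above do not include, and it assumes the `user:password` credentials and `static.example:8080` host from this guide.

```shell
#!/bin/sh
# Added example: scripted version of the Step 3 checks. Function names are
# illustrative; "wrong-password" is a constructed value for the negative test.

# Build the Authorization header value for a user and password.
# printf avoids the portability problems of `echo -n`; tr removes the line
# wrapping that GNU base64 inserts once the output exceeds 76 characters.
basic_auth_value() {
  case "$1" in
    *:*) echo "user ID must not contain ':'" >&2; return 1 ;;
  esac
  printf 'basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Print the HTTP status code returned for /posts on the static.example route.
route_status() {  # BASE_URL [USER PASSWORD]
  if [ "$#" -ge 3 ]; then
    curl -s -o /dev/null -w '%{http_code}' "$1/posts" \
      -H "host: static.example:8080" \
      -H "Authorization: $(basic_auth_value "$2" "$3")"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1/posts" \
      -H "host: static.example:8080"
  fi
}

# Compare an observed status code with the expected one.
expect_status() {  # LABEL EXPECTED ACTUAL
  if [ "$2" = "$3" ]; then
    echo "PASS $1 ($3)"
  else
    echo "FAIL $1: expected $2, got $3"
    return 1
  fi
}

verify_basic_auth() {  # BASE_URL
  failures=0
  expect_status "no credentials" 401 "$(route_status "$1")" || failures=1
  expect_status "wrong password" 401 "$(route_status "$1" user wrong-password)" || failures=1
  expect_status "valid credentials" 200 "$(route_status "$1" user password)" || failures=1
  return "$failures"
}

# Contacts the gateway only when asked: sh verify.sh --run http://localhost:8080
if [ "${1:-}" = "--run" ]; then
  verify_basic_auth "${2:-http://localhost:8080}"
fi
```

Base64 is an encoding, not encryption, so the Authorization header sent over the plain HTTP listener in this guide is readable by anyone who can observe the request.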

Cleanup

You can optionally remove the resources that you set up as part of this guide.

  1. Delete the external service.

    kubectl delete httproute static-backend
    kubectl delete backend json-backend

  2. Delete the external auth resources.

    kubectl delete authconfig basic-auth -n kgateway-system
    kubectl delete EnterpriseKgatewayTrafficPolicy test-extauth-policy -n kgateway-system