External Authorization in Tier-1 Gateways
TSB provides authorization capability to authorize every request coming to your service from a public network. This document will describe how to configure Tier-1 Gateway authorization using Open Policy Agent (OPA) as an example.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts.
✓ Completed Tier-1 Gateway routing to Tier-2 Gateway with httpbin already configured in TSB.
✓ Created a Tenant, and understand Workspaces and Config Groups.
✓ Configured tctl
for your TSB environment.
The following diagram shows the request/response flow using OPA with Tier-1 Gateways. Requests that come to Tier-1 Gateway will be checked by OPA. If the request is deemed unauthorized, then the request will be denied with a 403 (Forbidden) response, otherwise they are sent to the Tier-2 Gateways.
Deploy httpbin
Service
Follow the instructions in this document to create the httpbin
service, and make sure the service is exposed at httpbin.tetrate.com
.
Configuring OPA
For this example you will be deploying OPA as its own standalone service. Create a namespace for the OPA service, if you have not already done so:
kubectl create namespace opa
Follow the instructions in the OPA document to create an OPA policy using Basic Authentication, and deploy the OPA service and agent in the opa
namespace.
kubectl apply -f opa.yaml
Then update your Tier-1 Gateway configuration your OpenAPI spec by adding the following section to the Tier-1 Gateway and use tctl to apply them
apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
organization: tetrate
tenant: tetrate
workspace: tier1
group: tier1
name: tier1gw
spec:
workloadSelector:
namespace: tier1
labels:
app: tier1gw
istio: ingressgateway
externalServers:
- name: httpbin
hostname: httpbin.tetrate.com
port: 443
tls:
mode: SIMPLE
secretName: tier1-cert
clusters:
- labels:
network: tier2
authorization:
external:
uri: grpc://opa.opa.svc.cluster.local:9191
Testing
You can test the external authorization by following the instructions in the "Configuring External Authorization in Ingress Gateways", except you need to obtain the Tier-1 Gateway IP address instead of the Ingress Gateway address.
To obtain the Tier-1 Gateway address, execute the following command:
kubectl -n tier1 get service tier1-gateway \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}'
Then follow the instructions but replace the value for gateway-ip
with the address of the Tier-1 Gateway.