...
| Page Properties | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||
Resources & Remarks Modification History
|
...
| Section | ||||||
|---|---|---|---|---|---|---|
| ||||||
|
Introduction
The AUTHENTICATION service manages the access to the yuuvis® Momentum API gateway. With a suitable configuration, also the access to external services running in the same Kubernetes cluster can be managed via the AUTHENTICATION service of yuuvis® Momentum.
...
The service has its own endpoints that are configured in the file authentication-prod.yml in the sections routing.endpoints and authorization.accesses.
Only The AUTHENTICATION service endpoints are only available for endpoints listed in routing.endpoints the AUTHENTICATION service endpoints are available.
In authorization.accesses, permissions can be defined for the access to the individual endpoints and sub-paths.
>> Access Authorization for Endpointsauthentication-prod.yml
API Gateway
The API gateway uses the Spring Cloud Kubernetes DiscoveryClient in order to dynamically create routes. This DiscoveryClient sends requests to the Kubernetes API. The corresponding permissions are configured via the Kubernetes objects ServiceAccount, RoleBinding and Role.
...
In order to create a route for a service in the API gateway, in the file authentication-service.yaml in the section 
labels the entry yuuvis: true has to be added in the <externalservice>-service.yaml file in the labels section.
Example Configuration
In this example scenario, the required steps of configuration are shown. Afterwards, the external service app in the namespace other will be available via the AUTHENTICATION service.
...
Deploy the pod for the external service
appin the namespaceother.Code Block language yml title app-deployment.yaml linenumbers true apiVersion: apps/v1 kind: Deployment metadata: namespace: other name: app spec: replicas: 1 selector: matchLabels: name: app template: metadata: labels: name: app spec: containers: - name: app ... ports: - containerPort: 80 ...Create a Kubernetes Service for cognisphere
appin the namespaceother, e.g.,app-svc.Code Block language yml title service in the namespace otherapp-service.yaml linenumbers true apiVersion: v1 kind: Service metadata: name: app-svc labels: name: app-svc namespace: other spec: ports: - name: "http" port: 80 targetPort: 80 selector: name: app type: ClusterIPCreate the Kubernetes Service in the namespace
yuuvis. Use the typeexternalNamethat references the namespaceother.Code Block language yml title service im namespace yuuvis type externalName:<externalservice>-service.yaml linenumbers true apiVersion: v1 kind: Service metadata: name: app labels: yuuvis: "true" namespace: yuuvis spec: type: ExternalName externalName: app-svc.other.svc.cluster.local ports: - port: 80Add the external service
appto the sectionsrouting.endpoints:androuting.access:in the fileauthentication-prod.ymlfile.Code Block language yml title authentiaction-prod.yml linenumbers true routing.endpoints: - 'app' # external service added to the list ... authorization.accesses: - endpoints: /app/** # add # optionally restrict to a method, e.g.: method: Post # optionally restrict to users with specific roles, e.g.: hasAuthority('COGNISPHERE')- Restart the AUTHENTICATION service.
Summary
External services running in the same Kubernetes cluster together with yuuvis® Momentum, access authorization can be managed via the AUTHENTICATION service. The required configuration steps were shown for an example scenario.
| Info | |||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||
Read on
|
...