Accessing External Services via AUTHENTICATION Service
Manage the access to an external service via the AUTHENTICATION service of yuuvis® Momentum.
Table of Contents
Introduction
The AUTHENTICATION service manages the access to the yuuvis® Momentum API gateway. With a suitable configuration, also the access to external services running in the same Kubernetes cluster can be managed via the AUTHENTICATION service of yuuvis® Momentum.
Involved Services
Two services of yuuvis® Momentum are responsible for the service routing:
- the AUTHENTICATION service and
- the API gateway.
After successful authentication of incoming requests, the AUTHENTICATION service sends the requests to the API gateway.
AUTHENTICATION Service
The service has its own endpoints that are configured in the file authentication-prod.yml
in the sections routing.endpoints
and authorization.accesses
.
The AUTHENTICATION service endpoints are only available for endpoints listed in routing.endpoints
.
In authorization.accesses
, permissions can be defined for the access to the individual endpoints and sub-paths.
>> authentication-prod.yml
API Gateway
The API gateway uses the Spring Cloud Kubernetes DiscoveryClient in order to dynamically create routes. This DiscoveryClient sends requests to the Kubernetes API. The corresponding permissions are configured via the Kubernetes objects ServiceAccount, RoleBinding and Role.
The pod for the API gateway is executed via the service account that is used by the DiscoveryClient to request namespaces.
The number of the Kubernetes Services can be limited. This can be configured in the file application-kubernetes.yml
in the filter for Kubernetes Services. Only for services matching the filter internal routes are created by the API gateway. Per default, the following filter is applied:
metadata!=null && metadata.labels!=null && metadata.labels['yuuvis']=="true"
In order to create a route for a service in the API gateway, the entry yuuvis:
true
has to be added in the <externalservice>-service.yaml
file in the labels
section.
Example Configuration
In this example scenario, the required steps of configuration are shown. Afterwards, the external service app
in the namespace other
will be available via the AUTHENTICATION service.
Follow these steps:
Deploy the pod for the external service
app
in the namespaceother
.app-deployment.yamlapiVersion: apps/v1 kind: Deployment metadata: namespace: other name: app spec: replicas: 1 selector: matchLabels: name: app template: metadata: labels: name: app spec: containers: - name: app ... ports: - containerPort: 80 ...
Create a Kubernetes Service for
app
in the namespaceother
, e.g.,app-svc
.app-service.yamlapiVersion: v1 kind: Service metadata: name: app-svc labels: name: app-svc namespace: other spec: ports: - name: "http" port: 80 targetPort: 80 selector: name: app type: ClusterIP
Create the Kubernetes Service in the namespace
yuuvis
. Use the typeexternalName
that references the namespaceother
.<externalservice>-service.yamlapiVersion: v1 kind: Service metadata: name: app labels: yuuvis: "true" namespace: yuuvis spec: type: ExternalName externalName: app-svc.other.svc.cluster.local ports: - port: 80
Add the external service
app
to the sectionsrouting.endpoints:
androuting.access:
in theauthentication-prod.yml
file.authentiaction-prod.ymlrouting.endpoints: - 'app' # external service added to the list ... authorization.accesses: - endpoints: /app/** # add # optionally restrict to a method, e.g.: method: Post # optionally restrict to users with specific roles, e.g.: hasAuthority('COGNISPHERE')
- Restart the AUTHENTICATION service.
Summary
External services running in the same Kubernetes cluster together with yuuvis® Momentum, access authorization can be managed via the AUTHENTICATION service. The required configuration steps were shown for an example scenario.