ambassador 学习二 认证

ambassador 可以在请求路由之前进行认证处理，一般的我们可能会使用第三方的认证服务

基本的环境安装可以参考相关文档

安装&&运行qotm 服务

可以参考官方文档，或者https://github.com/rongfengliang/ambassador-learning

安装运行认证服务

• demo 地址

https://github.com/datawire/ambassador-auth-service

• 运行(我使用k8s 运行)

---
apiVersion: v1
kind: Service
metadata:
  name: example-auth
spec:
  type: ClusterIP
  selector:
    app: example-auth
  ports:
  - port: 3000
    name: http-example-auth
    targetPort: http-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: example-auth
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: example-auth
    spec:
      containers:
      - name: example-auth
        image: datawire/ambassador-auth-service:1.1.1
        imagePullPolicy: Always
        ports:
        - name: http-api
          containerPort: 3000
        resources:
          limits:
            cpu: "0.1"
            memory: 100Mi
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth.yaml

认证配置服务说明

• 认证服务监听的端口3000
• 认证服务请求起始是 /extauth/;
• /qotm/quote/ 开头的请求都会进行basic auth
• 请求只允许用户名密码格式
• 同时需要一个x-qotm-session header

auth 服务配置

---
apiVersion: v1
kind: Service
metadata:
  name: example-auth
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind:  AuthService
      name:  authentication
      auth_service: "example-auth:3000"
      path_prefix: "/extauth"
      allowed_headers:
      - "x-qotm-session"
spec:
  type: ClusterIP
  selector:
    app: example-auth
  ports:
  - port: 3000
    name: http-example-auth
    targetPort: http-api
使用官方提供的配置文件
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth-enable.yaml

测试服务

• 服务部署状态
  
• 测试
  没有使用用户密码
  
  使用用户密码
  

说明

总的来说还是比较简单的，同时比较方便

参考资料

https://www.getambassador.io/user-guide/auth-tutorial
https://github.com/rongfengliang/ambassador-learning