API key auth for Ambassador

4/14/2019

I'm trying to figure out how to create a simple API key protected proxy with Ambassador on k8s, yet can't seem to find any docs on this.

Specifically, I just want to set it up so it can take a request with an API-KEY header, authenticate it, and if API-KEY is valid for some client, pass it on to my backend.

-- kozyr
api-gateway
authentication
kubernetes

1 Answer

4/15/2019

I suggest you do the following:

  1. Create an authentication application: for each protected endpoint, this app will be responsible for validating the API key.

  2. Configure Ambassador to redirect requests to this service: you just need to annotate your authentication app's service definition. Example:

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: auth-app
      annotations:
        getambassador.io/config: |
          ---
          apiVersion: ambassador/v1
          kind:  AuthService
          name:  authentication
          auth_service: "auth-app:8080"
          allowed_request_headers:
          - "API-KEY"
    spec:
      type: ClusterIP
      selector:
        app: auth-app
      ports:
      - port: 8080
        name: auth-app
        targetPort: auth-app

  3. Configure an endpoint in auth-app corresponding to the endpoint of the app you want to authenticate. Suppose you have an app with a Mapping like this:

    apiVersion: ambassador/v1
    kind:  Mapping
    name:  myapp-mapping
    prefix: /myapp/
    service: myapp:8000

Then you need to have an endpoint "/myapp/" in auth-app. You will read your API-KEY header there. If the key is valid, return an HTTP 200 (OK). Ambassador will then send the original message to myapp. If auth-app returns anything other than an HTTP 200, Ambassador will return that response to the client.

  4. Bypass the authentication in the apps that need it. For example, you might need a login app responsible for providing an API key to the clients. You can bypass authentication for these apps using bypass_auth: true in the mapping:

    apiVersion: ambassador/v1
    kind:  Mapping
    name:  login-mapping
    prefix: /login/
    service: login-app:8080
    bypass_auth: true

Check this if you want to know more about authentication in Ambassador.

EDIT: According to this answer, it is good practice to use the header Authorization: Bearer {base64-API-KEY}. In Ambassador the Authorization header is allowed by default, so you don't need to pass it in the allowed_request_headers field.

-- victortv
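To make step 3 concrete, here is an added example of such an auth-app (not from the original answer or from the Ambassador project), written in Python with only the standard library. It answers 200 only for a valid API-KEY on a protected prefix and relays a 401 or 404 otherwise; the key store, client name and sample key are constructed for illustration.

```python
"""Minimal external auth service for the AuthService flow described above."""
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample key store: sha256(api_key) -> client name. Storing only
# digests means a leaked store does not hand out usable credentials.
KEY_STORE = {
    hashlib.sha256(b"example-key-for-client-a").hexdigest(): "client-a",
}

# Path prefixes this service authorizes; they mirror the protected Mappings.
PROTECTED_PREFIXES = ("/myapp/",)


def lookup_client(api_key):
    """Return the client owning api_key, or None. Comparison is constant-time."""
    if not api_key:
        return None
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored_digest, client in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            return client
    return None


def authorize(path, headers):
    """Status code Ambassador should receive: 200 lets the request through."""
    if not path.startswith(PROTECTED_PREFIXES):
        return 404  # no matching endpoint: fail closed
    if lookup_client(headers.get("API-KEY")) is None:
        return 401  # missing or unknown key; Ambassador relays this to the client
    return 200


class AuthHandler(BaseHTTPRequestHandler):
    def _handle(self):
        status = authorize(self.path, self.headers)  # header lookup is case-insensitive
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    # Port 8080 matches auth_service: "auth-app:8080" in the annotation above.
    HTTPServer(("0.0.0.0", 8080), AuthHandler).serve_forever()
```

Because Ambassador forwards only the headers listed in allowed_request_headers, a request lacking API-KEY reaches this service with no key at all and is rejected with 401 before any backend is touched.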
Source: StackOverflow