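Ambassador can perform authentication before a request is routed; typically we would use a third-party authentication service for this.
For basic environment setup, see the relevant documentation.
Install and run the qotm service
See the official documentation, or https://github.com/rongfengliang/ambassador-learning
Install and run the authentication service
- Demo repository
https://github.com/datawire/ambassador-auth-service
- Run it (I run it on k8s)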
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: example-auth
spec:
  type: ClusterIP
  selector:
    app: example-auth
  ports:
  - port: 3000
    name: http-example-auth
    targetPort: http-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: example-auth
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: example-auth
    spec:
      containers:
      - name: example-auth
        image: datawire/ambassador-auth-service:1.1.1
        imagePullPolicy: Always
        ports:
        - name: http-api
          containerPort: 3000
        resources:
          limits:
            cpu: "0.1"
            memory: 100Mi
```

```
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth.yaml
```
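Authentication service configuration notes
- The authentication service listens on port 3000
- Requests to the authentication service start with /extauth/
- Every request whose path begins with /qotm/quote/ goes through basic auth
- Requests are accepted only in username/password form
- An x-qotm-session header is also needed
Auth service configuration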
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: example-auth
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: AuthService
      name: authentication
      auth_service: "example-auth:3000"
      path_prefix: "/extauth"
      allowed_headers:
      - "x-qotm-session"
spec:
  type: ClusterIP
  selector:
    app: example-auth
  ports:
  - port: 3000
    name: http-example-auth
    targetPort: http-api
```

Use the configuration file provided by the official site:

```
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth-enable.yaml
```
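The decision logic an external auth service has to implement for the configuration above, as an added example (not the code of datawire/ambassador-auth-service). The credentials, the realm string and the `RUN_AUTH_SERVER` switch are constructed for illustration; the port, the `/extauth` prefix, the `/qotm/quote/` route and the `x-qotm-session` header come from the page.

```javascript
const http = require('http');
const crypto = require('crypto');

const PREFIX = '/extauth';        // path_prefix from the AuthService config
const PROTECTED = '/qotm/quote/'; // only this route requires basic auth
const USER = 'demo-user';         // constructed sample credentials
const PASS = 'demo-pass';

// Compare fixed-length digests so the check does not leak length or prefix.
function safeEqual(a, b) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Parse "Authorization: Basic base64(user:pass)"; null on malformed input.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Ambassador forwards the request with PREFIX prepended. A 200 lets the
// request continue to the upstream; any other status goes back to the client.
function authorize(path, headers) {
  if (!path.startsWith(PREFIX + PROTECTED)) return { status: 200, headers: {} };
  const cred = parseBasic(headers['authorization']);
  const userOk = cred !== null && safeEqual(cred.user, USER);
  const passOk = cred !== null && safeEqual(cred.pass, PASS);
  if (!(userOk && passOk)) {
    return { status: 401, headers: { 'www-authenticate': 'Basic realm="example"' } };
  }
  // Reuse the caller's session id or mint one; the header is in allowed_headers.
  const session = headers['x-qotm-session'] || crypto.randomBytes(16).toString('hex');
  return { status: 200, headers: { 'x-qotm-session': session } };
}

function createServer() {
  return http.createServer((req, res) => {
    const decision = authorize(req.url, req.headers);
    res.writeHead(decision.status, decision.headers);
    res.end();
  });
}

// Start the listener only when asked to (hypothetical switch for this example).
if (process.env.RUN_AUTH_SERVER) createServer().listen(3000);
```

Every path outside `/qotm/quote/` is allowed without credentials, so the route prefix is the security boundary and should be checked against what the Mapping actually exposes.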
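Testing the service
- Service deployment status
- Test
Without a username and password
With a username and password
Notes
Overall this is fairly simple, and also quite convenient.
References
https://www.getambassador.io/user-guide/auth-tutorial
https://github.com/rongfengliang/ambassador-learning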