ambassador 學習二 認證

ambassador 能夠在請求路由以前進行認證處理，通常的咱們可能會使用第三方的認證服務

基本的環境安裝能夠參考相關文檔

安裝&&運行qotm 服務

能夠參考官方文檔，或者https://github.com/rongfengliang/ambassador-learning

安裝運行認證服務

• demo 地址

https://github.com/datawire/ambassador-auth-service

• 運行(我使用k8s 運行)

---
apiVersion: v1
kind: Service
metadata:
  name: example-auth
spec:
  type: ClusterIP
  selector:
    app: example-auth
  ports:
  - port: 3000
    name: http-example-auth
    targetPort: http-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: example-auth
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: example-auth
    spec:
      containers:
      - name: example-auth
        image: datawire/ambassador-auth-service:1.1.1
        imagePullPolicy: Always
        ports:
        - name: http-api
          containerPort: 3000
        resources:
          limits:
            cpu: "0.1"
            memory: 100Mi
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth.yaml

認證配置服務說明

• 認證服務監聽的端口3000
• 認證服務請求起始是 /extauth/;
• /qotm/quote/ 開頭的請求都會進行basic auth
• 請求只容許用戶名密碼格式
• 同時須要一個x-qotm-session header

auth 服務配置

---
apiVersion: v1
kind: Service
metadata:
  name: example-auth
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind:  AuthService
      name:  authentication
      auth_service: "example-auth:3000"
      path_prefix: "/extauth"
      allowed_headers:
      - "x-qotm-session"
spec:
  type: ClusterIP
  selector:
    app: example-auth
  ports:
  - port: 3000
    name: http-example-auth
    targetPort: http-api
使用官方提供的配置文件
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth-enable.yaml

測試服務

• 服務部署狀態
  
• 測試
  沒有使用用戶密碼
  
  使用用戶密碼
  

說明

總的來講仍是比較簡單的，同時比較方便

參考資料

https://www.getambassador.io/user-guide/auth-tutorial
https://github.com/rongfengliang/ambassador-learning