ambassador 可以在请求路由之前进行认证处理,一般的我们可能会使用第三方的认证服务
基本的环境安装可以参考相关文档
安装&&运行qotm 服务
可以参考官方文档,或者https://github.com/rongfengliang/ambassador-learning安装运行认证服务
- demo 地址
https://github.com/datawire/ambassador-auth-service- 运行(我使用k8s 运行)
---
apiVersion: v1
kind: Service
metadata:
name: example-auth
spec:
type: ClusterIP
selector:
app: example-auth
ports:
- port: 3000
name: http-example-auth
targetPort: http-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: example-auth
spec:
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: example-auth
spec:
containers:
- name: example-auth
image: datawire/ambassador-auth-service:1.1.1
imagePullPolicy: Always
ports:
- name: http-api
containerPort: 3000
resources:
limits:
cpu: "0.1"
memory: 100Mi
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth.yaml认证配置服务说明
- 认证服务监听的端口3000
- 认证服务请求起始是 /extauth/;
- /qotm/quote/ 开头的请求都会进行basic auth
- 请求只允许用户名密码格式
- 同时需要一个x-qotm-session header
auth 服务配置
---
apiVersion: v1
kind: Service
metadata:
name: example-auth
annotations:
getambassador.io/config: |
---
apiVersion: ambassador/v0
kind: AuthService
name: authentication
auth_service: "example-auth:3000"
path_prefix: "/extauth"
allowed_headers:
- "x-qotm-session"
spec:
type: ClusterIP
selector:
app: example-auth
ports:
- port: 3000
name: http-example-auth
targetPort: http-api
使用官方提供的配置文件
kubectl apply -f https://www.getambassador.io/yaml/demo/demo-auth-enable.yaml测试服务
- 服务部署状态
- 测试
没有使用用户密码
使用用户密码
说明
总的来说还是比较简单的,同时比较方便参考资料
https://www.getambassador.io/user-guide/auth-tutorial
https://github.com/rongfengliang/ambassador-learning