Red Hat SummitChapter 4. Connectivity Link application developer workflow
This section of the walkthrough shows how as an application developer you can override your existing Gateway-level policies to configure your application-level routing, authentication, and rate limiting requirements.
Prerequisites
- Your Connectivity Link environment is set up and policies are configured as described in Chapter 3, Connectivity Link platform engineer workflow.
4.1. Step 1 - Deploy the toystore app
Procedure
Create the namespace for your application as follows, if it does not already exist:
kubectl create ns ${devNS}Deploy the
toystoreapplication to your developer namespace as follows, if it has not already been deployed:kubectl apply -f https://raw.githubusercontent.com/Kuadrant/Kuadrant-operator/main/examples/toystore/toystore.yaml -n ${devNS}
4.2. Step 2 - Set up the HTTPRoute for your API
Procedure
Enter the following command to define an HTTP route for your Toystore application API:
kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: toystore labels: deployment: toystore service: toystore spec: parentRefs: - name: ${gatewayName} namespace: ${gatewayNS} hostnames: - "api.${rootDomain}" rules: - matches: - method: GET path: type: PathPrefix value: "/cars" - method: GET path: type: PathPrefix value: "/dolls" backendRefs: - name: toystore port: 80 - matches: - path: type: PathPrefix value: "/admin" backendRefs: - name: toystore port: 80 EOFWith this
HTTPRoutein place, the service that you deployed is now exposed by the Gateway.You can access your API endpoint over HTTPS as follows:
export INGRESS_HOST=$(kubectl get gtw ${gatewayName} -o jsonpath='{.status.addresses[0].value}' -n api-gateway) curl --resolve api.${rootDomain}:443:${INGRESS_HOST} "https://api.${rootDomain}/cars"
4.3. Step 3 - Override the Gateway’s deny-all AuthPolicy
Next, you will allow authenticated access to the Toystore API. You can do this by defining an AuthPolicy that targets the HTTPRoute resource created in the previous step.
Any new HTTPRoutes will still be affected by the existing Gateway-level policy. Because you want users to now access this API, you must override that Gateway policy. For simplicity, you can use API keys to authenticate the requests, but other options such as OpenID Connect are also available.
Procedure
Define API keys for bob and alice users as follows:
kubectl apply -f - <<EOF apiVersion: v1 kind: Secret metadata: name: bob-key labels: authorino.kuadrant.io/managed-by: authorino app: toystore annotations: secret.kuadrant.io/user-id: bob stringData: api_key: IAMBOB type: Opaque --- apiVersion: v1 kind: Secret metadata: name: alice-key labels: authorino.kuadrant.io/managed-by: authorino app: toystore annotations: secret.kuadrant.io/user-id: alice stringData: api_key: IAMALICE type: Opaque EOFOverride the
AuthPolicyto start accepting the API keys as follows:kubectl apply -f - <<EOF apiVersion: kuadrant.io/v1 kind: AuthPolicy metadata: name: toystore spec: targetRef: group: gateway.networking.k8s.io kind: HTTPRoute name: toystore rules: authentication: "api-key-users": apiKey: selector: matchLabels: app: toystore credentials: authorizationHeader: prefix: APIKEY response: success: filters: "identity": json: properties: "userid": selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id EOF
4.4. Step 4 - Override the Gateway’s RateLimitPolicy
The configured Gateway limits provide a good set of limits for the general case. However, as the developer of the Toystore API, you might want to only allow a certain number of requests for specific users, and a general limit for all other users.
Procedure
Enter the following command to set rate limits for specific users:
kubectl apply -f - <<EOF apiVersion: kuadrant.io/v1 kind: RateLimitPolicy metadata: name: toystore spec: targetRef: group: gateway.networking.k8s.io kind: HTTPRoute name: toystore limits: "general-user": rates: - limit: 1 duration: 3 unit: second counters: - metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid when: - selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid operator: neq value: bob "bob-limit": rates: - limit: 2 duration: 3 unit: second when: - selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid operator: eq value: bob EOFNoteIt might take a few minutes for the
RateLimitPolicyto be applied, depending on your cluster.As another example, you could give bob twice as many requests to use compared to all other users.
To test your new setup, send requests as alice as follows:
while :; do curl --resolve api.${rootDomain}:443:${INGRESS_HOST} --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' "https://api.${rootDomain}/cars" | grep -E --color "\b(429)\b|$"; sleep 1; doneSend requests as bob as follows:
while :; do curl --resolve api.${rootDomain}:443:${INGRESS_HOST} --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' "https://api.${rootDomain}/cars" | grep -E --color "\b(429)\b|$"; sleep 1; doneNoteIf you set up a DNS provider and configured a
DNSPolicyas described in the platform engineer workflow, you can omit the--resolve api.${rootDomain}:443:${INGRESS_HOST}flag. For example, for alice as follows:while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' "https://api.${rootDomain}/cars" | grep -E --color "\b(429)\b|$"; sleep 1; doneNoteIf you followed through this guide on more than one cluster, the DNS record for the
HTTPRoutehostname will have multiple IP addresses. This means that requests will be made in a round-robin pattern across clusters because your DNS provider sends different responses to lookups.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}