Ambassador can authenticate incoming requests before routing them to backend services. In this tutorial we configure Ambassador to use an external, third-party authentication service.
# 1. Deploying the authentication service
Ambassador delegates the actual authentication logic to a third-party authentication service. We have written a simple authentication service for this purpose.
Ambassador routes every request through the authentication service and relies on that service to decide which resources require authentication and which do not. If Ambassador cannot reach the authentication service, it returns a 503 error. It is therefore important that the authentication service is running before Ambassador is configured to use it.
## 1.1 Preparing the environment
First, deploy an internal service that is routed through Ambassador:
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: say-hello
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: Mapping
      name: say_mapping
      prefix: /say-hello/
      service: say-hello
spec:
  selector:
    app: say-hello
  ports:
  - port: 80
    name: http-say
    targetPort: http-say-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: say-hello
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: say-hello
    spec:
      containers:
      - name: say-hello
        image: woms/say-hello:0.0.1
        ports:
        - name: http-say-api
          containerPort: 8080
```
Run the command: `kubectl apply -f say-hello.yml`
The request now succeeds: `http://$AMBASSADORURL/say-hello/say/hello`
The say-hello image itself serves the endpoint at: `http://localhost:8080/say/hello`
Note that the prefix is rewritten during routing here:
```
"prefix": "/say-hello/",
"prefix_rewrite": "/"
```
## 1.2 Deploying the authentication service
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: header-auth
spec:
  type: ClusterIP
  selector:
    app: header-auth
  ports:
  - port: 3000
    name: header-auth-port
    targetPort: app-port
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: header-auth
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: header-auth
    spec:
      containers:
      - name: header-auth
        image: woms/head-auth-service:0.0.1
        imagePullPolicy: Always
        ports:
        - name: app-port
          containerPort: 3000
```
Note that this Service does not yet carry any Ambassador annotations. The reason is that the authentication service must be running before Ambassador starts using it; otherwise Ambassador cannot reach the authentication service and returns a 503 error.
## 1.3 Configuring Ambassador to use the authentication service
Once the authentication service is running, we need to tell Ambassador about it, which you can think of as registering the authentication service with the Ambassador gateway. The simplest way is to add an Ambassador annotation to the authentication service's Service definition above. We modify the Service definition of the authentication service and re-apply it:
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: header-auth
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: AuthService
      name: authentication
      auth_service: "header-auth:3000"
      path_prefix: "/extauth"
      allowed_request_headers:
      - "x-qotm-session"
      allowed_authorization_headers:
      - "x-qotm-session"
spec:
  type: ClusterIP
  selector:
    app: header-auth
  ports:
  - port: 3000
    name: header-auth-port
    targetPort: app-port
```
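As an added example (not the `woms/head-auth-service` image or any Ambassador project code), here is a minimal Python authentication service that matches the AuthService above: Ambassador calls it with `path_prefix` `/extauth` prepended to the original path, a 200 response allows the request, and the `x-qotm-session` header it returns is copied onto the upstream request because it is listed in `allowed_authorization_headers`. The rule that only `/say-hello/` requires a session, and the session token itself, are constructed assumptions for the example.

```python
"""Minimal external auth service for Ambassador (constructed example).
Ambassador prepends path_prefix ("/extauth") to the original request path
before calling this service; 200 allows, any other status is returned as-is.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH_PREFIX = "/extauth"           # must equal path_prefix in the AuthService
SESSION_HEADER = "x-qotm-session"  # listed in allowed_request_headers
# Assumption for this example: only the say-hello Mapping requires a session,
# everything else is public. The token store is constructed test data.
PROTECTED_PREFIXES = ("/say-hello/",)
VALID_SESSIONS = {"constructed-session-token"}


def decide(path, headers):
    """Return (status, response_headers); `path` is exactly what Ambassador sent."""
    if path.startswith(PATH_PREFIX):
        path = path[len(PATH_PREFIX):] or "/"
    # Envoy lower-cases header names; normalise so lookups are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}
    if not path.startswith(PROTECTED_PREFIXES):
        return 200, {}
    session = lowered.get(SESSION_HEADER)
    if session in VALID_SESSIONS:
        # Echo the header: it is in allowed_authorization_headers, so
        # Ambassador copies it onto the request it sends to say-hello.
        return 200, {SESSION_HEADER: session}
    return 401, {}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, resp_headers = decide(self.path, dict(self.headers))
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.send_header("content-length", "0")
        self.end_headers()

    # Ambassador forwards the client's original method, so cover them all.
    do_POST = do_PUT = do_PATCH = do_DELETE = do_HEAD = do_GET


if __name__ == "__main__":
    # Listen on the containerPort declared for header-auth in the Deployment.
    HTTPServer(("0.0.0.0", 3000), AuthHandler).serve_forever()
```

With Ambassador configured as above, a request to `/say-hello/say/hello` without the `x-qotm-session` header is answered with the service's 401, while any other prefix passes straight through.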