mirror of https://github.com/status-im/consul.git
Adding Apigee for ext_authz, minor fix in the default ext_authz docs (#18796)
* adding apigee for ext_authz, minor fix * adding the Apigee docs to nav * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Blake Covarrubias <blake.covarrubias@gmail.com> * addressing feedback * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Blake Covarrubias <blake.covarrubias@gmail.com>
This commit is contained in:
parent
4357362973
commit
132c1eaa87
|
@ -0,0 +1,199 @@
|
|||
---
|
||||
layout: docs
|
||||
page_title: Delegate authorization to Apigee
|
||||
description: Learn how to use the `ext-authz` Envoy extension to delegate data plane authorization requests to Apigee.
|
||||
---
|
||||
|
||||
# Delegate authorization to Apigee
|
||||
|
||||
This topic describes how to use the external authorization Envoy extension to delegate data plane authorization requests to Apigee.
|
||||
|
||||
For more detailed guidance, refer to the [`learn-consul-apigee-external-authz` repo on GitHub](https://github.com/hashicorp-education/learn-consul-apigee-external-authz).
|
||||
|
||||
## Workflow
|
||||
|
||||
Complete the following steps to use the external authorization extension with Apigee:
|
||||
|
||||
1. Deploy the Apigee Adapter for Envoy and register the service in Consul.
|
||||
1. Configure the `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry.
|
||||
1. Apply the configuration entry.
|
||||
|
||||
## Deploy the Apigee Adapter for Envoy
|
||||
|
||||
The [Apigee Adapter for Envoy](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/concepts) is an Apigee-managed API gateway that uses Envoy to proxy API traffic.
|
||||
|
||||
To download and install Apigee Adapter for Envoy, refer to the [getting started documentation](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/getting-started) or follow along with the [`learn-consul-apigee-external-authz` repo on GitHub](https://github.com/hashicorp-education/learn-consul-apigee-external-authz).
|
||||
|
||||
After you deploy the service in your desired runtime, create a service defaults configuration entry for the service's gRPC protocol.
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="HCL" group="hcl">
|
||||
<CodeBlockConfig filename="apigee-remote-service-envoy.hcl">
|
||||
|
||||
```hcl
|
||||
Kind = "service-defaults"
|
||||
Name = "apigee-remote-service-envoy"
|
||||
Protocol = "grpc"
|
||||
```
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
<Tab heading="JSON" group="json">
|
||||
<CodeBlockConfig filename="apigee-remote-service-envoy.json">
|
||||
|
||||
```json
|
||||
{
|
||||
"kind": "service-defaults",
|
||||
"name": "apigee-remote-service-envoy",
|
||||
"protocol": "grpc"
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
<Tab heading="YAML" group="yaml">
|
||||
<CodeBlockConfig filename="apigee-remote-service-envoy.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: consul.hashicorp.com/v1alpha1
|
||||
kind: ServiceDefaults
|
||||
metadata:
|
||||
name: apigee-remote-service-envoy
|
||||
namespace: apigee
|
||||
spec:
|
||||
protocol: grpc
|
||||
```
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
## Configure the `EnvoyExtensions`
|
||||
|
||||
Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
|
||||
|
||||
- When you configure Envoy extensions on proxy defaults, they apply to every service.
|
||||
- When you configure Envoy extensions on service defaults, they apply to all instances of a service with that name.
|
||||
|
||||
<Warning>
|
||||
Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
|
||||
</Warning>
|
||||
|
||||
Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
|
||||
|
||||
The following example configures the default behavior for all services named `api` so that the Envoy proxies running as sidecars for those service instances target the apigee-remote-service-envoy service for gRPC authorization requests:
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="HCL" group="hcl">
|
||||
<CodeBlockConfig filename="api-auth-service-defaults.hcl">
|
||||
|
||||
```hcl
|
||||
Kind = "service-defaults"
|
||||
Name = "api"
|
||||
EnvoyExtensions = [
|
||||
{
|
||||
Name = "builtin/ext-authz"
|
||||
Arguments = {
|
||||
ProxyType = "connect-proxy"
|
||||
Config = {
|
||||
GrpcService = {
|
||||
Target = {
|
||||
Service = {
|
||||
Name = "apigee-remote-service-envoy"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
```
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
|
||||
<Tab heading="JSON" group="json">
|
||||
<CodeBlockConfig filename="api-auth-service-defaults.json">
|
||||
|
||||
```json
|
||||
{
|
||||
"Kind": "service-defaults",
|
||||
"Name": "api",
|
||||
"EnvoyExtensions": [{
|
||||
"Name": "builtin/ext-authz",
|
||||
"Arguments": {
|
||||
"ProxyType": "connect-proxy",
|
||||
"Config": {
|
||||
"GrpcService": {
|
||||
"Target": {
|
||||
"Service": {
|
||||
"Name": "apigee-remote-service-envoy"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
|
||||
<Tab heading="YAML" group="yaml">
|
||||
<CodeBlockConfig filename="api-auth-service-defaults.yaml">
|
||||
|
||||
```yaml
|
||||
apiVersion: consul.hashicorp.com/v1alpha1
|
||||
kind: ServiceDefaults
|
||||
metadata:
|
||||
name: api
|
||||
namespace: default
|
||||
spec:
|
||||
envoyExtensions:
|
||||
- name: builtin/ext-authz
|
||||
arguments:
|
||||
proxyType: connect-proxy
|
||||
config:
|
||||
grpcService:
|
||||
target:
|
||||
service:
|
||||
name: apigee-remote-service-envoy
|
||||
namespace: apigee
|
||||
```
|
||||
</CodeBlockConfig>
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
Refer to the [external authorization extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/ext-authz) for details on how to configure the extension.
|
||||
|
||||
Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries.
|
||||
|
||||
## Apply the configuration entry
|
||||
|
||||
On the CLI, you can use the `consul config write` command and specify the names of the configuration entries to apply them to Consul. For Kubernetes-orchestrated networks, use the `kubectl apply` command to update the relevant CRD.
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="HCL" group="hcl">
|
||||
|
||||
```shell-session
|
||||
$ consul config write apigee-remote-service-envoy.hcl
|
||||
$ consul config write api-auth-service-defaults.hcl
|
||||
```
|
||||
|
||||
</Tab>
|
||||
<Tab heading="JSON" group="json">
|
||||
|
||||
```shell-session
|
||||
$ consul config write apigee-remote-service-envoy.json
|
||||
$ consul config write api-auth-service-defaults.json
|
||||
```
|
||||
|
||||
</Tab>
|
||||
<Tab heading="YAML" group="yaml">
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f apigee-remote-service-envoy.yaml
|
||||
$ kubectl apply -f api-auth-service-defaults.yaml
|
||||
```
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
|
@ -57,9 +57,10 @@ EnvoyExtensions = [
|
|||
<CodeBlockConfig filename="api-auth-service-defaults.json">
|
||||
|
||||
```json
|
||||
"Kind": "service-defaults",
|
||||
"Name": "api",
|
||||
"EnvoyExtensions": [{
|
||||
{
|
||||
"Kind": "service-defaults",
|
||||
"Name": "api",
|
||||
"EnvoyExtensions": [{
|
||||
"Name": "builtin/ext-authz",
|
||||
"Arguments": {
|
||||
"ProxyType": "connect-proxy",
|
||||
|
@ -74,7 +75,8 @@ EnvoyExtensions = [
|
|||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
|
|
@ -503,6 +503,10 @@
|
|||
{
|
||||
"title": "Usage",
|
||||
"routes": [
|
||||
{
|
||||
"title": "Delegate authorization to Apigee",
|
||||
"path": "connect/proxies/envoy-extensions/usage/apigee-ext-authz"
|
||||
},
|
||||
{
|
||||
"title": "Delegate authorization to external services",
|
||||
"path": "connect/proxies/envoy-extensions/usage/ext-authz"
|
||||
|
|
Loading…
Reference in New Issue