Support several auth (and rate limit) services via single Gateway #2257
Comments
Linking to #2244 as this change would require supporting multiple filter chains for the same We should come up with a generic API design that supports both these use cases and lends itself to being easily extended.
One suggestion, though.
@marcogschmidt thanks for pinging me on this. Let me know when you're ready to discuss.
I interpret the original description as wanting multiple auth servers in the same API gateway, but not necessarily in the same
@rickducott well, having several specific CRDs for customauth, and then referring to them in Virtual Services / Route Tables, would be the best.
Gotcha, thanks.
Spoke with another user who +1'ed the route- or virtual service-level config (rather than
I have a similar need to have different auth at the virtual service level. I use one Gateway CR for several Virtual Services. For me, a VirtualService represents a user domain. I could use multiple ELBs, but that adds cost.
The problem is that the ext auth filter config is on the listener / gateway level.
Ok, but what is the problem with modifying the envoy config when a new auth is added for a virtual service? Any technical obstacles? Or is it only a matter of development time? Am I wrong in this assumption?
The part of the config that points ext auth to the extauth server is at the listener / gateway level, and is not exposed in the route-level config. For reference, here is the envoy config for the ext auth filter: as you can see, only
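The Envoy config the comment above refers to is not preserved on this page. The following is an added illustration (not the config posted in the thread, and not Gloo's generated output) of the point being made: in Envoy's `ext_authz` HTTP filter the authorization server is named by `grpc_service` inside the listener's `http_filters`, while the per-route override (`ExtAuthzPerRoute`) can only disable the check or attach `context_extensions`; it cannot point a route at a different auth server. Cluster names, hostnames and the `tenant` extension key are constructed for the example.

```yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          # Listener level: this is the only place the ext auth server is selected.
          # Every route behind this listener talks to the same cluster.
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              grpc_service:
                envoy_grpc:
                  cluster_name: extauth_team_a   # constructed: one auth server per listener
              # Fail closed: if the auth server is unreachable, requests are denied.
              failure_mode_allow: false
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: team_a
              domains: ["a.example.com"]          # constructed
              routes:
              - match: { prefix: "/" }
                route: { cluster: app_a }
                # Route level: only per-route *settings* for the same server are allowed,
                # e.g. passing extra context to it. There is no field for a different server.
                typed_per_filter_config:
                  envoy.filters.http.ext_authz:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                    check_settings:
                      context_extensions:
                        tenant: team-a               # constructed key/value
            - name: public
              domains: ["public.example.com"]     # constructed
              routes:
              - match: { prefix: "/healthz" }
                route: { cluster: app_a }
                # The other thing a route may do: opt out of the listener's auth check.
                typed_per_filter_config:
                  envoy.filters.http.ext_authz:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                    disabled: true
  clusters:
  - name: extauth_team_a
    type: STATIC
    connect_timeout: 1s
    http2_protocol_options: {}                   # ext_authz gRPC requires HTTP/2
    load_assignment:
      cluster_name: extauth_team_a
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9001 }   # constructed
  - name: app_a
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: app_a
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8081 }   # constructed
```

The practical consequence for a defender is the one the thread arrives at: to give two tenants two different auth servers you need two listeners (in Gloo terms, two Gateways), and a route that should not be authenticated should use `disabled: true` explicitly rather than relying on the absence of a server, so the default stays fail-closed.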
@yuval-k does that mean this issue will never be implemented? Or what are the next steps?
I suggest this is implemented at the gateway vs the settings level. That would enable the use of gateway.virtualServiceSelector to have one control plane manage 2 completely separate data planes.
@rickducott Any plans for implementing @bdecoste's suggestion above?
Any updates?
Sorry about the delay, we have been discussing internally. We are going to move ahead with @bdecoste's suggestion above, adding support for configuring these upstream services on the
Awesome!
@rickducott could you provide an example of how the config will look?
Here's an example of what it could look like:
@ashleywang1 hmmmmm - and where are the multiple custom auth services??
Gloo supports multiple gateways, so this approach means that one extauth service can be customized per listener. Here's an example of multiple gateways, each with its own extauth config:
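The multi-gateway example from the comment above did not survive on this page. Below is an added illustration, written for this thread and not taken from the comment or from the Gloo project, of what "one extauth service per listener" looks like when each tenant gets its own Gateway and its own gateway-proxy. It assumes the Gloo Gateway CRD shape from that era (`spec.httpGateway.options.extauth.extauthzServerRef` pointing at an Upstream, `spec.httpGateway.virtualServiceSelector`, and `spec.proxyNames`); confirm the field names against the reference for the Gloo version you run. The names `extauth-team-a`, `extauth-team-b`, `gateway-proxy-2` and the `team` label are constructed.

```yaml
# Gateway 1: served by the default gateway-proxy, only Virtual Services
# labelled team=a are attached, and they are authenticated by team A's server.
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  ssl: false
  proxyNames:
  - gateway-proxy              # existing gateway-proxy deployment / LoadBalancer
  httpGateway:
    virtualServiceSelector:
      team: a                  # constructed label; selects which VirtualServices bind here
    options:
      extauth:
        extauthzServerRef:     # assumed field name; references an Upstream for the auth server
          name: extauth-team-a
          namespace: gloo-system
---
# Gateway 2: a second listener on a second gateway-proxy, with a different auth server.
# Because the auth server is chosen per listener, this is the only way to get
# a second custom auth service in one Gloo installation.
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  name: gateway-proxy-2
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  ssl: false
  proxyNames:
  - gateway-proxy-2            # constructed; a second proxy defined via the helm values
  httpGateway:
    virtualServiceSelector:
      team: b
    options:
      extauth:
        extauthzServerRef:
          name: extauth-team-b
          namespace: gloo-system
---
# The selector is what keeps the tenants apart: a VirtualService only binds to the
# gateway whose selector matches its labels, so a team=b host can never be routed
# through the listener that authenticates with team A's server.
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: team-b-domain
  namespace: gloo-system
  labels:
    team: b
spec:
  virtualHost:
    domains:
    - b.example.com            # constructed
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: team-b-app   # constructed Upstream name
            namespace: gloo-system
```

Each entry in `proxyNames` corresponds to a separate gateway-proxy deployment and therefore a separate Kubernetes LoadBalancer service, which is the cost trade-off raised earlier in the thread; a label mistake on a VirtualService makes it bind to no gateway rather than to the wrong one, which is the safer failure mode.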
More food for thought. My company uses jwts as session tokens. I can almost use gloo to authenticate them. However, the tokens can be revoked before they expire. I need a way to check this. With the gloo design for auth, I don't see a way to use the gloo built-in auth and add a simple custom auth to check for revocation.
@derrickburns this use case makes sense - I'm tracking #2601 for similar cases |
@ashleywang1 could you also provide an example of how to set up multiple gateways within a single installation of Gloo, preferably via helm?
Here's an example of a helm override file:
This will set up the following 4 Gateways within a single installation of Gloo open source. To get the same result with Gloo Enterprise, the helm override file needs to be modified with all the values going under the gloo subchart:
@ashleywang1 hopefully the last question - how many provider-specific load balancers will be created?
Based on this, there should be one load balancer per gateway-proxy-id (e.g. gateway-proxy or gateway-proxy-2). Each gateway-proxy instance can support an ssl and a non-ssl Gateway type. So in the example above, 2 LoadBalancers would be created, and each would need the helm override annotation:
to integrate with AWS.
@ashleywang1 so eventually there should be 1 service
Yep! There will be 2 Kubernetes LoadBalancer services.
@ashleywang1 Thank you!
Slack context https://solo-io.slack.com/archives/C9L6VPAUW/p1579627480092100
@christian-posta
Currently only a single custom auth can be declared in the Settings object. It would be great to have the possibility to declare several custom auth services to use for different routes / virtual services served by a single proxy configured by Settings.
For example, a scenario can be a dev-stage k8s cluster with dozens of "envs" handling multiple teams / customers. In this case a single Gloo proxy can serve them all, based on different virtual hosts.
But for this particular scenario several custom auth servers may be required to isolate customer data, hide users between teams, etc.
There's no technical proposal from my side, only a feature requirement.