This sample provides a reverse proxy that dispatches requests to other microservices running in Kyma. It includes a middleware that handles authentication based on OpenID Connect and can be configured to use XSUAA or SAP IAS. The authentication middleware creates a server-side session, which is referenced by a cookie issued to the client. It also includes a middleware that validates user scopes per HTTP method. By default the app uses a memory store for user sessions, which is meant for development only; it also contains a Redis implementation for storing sessions, which is the preferred option. See store-implementations for other options.
This sample demonstrates how to:

- Create a development Namespace in the Kyma runtime.
- Consume the SCP service XSUAA.
- Deploy the following Kubernetes resources:
  - API deployment written in Go
  - APIRule
  - Service
  - ConfigMap
  - ServiceBinding
  - ServiceBindingUsage
Prerequisites:

- SAP BTP, Kyma runtime instance
- Docker
- Go
- kubectl configured to use the `KUBECONFIG` file downloaded from the Kyma runtime
- Create a new `dev` Namespace:

  ```shell
  kubectl create namespace dev
  kubectl label namespaces dev istio-injection=enabled
  ```

- Open the file `k8s/xsuaa-instance.yaml`, adjust the value `<cluster domain>`, and then apply the file:

  ```shell
  kubectl -n dev apply -f ./k8s/xsuaa-instance.yaml
  ```

  For a complete list of parameters visit Application Security Descriptor Configuration Syntax.
- Once the instance is provisioned, choose the menu option Service Management -> BTP Service Bindings within the `dev` namespace.
- Choose the Secret, which should display the instance secret in a dialog. Choose Decode to view the values. These will be needed if running the sample locally.
- Optionally set the environment variables required to connect with the XSUAA instance, which can be found in the Secret generated with the service instance (the values are quoted so that the angle brackets of a pasted placeholder are not interpreted by the shell):

  ```shell
  export IDP_clientid='<instance clientid>'
  export IDP_clientsecret='<instance clientsecret>'
  export IDP_url='<instance url>'
  export IDP_xsappname='<xsappname>'
  ```
- Adjust the `config.json`, which contains the properties listed below. The provided `config.json` is configured to use the examples:
  - React frontend MS SQL
    - Requires the ConfigMap `API_URL` to point to `https://app-auth-proxy.<cluster domain>`
  - Golang MS SQL database API

| Property | Description | Remarks |
| --- | --- | --- |
| routes | An array of routes to be proxied | |
| routes.path | The incoming path | |
| routes.priority | The priority of the path, with 1 being the highest | |
| routes.protected | Whether the auth middleware is required on the path | |
| routes.remove_from_path | If assigned, this value is removed from routes.path before the call is proxied | |
| routes.target | The target of the proxied route, which can be a service URL | |
| routes.http_method_scopes | An array containing HTTP methods and their associated user scopes | For no restrictions this can be omitted or assigned `http_method: "*", scope: "*"` |
| routes.http_method_scopes.http_method | An HTTP method, for example GET | |
| routes.http_method_scopes.scope | A scope which is allowed to call the given http_method on the route path | Use `$XSAPPNAME` for the application name, for example using a Kyma scope: `$XSAPPNAME.runtimeDeveloper` |
| idp_config | Optionally set IDP config if not using a service binding | |
| idp_config.url | The IDP URL | If this value is not set, the environment variables will be used |
| idp_config.clientsecret | The IDP client secret | |
| idp_config.clientid | The IDP client ID | |
| idp_config.token_endpoint_auth_method | The HTTP method used during authentication | For XSUAA use `client_secret_post`, for SAP IAS use `client_secret_basic` |
| redirect_uri | The registered redirect_uri to be called | |
| debug | Toggle debug on or off | |
| redis_store | When configured, the app uses Redis to store the sessions; otherwise a memory store is used, which should only be used for evaluation | |
| redis_store.addr | The service address of the Redis database | If this value is not set, memory storage will be used to store the session |
| redis_store.password | The password of the Redis database | |
| redis_store.db | The database index | |
| cookie.session_name | The name of the session cookie | |
| cookie.max_age_seconds | The max age of the session cookie | |
| cookie.key | The key used to encrypt the session cookie | |
| cookie.httponly | Whether the cookie can be accessed with JavaScript or only over HTTP | |
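The following Go program is an added example that is not part of this sample's code base: it shows how the `routes` properties from the table above (path, priority, protected, remove_from_path, target and http_method_scopes) combine into the route-matching and per-method scope decision that the overview describes. The route configuration, the `myapp` xsappname, the `myapp.reader` / `myapp.writer` scopes and the service hostnames are all constructed for the example; the `Session` type stands in for whatever the real middleware loads from its memory or Redis store, and the function and type names are the example's own, not the project's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Route and MethodScope mirror the routes.* properties of config.json (see the table).
type Route struct {
	Path             string        `json:"path"`
	Priority         int           `json:"priority"` // 1 is the highest
	Protected        bool          `json:"protected"`
	RemoveFromPath   string        `json:"remove_from_path"`
	Target           string        `json:"target"`
	HTTPMethodScopes []MethodScope `json:"http_method_scopes"`
}

type MethodScope struct {
	HTTPMethod string `json:"http_method"` // e.g. "GET", or "*" for any method
	Scope      string `json:"scope"`       // "$XSAPPNAME.x", or "*" for any scope
}

// Session stands in for the server-side session found via the cookie; nil = no valid session.
type Session struct{ Scopes []string }

// sampleConfig is constructed for this example; the targets are placeholder URLs.
const sampleConfig = `{"routes": [
  {"path": "/api", "priority": 1, "protected": true, "remove_from_path": "/api",
   "target": "http://db-api.dev.svc.cluster.local:8000", "http_method_scopes": [
     {"http_method": "GET", "scope": "$XSAPPNAME.reader"}, {"http_method": "POST", "scope": "$XSAPPNAME.writer"}]},
  {"path": "/", "priority": 2, "protected": false, "target": "http://frontend.dev.svc.cluster.local:80",
   "http_method_scopes": [{"http_method": "*", "scope": "*"}]}]}`

// LoadConfig parses the routes array and orders it so that priority 1 is tried first.
func LoadConfig(data []byte) ([]Route, error) {
	var cfg struct{ Routes []Route `json:"routes"` }
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	sort.SliceStable(cfg.Routes, func(i, j int) bool { return cfg.Routes[i].Priority < cfg.Routes[j].Priority })
	return cfg.Routes, nil
}

// Match returns the highest-priority route whose path is a prefix of reqPath.
func Match(routes []Route, reqPath string) (*Route, bool) {
	for i := range routes {
		if strings.HasPrefix(reqPath, routes[i].Path) {
			return &routes[i], true
		}
	}
	return nil, false
}

// UpstreamPath applies remove_from_path before the call is proxied to target.
func (r *Route) UpstreamPath(reqPath string) string {
	if p := strings.TrimPrefix(reqPath, r.RemoveFromPath); p != "" {
		return p
	}
	return "/"
}

// Authorize returns the status the proxy answers with before forwarding: 401 for a protected
// route without a session, 403 when the session lacks the scope configured for the method,
// otherwise 200. An omitted http_method_scopes means no restriction (as in the table); a list
// naming neither the method nor "*" fails closed with 403.
func (r *Route) Authorize(method, xsappname string, s *Session) int {
	if !r.Protected {
		return 200
	}
	if s == nil {
		return 401
	}
	if len(r.HTTPMethodScopes) == 0 {
		return 200
	}
	for _, ms := range r.HTTPMethodScopes {
		if ms.HTTPMethod != "*" && !strings.EqualFold(ms.HTTPMethod, method) {
			continue
		}
		if ms.Scope == "*" {
			return 200
		}
		want := strings.ReplaceAll(ms.Scope, "$XSAPPNAME", xsappname) // e.g. myapp.reader
		for _, have := range s.Scopes {
			if have == want {
				return 200
			}
		}
	}
	return 403
}

func main() {
	routes, _ := LoadConfig([]byte(sampleConfig)) // sampleConfig is known-good JSON
	api, _ := Match(routes, "/api/orders")
	reader := &Session{Scopes: []string{"myapp.reader"}}
	fmt.Println(api.Authorize("GET", "myapp", nil), api.Authorize("POST", "myapp", reader), api.UpstreamPath("/api/orders"))
}
```

Two points worth noticing when writing your own `config.json`: the priority order decides which route wins when paths overlap (here `/api` must sit above the catch-all `/`, otherwise every API call would be proxied unauthenticated to the frontend), and a scope list that does not mention a method denies that method rather than letting it through, so a DELETE against the `/api` route above is rejected even for a user holding both scopes. The prefix match shown here is deliberately simple; a production router should compare whole path segments so that `/apiary` is not treated as `/api`.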
- Run the application:

  ```shell
  go run ./cmd/proxy
  ```

- Accessible endpoints include
- Build and push the image to your Docker repository:

  ```shell
  docker build -t {your-docker-account}/app-auth-proxy -f docker/Dockerfile .
  docker push {your-docker-account}/app-auth-proxy
  ```

- To run the image locally, adjust the `config.json` and either set the env variables individually or copy them from your environment:

  ```shell
  docker run -p 8000:8000 --env-file ./env.list --mount type=bind,source=$(pwd)/config/config.json,target=/app/config/config.json -d jcawley5/app-auth-proxy:latest
  ```

  OR

  ```shell
  docker run -p 8000:8000 --env-file <(env | grep IDP) --mount type=bind,source=$(pwd)/config/config.json,target=/app/config/config.json -d jcawley5/app-auth-proxy:latest
  ```
- Create a new `dev` Namespace:

  ```shell
  kubectl create namespace dev
  ```

- Within `./k8s/configmap.yaml` adjust the values and then apply the ConfigMap:

  ```shell
  kubectl -n dev apply -f ./k8s/configmap.yaml
  ```
- Get the name of the ServiceInstance:

  ```shell
  kubectl -n dev get serviceinstances
  ```

  For example:

  ```
  NAME               CLASS                       PLAN          STATUS   AGE
  xsuaa-showy-yard   ClusterServiceClass/xsuaa   application   Ready    63m
  ```

- Within `./k8s/deployment.yaml` adjust the value of `<Service Instance Name>` to the XSUAA service instance name and then apply the Deployment:

  ```shell
  kubectl -n dev apply -f ./k8s/deployment.yaml
  ```
- Apply the APIRule:

  ```shell
  kubectl -n dev apply -f ./k8s/apirule.yaml
  ```

- Verify that the Deployment is up and running:

  ```shell
  kubectl -n dev get deployment app-auth-proxy
  ```

- Use the APIRule: `https://app-auth-proxy.{cluster-domain}`