Ambassador can authenticate incoming requests before routing them to backend services. In this tutorial we configure Ambassador to use an external, third-party authentication service.

# 1. Deploying the authentication service

Ambassador delegates the actual authentication logic to a third-party authentication service. We have written a simple one. Ambassador routes every request through the authentication service and relies on that service to decide which resources require authentication and which do not: an HTTP 200 from the authentication service lets the request through to the backend, any other status is returned to the client. If Ambassador cannot reach the authentication service at all, it fails closed and returns a 503 error. It is therefore important that the authentication service is already running before Ambassador is told to use it.

## 1.1 Preparing the environment

First deploy an internal service that is routed through Ambassador:

```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: say-hello
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: Mapping
      name: say_mapping
      prefix: /say-hello/
      service: say-hello
spec:
  selector:
    app: say-hello
  ports:
  - port: 80
    name: http-say
    targetPort: http-say-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: say-hello
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: say-hello
    spec:
      containers:
      - name: say-hello
        image: woms/say-hello:0.0.1
        ports:
        - name: http-say-api
          containerPort: 8080
```

Run `kubectl apply -f say-hello.yml`.

The request now succeeds through the gateway: `http://$AMBASSADORURL/say-hello/say/hello`

Inside the container the say-hello image itself serves `http://localhost:8080/say/hello`. The two paths differ because the Mapping rewrites the prefix when routing: `/say-hello/` is replaced by `/` before the request is forwarded, as the generated Envoy route shows:

```
"prefix": "/say-hello/",
"prefix_rewrite": "/"
```

## 1.2 Deploying the authentication service

```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: header-auth
spec:
  type: ClusterIP
  selector:
    app: header-auth
  ports:
  - port: 3000
    name: header-auth-port
    targetPort: app-port
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: header-auth
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: header-auth
    spec:
      containers:
      - name: header-auth
        image: woms/head-auth-service:0.0.1
        imagePullPolicy: Always
        ports:
        - name: app-port
          containerPort: 3000
```

Note that this Service does not yet carry any Ambassador annotation. This is deliberate: the authentication service must be up before Ambassador starts using it, otherwise Ambassador cannot reach it and answers every request with a 503.

## 1.3 Configuring Ambassador to use the authentication service

Once the authentication service is running we have to tell Ambassador about it, in effect registering the authentication service with the gateway. The simplest way is to add an Ambassador annotation to the authentication Service above, so we edit the Service definition and re-apply it. In the `AuthService` resource, `auth_service` is the host:port Ambassador will call, `path_prefix` is prepended to the original request path when the request is forwarded to the authentication service (so `/say-hello/say/hello` arrives as `/extauth/say-hello/say/hello`), `allowed_request_headers` lists the client request headers that are passed on to the authentication service, and `allowed_authorization_headers` lists the headers from the authentication service's response that are copied into the request sent upstream when it allows the request. Any header not listed is not forwarded, so the authentication service only ever sees `x-qotm-session` here.

```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: header-auth
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: AuthService
      name: authentication
      auth_service: "header-auth:3000"
      path_prefix: "/extauth"
      allowed_request_headers:
      - "x-qotm-session"
      allowed_authorization_headers:
      - "x-qotm-session"
spec:
  type: ClusterIP
  selector:
    app: header-auth
  ports:
  - port: 3000
    name: header-auth-port
    targetPort: app-port
```
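The page does not show what runs inside the `woms/head-auth-service:0.0.1` image. As an added example (not the page's own code and not that image), here is a minimal authentication service that implements the contract the `AuthService` above configures: it receives each forwarded request at `path_prefix` + original path, checks the `x-qotm-session` header, and answers 200 to allow or 401 to deny. The session store `VALID_SESSIONS`, the public path prefix `/say-hello/public/` and the `x-authenticated-user` header are constructed for illustration and are assumptions, not anything the page defines.

```python
# Added example: a minimal external auth service for the AuthService above.
# Ambassador forwards the client request as <path_prefix><original path> with
# only the headers named in allowed_request_headers. HTTP 200 allows the
# request and the response headers listed in allowed_authorization_headers
# are copied onto the upstream request; any other status is sent back to the
# client as the response.
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH_PREFIX = "/extauth"            # must match path_prefix in the AuthService
SESSION_HEADER = "x-qotm-session"   # must be in allowed_request_headers

# Constructed sample session store (assumption): a real service would verify a
# signed token or look the session up in a backing store instead.
VALID_SESSIONS = {"s3ssion-alice": "alice", "s3ssion-bob": "bob"}

# Assumption for illustration: paths under this prefix need no session. This is
# how the auth service, not Ambassador, decides what is public.
PUBLIC_PREFIXES = ("/say-hello/public/",)


def decide(method, path, headers):
    """Decide one forwarded request; returns (status, response_headers).

    200 means "allow"; anything else means "deny" and is what the client sees.
    """
    if not path.startswith(PATH_PREFIX + "/"):
        # Ambassador always prepends path_prefix; anything else did not come
        # through the gateway's AuthService hop.
        return 400, {}
    original_path = path[len(PATH_PREFIX):]
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if original_path.startswith(PUBLIC_PREFIXES):
        return 200, {}

    session = lowered.get(SESSION_HEADER)
    if session is None or session not in VALID_SESSIONS:
        # Deny. Same response for missing and bogus sessions: do not leak why.
        return 401, {"WWW-Authenticate": 'Session realm="say-hello"'}

    # Allow. Only x-qotm-session is in allowed_authorization_headers above, so
    # it is the one header the upstream service actually receives; the
    # assumed x-authenticated-user header would need to be added to that list.
    return 200, {SESSION_HEADER: session,
                 "x-authenticated-user": VALID_SESSIONS[session]}


class AuthHandler(BaseHTTPRequestHandler):
    def _handle(self):
        status, extra = decide(self.command, self.path, dict(self.headers))
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Ambassador forwards whatever method the client used, so answer them all.
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = _handle


if __name__ == "__main__":
    # 3000 matches containerPort app-port in the header-auth Deployment.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 3000
    HTTPServer(("", port), AuthHandler).serve_forever()
```

Run it with `python3 header_auth.py 3000` and exercise it directly with `curl -i -H 'x-qotm-session: s3ssion-alice' http://localhost:3000/extauth/say-hello/say/hello`; through Ambassador the same header on `http://$AMBASSADORURL/say-hello/say/hello` reaches the backend only when `decide` returns 200.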