1-Let's add a KongPlugin resource to protect the API:
$ echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: httpbin-auth
plugin: key-auth
" | kubectl apply -f -
kongplugin.configuration.konghq.com/httpbin-auth created
2-Now, associate this plugin with the previous Ingress rule we created using the plugins.konghq.com annotation:
$ echo "
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo
  annotations:
    plugins.konghq.com: httpbin-auth
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: httpbin
          servicePort: 80
" | kubectl apply -f -
Any request matching the proxying rules defined in the demo
ingress will now require a valid API key:
$ curl -i $PROXY_IP/foo/status/200
HTTP/1.1 401 Unauthorized
Date: Wed, 17 Jul 2019 19:30:33 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
WWW-Authenticate: Key realm="kong"
Content-Length: 41
Server: kong/1.2.1
{"message":"No API key found in request"}
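3-Because the service now has the authentication plugin, clients must supply a credential: the request header needs apikey: xxxxx
So we need to create a consumer that has an access credential
--Create the credential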
kubectl create secret generic harry-apikey --from-literal=kongCredType=key-auth --from-literal=key=my-sooper-secret-key
--Bind the credential to the consumer
$ echo "apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: harry
username: harry
credentials:
- harry-apikey" | kubectl apply -f -
kongconsumer.configuration.konghq.com/harry configured
--Test
$ curl -i -H 'apikey: my-sooper-secret-key' $PROXY_IP/foo/status/200
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Server: gunicorn/19.9.0
Date: Wed, 17 Jul 2019 19:34:44 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Kong-Upstream-Latency: 3
X-Kong-Proxy-Latency: 1
Via: kong/1.2.1
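
An audit of the state this procedure leaves behind, as an added example that is not part of the original page or of Kong's own tooling: given the items from `kubectl get ingress,kongplugin -A -o json`, it reports for each Ingress path whether the plugins.konghq.com annotation resolves to a key-auth KongPlugin in the same namespace. The sample objects and the Ingress names open and typo are constructed, and only annotations on the Ingress itself are checked (an assumption of this example).

```python
ANNOTATION = "plugins.konghq.com"  # Ingress annotation used on this page

def audit_key_auth(items):
    """Return (namespace, ingress, path, status) for every Ingress path in items."""
    # Index KongPlugin resources: (namespace, name) -> plugin type.
    plugins = {}
    for obj in items:
        if obj.get("kind") == "KongPlugin":
            meta = obj["metadata"]
            plugins[(meta.get("namespace", "default"), meta["name"])] = obj.get("plugin")
    findings = []
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        meta = obj["metadata"]
        ns = meta.get("namespace", "default")
        raw = (meta.get("annotations") or {}).get(ANNOTATION, "")
        names = [n.strip() for n in raw.split(",") if n.strip()]
        missing = [n for n in names if (ns, n) not in plugins]
        if any(plugins.get((ns, n)) == "key-auth" for n in names):
            status = "key-auth"
        elif missing:  # annotation names a KongPlugin that is not present
            status = "missing-plugin:" + ",".join(missing)
        else:  # no annotation, or only plugins of another type
            status = "no-key-auth"
        for rule in obj.get("spec", {}).get("rules", []):
            for p in (rule.get("http") or {}).get("paths", []):
                findings.append((ns, meta["name"], p.get("path", "/"), status))
    return findings

def _ingress(name, path, annotations=None):
    """Build a constructed Ingress object shaped like the one on this page."""
    backend = {"serviceName": "httpbin", "servicePort": 80}
    return {"kind": "Ingress",
            "metadata": {"name": name, "namespace": "default", "annotations": annotations},
            "spec": {"rules": [{"http": {"paths": [{"path": path, "backend": backend}]}}]}}

# Constructed sample input: "open" and "typo" are hypothetical Ingress names.
SAMPLE = [
    {"kind": "KongPlugin", "metadata": {"name": "httpbin-auth", "namespace": "default"},
     "plugin": "key-auth"},
    _ingress("demo", "/foo", {ANNOTATION: "httpbin-auth"}),
    _ingress("open", "/bar"),
    _ingress("typo", "/baz", {ANNOTATION: "httpbin-auht"}),
]

if __name__ == "__main__":
    for row in audit_key_auth(SAMPLE):
        print(*row)
```

Any row whose status is not key-auth is a path worth confirming with the unauthenticated curl request from step 2.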