Building an Open Platform (Part 1): Using the Kong JWT Plugin in Kubernetes
2020-12-30
lodestar
We often have APIs that need to be exposed to third-party partners so they can use capabilities we already have. The first step is access control, so this post walks through how to use the Kong JWT plugin in Kubernetes.
1. Install Kong
helm install kong/kong --generate-name --set ingressController.installCRDs=false --set admin.enabled=true --set admin.http.enabled=true
$ curl -i $PROXY_IP
HTTP/1.1 404 Not Found
Date: Wed, 30 Dec 2020 14:25:31 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
X-Kong-Response-Latency: 1
Server: kong/2.2.1
{"message":"no Route matched with those values"}
Create an application: kubectl apply -f httpbin.yaml
# httpbin.yaml
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        name: httpbin
        ports:
        - containerPort: 80
Create an Ingress for the /get path: kubectl apply -f ingress-get.yaml
# ingress-get.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-get
  annotations:
    konghq.com/strip-path: "false"
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - http:
      paths:
      - path: /get
        backend:
          serviceName: httpbin
          servicePort: 80
curl -i $PROXY_IP/get
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 296
Connection: keep-alive
Server: gunicorn/19.9.0
Date: Wed, 30 Dec 2020 14:31:07 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 1
Via: kong/2.2.1
{
"args": {},
"headers": {
"Accept": "*/*",
"Connection": "keep-alive",
"Host": $PROXY_IP,
"User-Agent": "curl/7.62.0",
"X-Forwarded-Host": $PROXY_IP,
"X-Forwarded-Path": "/get"
},
"origin": "120.76.157.117",
"url": "http://$PROXY_IP/get"
}
The above is the behaviour without JWT. Next we add JWT to the Ingress.
Create the JWT plugin:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: app-jwt
plugin: jwt
Attach the plugin to the Ingress: kubectl apply -f ingress-get-jwt.yaml
# ingress-get-jwt.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-get
  annotations:
    konghq.com/plugins: app-jwt
    konghq.com/strip-path: "false"
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - http:
      paths:
      - path: /get
        backend:
          serviceName: httpbin
          servicePort: 80
Run the curl request again; the gateway now responds with Unauthorized.
$ curl -i $PROXY_IP/get
HTTP/1.1 401 Unauthorized
Date: Wed, 30 Dec 2020 14:41:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 26
X-Kong-Response-Latency: 1
Server: kong/2.2.1
{"message":"Unauthorized"}
This example uses the HS256 symmetric (HMAC-SHA256) algorithm, with key admin-issuer and secret 12344444. The key and secret can be understood as the appkey and appsecret issued to a partner (the short secret here is for demonstration only; a production HMAC secret should be a long random value). The asymmetric RS256 algorithm can also be used.
kubectl create secret \
generic app-admin-jwt-hs256 \
--from-literal=kongCredType=jwt \
--from-literal=key="admin-issuer" \
--from-literal=algorithm=HS256 \
--from-literal=secret=12344444
Now create a KongConsumer that references that credential:
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: admin-hs256
  annotations:
    kubernetes.io/ingress.class: kong
username: admin-hs256
credentials:
- app-admin-jwt-hs256
Verify the JWT:
curl -i -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhZG1pbi1pc3N1ZXIifQ.pyD7rEPy48xZqFOH_qjCHtpHH_MlGQ7ZoauOI8cF_f4" $PROXY_IP/get
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 593
Connection: keep-alive
Server: gunicorn/19.9.0
Date: Wed, 30 Dec 2020 14:51:03 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 1
Via: kong/2.2.1
{
"args": {},
"headers": {
"Accept": "*/*",
"Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhZG1pbi1pc3N1ZXIifQ.pyD7rEPy48xZqFOH_qjCHtpHH_MlGQ7ZoauOI8cF_f4",
"Connection": "keep-alive",
"Host": $PROXY_IP,
"User-Agent": "curl/7.62.0",
"X-Consumer-Id": "21ed4c5f-d804-5f64-9171-782b9b4bf476",
"X-Consumer-Username": "admin-hs256",
"X-Credential-Identifier": "admin-issuer",
"X-Forwarded-Host": $PROXY_IP,
"X-Forwarded-Path": "/get"
},
"origin": "120.76.157.117",
"url": "http://$PROXY_IP/get"
}
For JWT details see https://jwt.io/. Note that the JWT payload must contain the iss claim (admin-issuer in this example), because that is how Kong locates the consumer credential whose secret verifies the signature. That completes the JWT verification setup.
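To make the HS256 credential and the iss requirement concrete, here is an added example (not code from the post or from Kong) that mints a token with the same header and payload as the one used above and then checks it the way a gateway does: look up the credential by iss, take the algorithm from the stored credential rather than from the token header, and compare the HMAC in constant time. The CREDENTIALS table is a constructed stand-in for the Kubernetes Secret app-admin-jwt-hs256; the reason strings and function names are this example's own, not Kong's.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-in for the credential Kong reads from the Kubernetes Secret
# app-admin-jwt-hs256 on the page: key (the token's iss) -> algorithm and secret.
CREDENTIALS = {"admin-issuer": {"algorithm": "HS256", "secret": "12344444"}}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the JWT encoding strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256_signature(signing_input: str, secret: str) -> bytes:
    """HMAC-SHA256 over 'header.payload' with the shared secret."""
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def mint_hs256(payload: dict, secret: str) -> str:
    """Build header.payload.signature the way the partner side (or jwt.io) does."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    return signing_input + "." + b64url_encode(hs256_signature(signing_input, secret))


def check_request(authorization: Optional[str]) -> Tuple[int, object]:
    """Gateway-side check. Returns (200, claims) or (401, reason).

    The order matters: the consumer is found via the iss claim, and the
    algorithm that must be used comes from the stored credential, never from
    the token's own header, so a client cannot choose a weaker algorithm.
    """
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "Unauthorized"
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "Bad token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return 401, "Bad token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401, "Bad token"
    iss = claims.get("iss")
    if iss is None:
        return 401, "No mandatory 'iss' in claims"
    cred = CREDENTIALS.get(iss)
    if cred is None:
        return 401, "No credentials found for given 'iss'"
    if header.get("alg") != cred["algorithm"]:
        return 401, "Invalid algorithm"
    expected = hs256_signature(parts[0] + "." + parts[1], cred["secret"])
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, signature):
        return 401, "Invalid signature"
    return 200, claims


if __name__ == "__main__":
    token = mint_hs256({"iss": "admin-issuer"}, "12344444")
    print(token)
    print(check_request("Bearer " + token))
    print(check_request("Bearer " + mint_hs256({"iss": "admin-issuer"}, "wrong-secret")))
    print(check_request("Bearer " + mint_hs256({"iss": "nobody"}, "12344444")))
```

The first two segments of the minted token are identical to those in the curl request above, since the header and payload encodings are deterministic; only the secret decides whether the third segment verifies. Run it with a wrong secret or an unknown iss and you get the same 401 the gateway returned before the consumer existed.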