Activity: Developer workflow

Module 3

In this section, you will perform the role of a developer and create policies to securely expose the travel-agency service endpoints. This will allow partner portals to securely access Travelz Corp’s flights, hotels, and car offerings.

Test access to the Travelz Partner Portal Application

  1. Access the Travels Blue partner portal by clicking here

  2. You should see a 404 error status code because the travel-agency core services endpoint hasn’t been exposed using an HTTPRoute to make it available to other applications/systems.

    partner blue 404

Set up HTTPRoute for Travels service endpoint

  1. Click the (+) button on the top navigation bar of the OpenShift Console ({ocp_cluster_openshift_cluster_console_url}) to create a new HTTPRoute.

  2. In the YAML editor, copy the following HTTPRoute CR for the travel REST API and click the Create button at the bottom of the YAML editor.

    apiVersion: gateway.networking.k8s.io/v1
    kind: HTTPRoute
    metadata:
      name: travel-agency
      namespace: travel-agency
      labels:
        deployment: travels-v1
        service: travels
    spec:
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: prod-web
          namespace: ingress-gateway
      hostnames:
        - api.travels.{ocp_cluster_workshop_main_domain}
      rules:
        - backendRefs:
            - group: ''
              kind: Service
              name: travels
              namespace: travel-agency
              port: 8000
              weight: 1
          matches:
            - path:
                type: PathPrefix
                value: /

Test Web App again after HTTPRoute is set up

  1. Refresh the Web application or access it from here.

  2. You should see a 403 - Forbidden error: although you have created the travels API’s HTTPRoute, the prod-web Gateway’s deny-all default policy applies and rejects every request. Zero-trust auth is in place!

    partner blue 403

  3. You can validate this by accessing Red Hat Connectivity Link’s Policy Topology ({ocp_cluster_openshift_cluster_console_url}/kuadrant/policy-topology). You will notice that the travel-agency HTTPRoute also inherits the Gateway’s policies (just like the echo-api HTTPRoute).

    travel 404 policy topology

Set up AuthPolicy

Next, create an AuthPolicy targeting the HTTPRoute to allow the partner portal to access the core services securely.

  1. Click the (+) button on the top navigation bar of the OpenShift Console ({ocp_cluster_openshift_cluster_console_url}) to create a new AuthPolicy for the HTTPRoute.

  2. In the YAML editor, copy the following CRs, which create an AuthPolicy along with the API key Secret it needs.

    apiVersion: kuadrant.io/v1
    kind: AuthPolicy
    metadata:
      name: travel-agency-authpolicy
      namespace: travel-agency
    spec:
      defaults:
        rules:
          authentication:
            api-key-authn:
              apiKey:
                allNamespaces: false
                selector:
                  matchLabels:
                    app: partner
              credentials:
                queryString:
                  name: APIKEY
      targetRef:
        group: gateway.networking.k8s.io
        kind: HTTPRoute
        name: travel-agency
    
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: apikey-blue
      namespace: kuadrant-system
      labels:
        authorino.kuadrant.io/managed-by: authorino
        app: partner
    stringData:
      api_key: blue
    type: Opaque

  3. Click Create to create these resources.

  4. The resources are created successfully.

    auth apikey created

    Note: For the sake of the workshop, we have chosen to authenticate using an API key. In the real world, consider using a JWT/OAuth access token to authenticate the requests.

  5. Access Red Hat Connectivity Link’s Policy Topology ({ocp_cluster_openshift_cluster_console_url}/kuadrant/policy-topology) once more.

    1. You will notice that the travel-agency HTTPRoute is now impacted by its own AuthPolicy.

    2. You will also notice that the prod-web Gateway’s RateLimitPolicy still affects the travel-agency HTTPRoute.

      travel ap topology

Test Web App again (after HTTPRoute and AuthPolicy are set up)

  1. Refresh the partner portal one more time. You should now see an API Call is successful message.

    webapp success

  2. Choose a City, a From, and a To date, and click the Find details button

    webapp see details

Test the default RateLimit Policy

  1. Click the Find details button more than 5 times.

  2. Expect to see a 429 error:

    partner blue 429

  3. This is because of the super low rate limit configured for the Gateway.

  4. Since there is no specific RateLimit Policy for the Travels service HTTPRoute, the Gateway’s RateLimit Policy is applied to the HTTPRoute as well.

Create a new travels-specific RateLimit Policy

  1. Click the (+) button on the top navigation bar of the OpenShift Console ({ocp_cluster_openshift_cluster_console_url}) to create a new RateLimitPolicy for the HTTPRoute.

  2. In the YAML editor, copy the following CR, which creates a RateLimit Policy of 20 calls per 10 seconds per user.

    apiVersion: kuadrant.io/v1
    kind: RateLimitPolicy
    metadata:
      name: ratelimit-policy-travels
      namespace: travel-agency
    spec:
      targetRef:
        group: gateway.networking.k8s.io
        kind: HTTPRoute
        name: travel-agency
      limits:
        "per-user":
          rates:
            - limit: 20
              window: 10s
          counters:
            - expression: auth.identity.userid

  3. Click Create.
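
The AuthPolicy above reads the API key from the `APIKEY` query-string parameter, which places the credential in URLs and therefore in access logs, browser history and Referer headers. The following variant is an added example, not part of the workshop: it reads the key from the `Authorization` header instead, and it publishes a `userid` property from a Secret annotation (the pattern used in the Kuadrant documentation) so that the `auth.identity.userid` counter in the RateLimitPolicy has a per-partner value to count on. It assumes the partner portal is changed to send `Authorization: APIKEY <key>`; the annotation value and the key placeholder are constructed for illustration.

```yaml
# Added example (not from the workshop): header-based API key + per-partner userid.
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: travel-agency-authpolicy
  namespace: travel-agency
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: travel-agency
  defaults:
    rules:
      authentication:
        api-key-authn:
          apiKey:
            allNamespaces: false
            selector:
              matchLabels:
                app: partner
          credentials:
            # Client sends "Authorization: APIKEY <key>"; the key stays out of the URL
            authorizationHeader:
              prefix: APIKEY
      response:
        success:
          filters:
            identity:
              json:
                properties:
                  userid:
                    # Take the caller's id from the annotation on the matched Secret
                    selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
---
apiVersion: v1
kind: Secret
metadata:
  name: apikey-blue
  namespace: kuadrant-system
  labels:
    authorino.kuadrant.io/managed-by: authorino
    app: partner
  annotations:
    secret.kuadrant.io/user-id: blue        # constructed value for this example
stringData:
  api_key: "<generated-random-value>"       # placeholder; the workshop uses "blue"
type: Opaque
```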

Test again (after HTTPRoute, AuthPolicy, and RateLimitPolicy are set up)

  1. Try accessing the details again by clicking the Find details button.

    webapp see details

  2. You should now be able to retrieve details without a 429 - Too Many Requests error for up to 20 requests within 10 seconds.

  3. You will notice in Red Hat Connectivity Link’s Policy Topology ({ocp_cluster_openshift_cluster_console_url}/kuadrant/policy-topology) that the travel-agency HTTPRoute has its own Auth and RateLimit policies, which effectively override the zero-trust and super-low limits set up on the Gateway.

    travel final topo

Summary

  1. In this section, you played the role of a Developer and created a travel-agency HTTPRoute for the core services so that the partner portal can access them securely. You applied the right Auth and Rate Limit policies to the HTTPRoute, thereby customising it to your specific needs in a self-service manner.

  2. In the next section, you will be introduced to observability and monitoring.