One-Step Ingress - Use One Command To Secure APIs and Microservices
EnRoute Kubernetes Ingress can be programmed to secure APIs and microservices with one helm command. Securing a service takes minutes instead of weeks.
EnRoute Ingress allows you to configure any security policy for a service at Kubernetes Ingress in One Step
- Get, Verify and Install SSL Certificate from Let’s Encrypt
- Rate Limit configuration for service
- JWT Validation for Service
- Attach Lua script to request/response path for the service
- Enable CORS for the service
Apart from this, in the near future, we plan on extending support for:
- Set up external-DNS to auto-create DNS records and set up automatic certificate renewal.
- More security blocks, like a CSRF filter to prevent request forgery and IP tagging to mark trusted IP addresses.
- More programmability using WASM, providing out-of-the-box WebAssembly code invocation.
The EnRoute model is truly declarative service policy: a service policy does not need to be configured by hand; declaring it is sufficient. Once declared, the policy configuration is created and enforced for the service automatically.
For example, to enable the JWT plugin, simply invoke:
helm install httpbin-service-policy saaras/service-policy \
  --set service.namespace=demo-service \
  --set service.name=httpbin \
  --set service.port=80 \
  --set filters.jwt.enable=true
This enables the JWT plugin for the service. Enabling the filter only puts JWT validation in the request path; like any JWT validator, it still has to be told which issuer and signing keys to validate tokens against, and this minimal command does not set those.
Update L7 Policy Blocks Using the Same Abstraction
L7 Policy blocks (like SSL, CORS, JWT, Rate-Limit, etc.) can be included/excluded declaratively. They can be added or removed using a single helm command.
The helm chart supports enabling and disabling filters for the service:
helm upgrade httpbin-service-policy saaras/service-policy \
  --set service.namespace=demo-service \
  --set service.name=httpbin \
  --set service.prefix=/get \
  --set service.port=80 \
  --set service.enableTLS=true \
  --set autoTLS.certificateCN=httpbin.enroutedemo.com \
  --set autoTLS.enableProd=true \
  --set autoTLS.createIssuers=true \
  --set autoTLS.firstname.lastname@example.org \
  --set filters.cors.enable=true \
  --set filters.jwt.enable=false
Declarative policy is specified with helm install. Declaratively modifying this policy with helm upgrade reconciles the L7 policy for the service to the new state: here TLS and CORS are turned on and the JWT block is removed. Since autoTLS.enableProd=true requests certificates from Let's Encrypt's production environment, which enforces issuance rate limits, it is worth validating the DNS and challenge setup against Let's Encrypt's staging environment before turning it on.
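To make the declarative model concrete, here is an added example, written for this page rather than taken from EnRoute or Envoy, of what the filter blocks amount to once the proxy enforces them. A policy dictionary standing in for the helm --set values is turned into an ordered filter chain, a few constructed requests are replayed against it, and then the same requests are replayed against a reconciled policy with the JWT block switched off. The HS256 shared key, issuer, audience, rate-limit window and all request data are assumptions for the demo; a real ingress validates asymmetrically signed tokens against the issuer's JWKS.

```python
"""Toy L7 policy chain: what a JWT block, a rate-limit block and a CORS block
amount to at the proxy. Added illustration only; not EnRoute or Envoy code,
and every name, key and value below is an assumption for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values: an HS256 shared key keeps the example offline.
# A production ingress validates RS256/ES256 tokens against the issuer's JWKS.
DEMO_SECRET = b"demo-hs256-key-not-for-production"
DEMO_ISSUER = "https://issuer.example.org"
DEMO_AUDIENCE = "httpbin"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT as test input (normally the identity provider does this)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def jwt_filter(req: dict, now: float, key: bytes = DEMO_SECRET) -> Optional[int]:
    """401 when the bearer token is missing, malformed, tampered, expired or
    minted for another issuer/audience; None lets the request continue."""
    auth = req.get("headers", {}).get("authorization", "")
    parts = auth[7:].split(".") if auth.lower().startswith("bearer ") else []
    if len(parts) != 3:
        return 401
    header, body, sig = parts
    try:
        hdr = json.loads(_b64url_decode(header))
        # Only the configured algorithm is accepted; 'alg' from the token is not trusted.
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return 401
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return 401
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return 401
    if (not isinstance(claims, dict) or claims.get("iss") != DEMO_ISSUER
            or claims.get("aud") != DEMO_AUDIENCE):
        return 401
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return 401
    return None

class RateLimitFilter:
    """Fixed-window counter per client IP: `limit` requests per window, then 429."""
    def __init__(self, limit: int, window_s: int):
        self.limit, self.window_s, self.counts = limit, window_s, {}

    def __call__(self, req: dict, now: float) -> Optional[int]:
        key = (req.get("client_ip"), int(now // self.window_s))
        self.counts[key] = self.counts.get(key, 0) + 1
        return 429 if self.counts[key] > self.limit else None

def build_chain(policy: dict) -> list:
    """Turn the declared policy (think of the helm --set values) into an ordered
    filter list; a block that is absent or disabled is simply not in the chain."""
    chain = []
    if policy.get("jwt", {}).get("enable"):
        chain.append(jwt_filter)
    rl = policy.get("ratelimit", {})
    if rl.get("enable"):
        chain.append(RateLimitFilter(rl["requests"], rl["window_s"]))
    return chain

def handle(chain: list, policy: dict, req: dict, now: float) -> dict:
    """Run the request through the chain; the first rejecting filter wins."""
    for f in chain:
        status = f(req, now)
        if status is not None:
            return {"status": status, "headers": {}}
    resp = {"status": 200, "headers": {}}
    cors, origin = policy.get("cors", {}), req.get("headers", {}).get("origin")
    # CORS is a response-side block: reflect Origin only when it is on the allow-list.
    if cors.get("enable") and origin in cors.get("allowed_origins", []):
        resp["headers"]["access-control-allow-origin"] = origin
    return resp

def demo() -> list:
    """Replay constructed requests against the declared policy, then against a
    reconciled policy with the JWT block removed (helm upgrade ... jwt.enable=false)."""
    now = 1_700_000_000.0
    policy = {"jwt": {"enable": True},
              "ratelimit": {"enable": True, "requests": 2, "window_s": 60},
              "cors": {"enable": True, "allowed_origins": ["https://app.example.org"]}}
    good = mint_token({"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "exp": now + 300})
    stale = mint_token({"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "exp": now - 1})
    # Old signature glued onto rewritten claims: must fail the HMAC check.
    forged = "{}.{}.{}".format(good.split(".")[0],
                               mint_token({"sub": "admin"}).split(".")[1], good.split(".")[2])

    def req(token=None):
        headers = {"origin": "https://app.example.org"}
        if token:
            headers["authorization"] = "Bearer " + token
        return {"client_ip": "10.0.0.1", "headers": headers}

    chain = build_chain(policy)
    statuses = [handle(chain, policy, req(t), now)["status"]
                for t in (good, good, good, None, stale, forged)]
    relaxed = {**policy, "jwt": {"enable": False}}
    statuses.append(handle(build_chain(relaxed), relaxed, req(), now)["status"])
    return statuses  # [200, 200, 429, 401, 401, 401, 200]
```

Two points the replay makes that the helm commands alone do not: rejections happen in chain order, so a request without a token is refused by the JWT block before it ever counts against the rate limit, and reconciling the policy with the JWT block disabled removes the filter from the chain entirely rather than configuring it to allow everything, which is why the last unauthenticated request succeeds.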
EnRoute One-Step provides higher-level abstractions. This is similar to a higher-level programming language compared to assembly code.
Higher-level abstractions (and languages) simplify programming the Ingress.
EnRoute leverages the existing Envoy filter abstractions and extends them to the Ingress layer. It keeps things simple by using a well-known tool, helm, to work with well-known Envoy filter abstractions, forming a lightweight shim over the Envoy proxy.
EnRoute’s deep integration with Let’s Encrypt radically simplifies setting up certificates, verifying them, and installing them for a service.
The helm command creates a GatewayHost and the related artifacts needed to install the different filters.
The helm code that creates the artifacts can be modified to meet the needs of different types of services and create microservice connectivity and security profiles.
Advantages Of Running Policy At EnRoute One-Step Ingress Controller
There are several distinct advantages of running an Ingress Controller and enforcing policies at Ingress.
- Ingress provides a portable mechanism to enforce policy inside the Kubernetes Cluster. Policies enforced inside a cluster are easier to port across clouds.
- Ingress can be scaled horizontally inside the Kubernetes cluster. The elasticity of the L7 fabric makes it easier to operate and scale.
- L7 policies can be hosted along with services inside the cluster with cluster-native state storage.
- Keeping L7 policy closer to services simplifies policy enforcement and troubleshooting of services and APIs.
One-Step Ingress is an opportunity to make Ingress extremely simple to understand and operate. It cuts down the number of artifacts required to configure service connectivity and policy. Higher-level abstractions improve the operational velocity of working with Kubernetes without sacrificing DevOps agility.
As Kubernetes is adopted as a standard to run microservices and adopt DevOps practices, working with fewer tools cuts down the number of moving parts. EnRoute One-Step Ingress drives simplicity and operational velocity by relying on existing tools like helm and Envoy.
Published at DZone with permission of Chintan Thakker. See the original article here.