1 | Copyright © 2019
Solo.io Deep Dive
Building Go plugins for external auth service for Gloo Enterprise
The Gloo Control Plane
External Auth Plugins
Creating a plugin
See example: https://github.com/solo-io/ext-auth-plugin-examples
Creating the plugin source
Plugin implements ExtAuthPlugin interface
type ExtAuthPlugin interface {
	NewConfigInstance(ctx context.Context) (configInstance interface{}, err error)
	GetAuthService(ctx context.Context, configInstance interface{}) (AuthService, error)
}
https://docs.solo.io/gloo/latest/gloo_routing/virtual_services/security/plugin_auth/
Config instance maps to what we configure in VirtualService
virtualHostPlugins:
  extensions:
    configs:
      extauth:
        plugin_auth:
          plugins:
          - config:
              RequiredHeader: my-header
              AllowedValues:
              - foo
              - bar
              - baz
            name: RequiredHeader
            plugin_file_name: RequiredHeader.so
            exported_symbol_name: Plugin
AuthService interface
type AuthService interface {
	Start(ctx context.Context) error
	Authorize(ctx context.Context, request *AuthorizationRequest) (*AuthorizationResponse, error)
}
https://docs.solo.io/gloo/latest/dev/writing_auth_plugins/
Plugin implements ExtAuthPlugin interface
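package main

import (
	impl "github.com/solo-io/ext-auth-plugin-examples/plugins/required_header/pkg"
	"github.com/solo-io/ext-auth-plugins/api"
)

// A plugin is built from package main; main itself stays empty.
func main() {}

// Compile-time check that the type satisfies ExtAuthPlugin
// (this is also what keeps the api import in use).
var _ api.ExtAuthPlugin = new(impl.RequiredHeaderPlugin)

// Exported symbol that exported_symbol_name in the VirtualService refers to.
var Plugin impl.RequiredHeaderPlugin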
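Added example, not code from the deck or from the Solo.io example repository: a self-contained sketch of a RequiredHeader-style plugin written against the two interfaces above, showing config validation at load time and a fail-closed Authorize. The request/response structs, the Config type, the decide helper and the exactly-once rule are assumptions made for illustration; the real types come from the ext-auth-plugins module.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/textproto"
)

// Stand-in request/response types (assumption: reduced to headers in,
// allow/deny out, so the example runs without the Gloo plugin module).
type AuthorizationRequest struct{ Headers map[string][]string }
type AuthorizationResponse struct{ Allowed bool }

// The two interfaces from the slides, restated against the stand-in types.
type AuthService interface {
	Start(ctx context.Context) error
	Authorize(ctx context.Context, request *AuthorizationRequest) (*AuthorizationResponse, error)
}
type ExtAuthPlugin interface {
	NewConfigInstance(ctx context.Context) (configInstance interface{}, err error)
	GetAuthService(ctx context.Context, configInstance interface{}) (AuthService, error)
}

// Config mirrors the keys of the plugin's `config:` block.
type Config struct {
	RequiredHeader string
	AllowedValues  []string
}

type RequiredHeaderPlugin struct{}
var _ ExtAuthPlugin = (*RequiredHeaderPlugin)(nil) // compile-time interface check

// NewConfigInstance returns the empty object the plugin config is loaded into.
func (p *RequiredHeaderPlugin) NewConfigInstance(ctx context.Context) (interface{}, error) {
	return &Config{}, nil
}

// GetAuthService rejects a config that would make the check meaningless, so a
// mistake in the VirtualService fails at load time rather than admitting traffic.
func (p *RequiredHeaderPlugin) GetAuthService(ctx context.Context, configInstance interface{}) (AuthService, error) {
	cfg, ok := configInstance.(*Config)
	if !ok {
		return nil, fmt.Errorf("unexpected config type %T", configInstance)
	}
	if cfg.RequiredHeader == "" || len(cfg.AllowedValues) == 0 {
		return nil, errors.New("RequiredHeader and AllowedValues must both be set")
	}
	svc := &requiredHeaderService{
		header:  textproto.CanonicalMIMEHeaderKey(cfg.RequiredHeader),
		allowed: make(map[string]bool, len(cfg.AllowedValues)),
	}
	for _, v := range cfg.AllowedValues {
		svc.allowed[v] = true
	}
	return svc, nil
}

type requiredHeaderService struct {
	header  string
	allowed map[string]bool
}

func (s *requiredHeaderService) Start(ctx context.Context) error { return nil }

// Authorize allows only when the header appears exactly once with an allowed
// value; a missing, repeated or unknown value is denied (fail closed).
func (s *requiredHeaderService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error) {
	var values []string
	if req != nil {
		for name, vs := range req.Headers { // header names are case-insensitive
			if textproto.CanonicalMIMEHeaderKey(name) == s.header {
				values = append(values, vs...)
			}
		}
	}
	ok := len(values) == 1 && s.allowed[values[0]]
	return &AuthorizationResponse{Allowed: ok}, nil
}

// decide builds the service from cfg and authorizes one set of headers.
func decide(cfg Config, headers map[string][]string) (bool, error) {
	ctx := context.Background()
	svc, err := (&RequiredHeaderPlugin{}).GetAuthService(ctx, &cfg)
	if err != nil {
		return false, err
	}
	if err := svc.Start(ctx); err != nil {
		return false, err
	}
	resp, err := svc.Authorize(ctx, &AuthorizationRequest{Headers: headers})
	return err == nil && resp.Allowed, err
}

func main() {
	cfg := Config{RequiredHeader: "my-header", AllowedValues: []string{"foo", "bar", "baz"}}
	ok, err := decide(cfg, map[string][]string{"My-Header": {"foo"}}) // constructed request
	fmt.Println(ok, err)
}
```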
Preparing and building the plugin for Gloo Enterprise
Align version dependencies with Gloo Enterprise
$ dep ensure -v
$ GLOOE_VERSION=0.20.7 make compare-deps
{
  "pluginDependencies": {
    "name": "github.com/gogo/protobuf",
    "version": "v1.2.1",
    "revision": "ba06b47c162d49f2af050fb4c75bcbc86a159d5c"
  },
  "glooeDependencies": {
    "name": "github.com/gogo/protobuf",
    "version": "v1.3.0",
    "revision": "0ca988a254f991240804bf9821f3450d87ccbb1b"
  }
},
Align version dependencies with Gloo Enterprise
$ # correct the dep mismatches in Gopkg.toml
$ dep ensure -v
$ GLOOE_VERSION=0.20.7 make compare-deps
go run scripts/compare_dependencies.go Gopkg.lock _glooe/Gopkg.lock
All shared dependencies match
Build plugin (needs access to docker daemon)
$ GLOOE_VERSION=0.20.7 make build-plugins
Be on the lookout for this log line in the docker build:
{"level":"info","ts":"2019-11-01T16:51:10.694Z","logger":"verify-plugins.header_value_plugin",
"caller":"pkg/impl.go:39","msg":"Parsed RequiredHeaderAuthService config",
"requiredHeader":"my-auth-header","allowedHeaderValues":["foo","bar","baz"]
}
{"level":"info","ts":"2019-11-01T16:51:10.695Z","logger":"verify-plugins",
"caller":"plugins/loader.go:63","msg":"Successfully loaded plugin. Adding it to the plugin chain.",
"pluginName":"RequiredHeader"}
{"level":"info","ts":"2019-11-01T16:51:10.696Z","logger":"verify-plugins",
"caller":"scripts/verify_plugins.go:62","msg":"Successfully verified that plugins can be loaded by Gloo!"}
Tag the docker image and push to registry
$ docker images
$ docker tag <find tag> gcr.io/solo-public/ext-auth-example:v0.20.7
$ docker push gcr.io/solo-public/ext-auth-example:v0.20.7
Now we have our plugin!
See example: https://github.com/solo-io/ext-auth-plugin-examples
Deploying and verifying our plugin
Configuration values for Gloo Enterprise install
plugin-values.yaml
license_key: YOUR_LICENSE_KEY
global:
  extensions:
    extAuth:
      plugins:
        my-plugin:
          image:
            repository: gloo-examples-extauth-required-header
            registry: gcr.io/solo-public
            pullPolicy: IfNotPresent
            tag: 0.20.7
Install Gloo with Ext-Auth plugin configured
$ helm fetch glooe/gloo-ee --version "0.20.7" --untar
$ kubectl create ns gloo-system
$ helm template gloo-ee --namespace gloo-system -f plugin-values.yaml | kubectl apply -f -
Verify plugin got copied over correctly
$ kubectl exec -n gloo-system deploy/extauth -- ls -l /auth-plugins
total 28356
-rw-r--r-- 1 root root 29033304 Nov 1 20:03 RequiredHeader.so
Already have Gloo Enterprise installed?
Just add the init container to deploy/extauth:
initContainers:
- image: gcr.io/solo-public/gloo-examples-extauth-required-header:0.20.7
  imagePullPolicy: IfNotPresent
  name: plugin-my-plugin
  resources: {}
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /auth-plugins
    name: auth-plugins
Configure the plugin and enforcement
Config instance maps to what we configure in VirtualService
virtualHostPlugins:
  extensions:
    configs:
      extauth:
        plugin_auth:
          plugins:
          - config:
              RequiredHeader: my-header
              AllowedValues:
              - foo
              - bar
              - baz
            name: RequiredHeader
            plugin_file_name: RequiredHeader.so
            exported_symbol_name: Plugin
28 | Copyright © 2019

More Related Content

Similar to Deep Dive: Building external auth plugins for Gloo Enterprise

Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick Streule
Atlassian
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
KAI CHU CHUNG
 
Web APIs & Apps - Mozilla
Web APIs & Apps - MozillaWeb APIs & Apps - Mozilla
Web APIs & Apps - Mozilla
Robert Nyman
 
Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)
Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)
Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)
NexThoughts Technologies
 
Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101
colleenfry
 
WebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla LondonWebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla London
Robert Nyman
 
Build resource server &amp; client for OCF Cloud (2018.8.30)
Build resource server &amp; client for OCF Cloud (2018.8.30)Build resource server &amp; client for OCF Cloud (2018.8.30)
Build resource server &amp; client for OCF Cloud (2018.8.30)
남균 김
 
Grails plugin
Grails pluginGrails plugin
Grails plugin
Vijay Shukla
 
Integrating dialog flow (api.ai) into qiscus sdk chat application
Integrating dialog flow (api.ai) into qiscus sdk chat applicationIntegrating dialog flow (api.ai) into qiscus sdk chat application
Integrating dialog flow (api.ai) into qiscus sdk chat application
Erick Ranes Akbar Mawuntu
 
[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice
Pierre Vincent
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan   how to debug microservices on kubernetes as a pros (ht...Dev fest 2020 taiwan   how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
KAI CHU CHUNG
 
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsPVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
Andrey Karpov
 
Mastering Microservices with Kong (DevoxxUK 2019)
Mastering Microservices with Kong (DevoxxUK 2019)Mastering Microservices with Kong (DevoxxUK 2019)
Mastering Microservices with Kong (DevoxxUK 2019)
Maarten Mulders
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
nasza-klasa
 
Distributing UI Libraries: in a post Web-Component world
Distributing UI Libraries: in a post Web-Component worldDistributing UI Libraries: in a post Web-Component world
Distributing UI Libraries: in a post Web-Component world
Rachael L Moore
 
Baking in the cloud with packer and puppet
Baking in the cloud with packer and puppetBaking in the cloud with packer and puppet
Baking in the cloud with packer and puppet
Alan Parkinson
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
VodqaBLR
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
NETWAYS
 

Similar to Deep Dive: Building external auth plugins for Gloo Enterprise (20)

Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick Streule
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 
Web APIs & Apps - Mozilla
Web APIs & Apps - MozillaWeb APIs & Apps - Mozilla
Web APIs & Apps - Mozilla
 
Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)
Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)
Grails Plugins(Console, DB Migration, Asset Pipeline and Remote pagination)
 
Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101
 
WebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla LondonWebAPIs & Apps - Mozilla London
WebAPIs & Apps - Mozilla London
 
Build resource server &amp; client for OCF Cloud (2018.8.30)
Build resource server &amp; client for OCF Cloud (2018.8.30)Build resource server &amp; client for OCF Cloud (2018.8.30)
Build resource server &amp; client for OCF Cloud (2018.8.30)
 
Grails plugin
Grails pluginGrails plugin
Grails plugin
 
Integrating dialog flow (api.ai) into qiscus sdk chat application
Integrating dialog flow (api.ai) into qiscus sdk chat applicationIntegrating dialog flow (api.ai) into qiscus sdk chat application
Integrating dialog flow (api.ai) into qiscus sdk chat application
 
[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan   how to debug microservices on kubernetes as a pros (ht...Dev fest 2020 taiwan   how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
 
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsPVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
 
Mastering Microservices with Kong (DevoxxUK 2019)
Mastering Microservices with Kong (DevoxxUK 2019)Mastering Microservices with Kong (DevoxxUK 2019)
Mastering Microservices with Kong (DevoxxUK 2019)
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
Distributing UI Libraries: in a post Web-Component world
Distributing UI Libraries: in a post Web-Component worldDistributing UI Libraries: in a post Web-Component world
Distributing UI Libraries: in a post Web-Component world
 
Baking in the cloud with packer and puppet
Baking in the cloud with packer and puppetBaking in the cloud with packer and puppet
Baking in the cloud with packer and puppet
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
 

More from Christian Posta

Move Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the PlatformMove Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the Platform
Christian Posta
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
Christian Posta
 
Understanding Wireguard, TLS and Workload Identity
Understanding Wireguard, TLS and Workload IdentityUnderstanding Wireguard, TLS and Workload Identity
Understanding Wireguard, TLS and Workload Identity
Christian Posta
 
Compliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient MeshCompliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient Mesh
Christian Posta
 
Cilium + Istio with Gloo Mesh
Cilium + Istio with Gloo MeshCilium + Istio with Gloo Mesh
Cilium + Istio with Gloo Mesh
Christian Posta
 
Multi-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMeshMulti-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMesh
Christian Posta
 
Multicluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh PatternsMulticluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh Patterns
Christian Posta
 
Cloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service MeshCloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service Mesh
Christian Posta
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)
Christian Posta
 
The Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data PlaneThe Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data Plane
Christian Posta
 
Role of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoptionRole of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoption
Christian Posta
 
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and LinkerdNavigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Christian Posta
 
Chaos Debugging for Microservices
Chaos Debugging for MicroservicesChaos Debugging for Microservices
Chaos Debugging for Microservices
Christian Posta
 
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Christian Posta
 
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMeshService-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Christian Posta
 
Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1
Christian Posta
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisis
Christian Posta
 
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
Christian Posta
 
PHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh LandscapePHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh Landscape
Christian Posta
 
Intro to Knative
Intro to KnativeIntro to Knative
Intro to Knative
Christian Posta
 

More from Christian Posta (20)

Move Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the PlatformMove Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the Platform
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Understanding Wireguard, TLS and Workload Identity
Understanding Wireguard, TLS and Workload IdentityUnderstanding Wireguard, TLS and Workload Identity
Understanding Wireguard, TLS and Workload Identity
 
Compliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient MeshCompliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient Mesh
 
Cilium + Istio with Gloo Mesh
Cilium + Istio with Gloo MeshCilium + Istio with Gloo Mesh
Cilium + Istio with Gloo Mesh
 
Multi-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMeshMulti-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMesh
 
Multicluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh PatternsMulticluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh Patterns
 
Cloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service MeshCloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service Mesh
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)
 
The Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data PlaneThe Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data Plane
 
Role of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoptionRole of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoption
 
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and LinkerdNavigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
 
Chaos Debugging for Microservices
Chaos Debugging for MicroservicesChaos Debugging for Microservices
Chaos Debugging for Microservices
 
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
 
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMeshService-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
 
Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisis
 
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
 
PHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh LandscapePHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh Landscape
 
Intro to Knative
Intro to KnativeIntro to Knative
Intro to Knative
 

Recently uploaded

“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
Edge AI and Vision Alliance
 
APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
ThousandEyes
 
Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0
Neeraj Kumar Singh
 
Metadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - DatastratoMetadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - Datastrato
Zilliz
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
The Digital Insurer
 
Database Management Myths for Developers
Database Management Myths for DevelopersDatabase Management Myths for Developers
Database Management Myths for Developers
John Sterrett
 
Supercomputing from the Desktop Workstation
Supercomputingfrom the Desktop WorkstationSupercomputingfrom the Desktop Workstation
Supercomputing from the Desktop Workstation
Larry Smarr
 
Artificial Intelligence and Its Different Domains.pptx
Artificial Intelligence and Its Different Domains.pptxArtificial Intelligence and Its Different Domains.pptx
Artificial Intelligence and Its Different Domains.pptx
officialnavya2010
 
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024
BookNet Canada
 
UiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs ConferenceUiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs Conference
UiPathCommunity
 
Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0
Neeraj Kumar Singh
 
Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0
Neeraj Kumar Singh
 
this resume for sadika shaikh bca student
this resume for sadika shaikh bca studentthis resume for sadika shaikh bca student
this resume for sadika shaikh bca student
SadikaShaikh7
 
Blockchain and Cyber Defense Strategies in new genre times
Blockchain and Cyber Defense Strategies in new genre timesBlockchain and Cyber Defense Strategies in new genre times
Blockchain and Cyber Defense Strategies in new genre times
anupriti
 
9 Ways Pastors Will Use AI Everyday By 2029
9 Ways Pastors Will Use AI Everyday By 20299 Ways Pastors Will Use AI Everyday By 2029
9 Ways Pastors Will Use AI Everyday By 2029
Big Click Syndicate LLC
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final  v1STKI Israeli Market Study 2024 final  v1
STKI Israeli Market Study 2024 final v1
Dr. Jimmy Schwarzkopf
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
ThousandEyes
 
Quality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of TimeQuality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of Time
Aurora Consulting
 
AI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AIAI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AI
Raphaël Semeteys
 
Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threats
Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum ThreatsNavigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threats
Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threats
anupriti
 

Recently uploaded (20)

“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
 
APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
 
Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0
 
Metadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - DatastratoMetadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - Datastrato
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Database Management Myths for Developers
Database Management Myths for DevelopersDatabase Management Myths for Developers
Database Management Myths for Developers
 
Supercomputing from the Desktop Workstation
Supercomputingfrom the Desktop WorkstationSupercomputingfrom the Desktop Workstation
Supercomputing from the Desktop Workstation
 
Artificial Intelligence and Its Different Domains.pptx
Artificial Intelligence and Its Different Domains.pptxArtificial Intelligence and Its Different Domains.pptx
Artificial Intelligence and Its Different Domains.pptx
 
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024
 
UiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs ConferenceUiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs Conference
 
Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0
 
Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0
 
this resume for sadika shaikh bca student
this resume for sadika shaikh bca studentthis resume for sadika shaikh bca student
this resume for sadika shaikh bca student
 
Blockchain and Cyber Defense Strategies in new genre times
Blockchain and Cyber Defense Strategies in new genre timesBlockchain and Cyber Defense Strategies in new genre times
Blockchain and Cyber Defense Strategies in new genre times
 
9 Ways Pastors Will Use AI Everyday By 2029
9 Ways Pastors Will Use AI Everyday By 20299 Ways Pastors Will Use AI Everyday By 2029
9 Ways Pastors Will Use AI Everyday By 2029
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final  v1STKI Israeli Market Study 2024 final  v1
STKI Israeli Market Study 2024 final v1
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
 
Quality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of TimeQuality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of Time
 
AI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AIAI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AI
 
Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threats
Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum ThreatsNavigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threats
Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threats
 

Deep Dive: Building external auth plugins for Gloo Enterprise

  • 1. Solo.io Deep Dive: Building Go plugins for external auth service for Gloo Enterprise
  • 2. The Gloo Control Plane
  • 3. External Auth Plugins
  • 4. External Auth Plugins
  • 5. External Auth Plugins
  • 6. External Auth Plugins
  • 7. Creating a plugin. See example: https://github.com/solo-io/ext-auth-plugin-examples
  • 8. Creating the plugin source
  • 9. Plugin implements ExtAuthPlugin interface
      type ExtAuthPlugin interface {
          NewConfigInstance(ctx context.Context) (configInstance interface{}, err error)
          GetAuthService(ctx context.Context, configInstance interface{}) (AuthService, error)
      }
      https://docs.solo.io/gloo/latest/gloo_routing/virtual_services/security/plugin_auth/
  • 10. Config instance maps to what we configure in VirtualService
      virtualHostPlugins:
        extensions:
          configs:
            extauth:
              plugin_auth:
                plugins:
                - config:
                    RequiredHeader: my-header
                    AllowedValues:
                    - foo
                    - bar
                    - baz
                  name: RequiredHeader
                  plugin_file_name: RequiredHeader.so
                  exported_symbol_name: Plugin
  • 11. AuthService interface
      type AuthService interface {
          Start(ctx context.Context) error
          Authorize(ctx context.Context, request *AuthorizationRequest) (*AuthorizationResponse, error)
      }
      https://docs.solo.io/gloo/latest/dev/writing_auth_plugins/
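  • 12. Plugin implements ExtAuthPlugin interface
      package main

      import (
          impl "github.com/solo-io/ext-auth-plugin-examples/plugins/required_header/pkg"
          "github.com/solo-io/ext-auth-plugins/api"
      )

      func main() {}

      // Compile-time check that the plugin type satisfies api.ExtAuthPlugin
      // (it also uses the api import, which Go requires).
      var _ api.ExtAuthPlugin = new(impl.RequiredHeaderPlugin)

      // Exported symbol that Gloo looks up (exported_symbol_name: Plugin).
      var Plugin impl.RequiredHeaderPlugin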
  • 13. Creating a plugin. See example: https://github.com/solo-io/ext-auth-plugin-examples
  • 14. Preparing and building the plugin for Gloo Enterprise
  • 15. Align version dependencies with Gloo Enterprise
      $ dep ensure -v
      $ GLOOE_VERSION=0.20.7 make compare-deps
      {
        "pluginDependencies": {
          "name": "github.com/gogo/protobuf",
          "version": "v1.2.1",
          "revision": "ba06b47c162d49f2af050fb4c75bcbc86a159d5c"
        },
        "glooeDependencies": {
          "name": "github.com/gogo/protobuf",
          "version": "v1.3.0",
          "revision": "0ca988a254f991240804bf9821f3450d87ccbb1b"
        }
      },
  • 16. Align version dependencies with Gloo Enterprise
      $ # correct the dep mismatches in Gopkg.toml
      $ dep ensure -v
      $ GLOOE_VERSION=0.20.7 make compare-deps
      go run scripts/compare_dependencies.go Gopkg.lock _glooe/Gopkg.lock
      All shared dependencies match
  • 17. Build plugin (needs access to docker daemon)
      $ GLOOE_VERSION=0.20.7 make build-plugins
      Be on the lookout for this log line in the docker build:
      {"level":"info","ts":"2019-11-01T16:51:10.694Z","logger":"verify-plugins.header_value_plugin", "caller":"pkg/impl.go:39","msg":"Parsed RequiredHeaderAuthService config", "requiredHeader":"my-auth-header","allowedHeaderValues":["foo","bar","baz"] }
      {"level":"info","ts":"2019-11-01T16:51:10.695Z","logger":"verify-plugins", "caller":"plugins/loader.go:63","msg":"Successfully loaded plugin. Adding it to the plugin chain.", "pluginName":"RequiredHeader"}
      {"level":"info","ts":"2019-11-01T16:51:10.696Z","logger":"verify-plugins", "caller":"scripts/verify_plugins.go:62","msg":"Successfully verified that plugins can be loaded by Gloo!"}
  • 18. Tag the docker image and push to registry
      $ docker images
      $ docker tag <find tag> gcr.io/solo-public/ext-auth-example:v0.20.7
      $ docker push gcr.io/solo-public/ext-auth-example:v0.20.7
  • 19. Now we have our plugin! See example: https://github.com/solo-io/ext-auth-plugin-examples
  • 20. Deploying and verifying our plugin
  • 21. External Auth Plugins
  • 22. Configuration values for Gloo Enterprise install (plugin-values.yaml)
      license_key: YOUR_LICENSE_KEY
      global:
        extensions:
          extAuth:
            plugins:
              my-plugin:
                image:
                  repository: gloo-examples-extauth-required-header
                  registry: gcr.io/solo-public
                  pullPolicy: IfNotPresent
                  tag: 0.20.7
  • 23. Install Gloo with Ext-Auth plugin configured
      $ helm fetch glooe/gloo-ee --version "0.20.7" --untar
      $ kubectl create ns gloo-system
      $ helm template gloo-ee --namespace gloo-system -f plugin-values.yaml | kubectl apply -f -
  • 24. Verify plugin got copied over correctly
      $ kubectl exec -n gloo-system deploy/extauth -- ls -l /auth-plugins
      total 28356
      -rw-r--r-- 1 root root 29033304 Nov 1 20:03 RequiredHeader.so
  • 25. Already have Gloo Enterprise installed? Just add the initContainer to deploy/extauth:
      initContainers:
      - image: gcr.io/solo-public/gloo-examples-extauth-required-header:0.20.7
        imagePullPolicy: IfNotPresent
        name: plugin-my-plugin
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /auth-plugins
          name: auth-plugins
  • 26. Configure the plugin and enforcement
  • 27. Config instance maps to what we configure in VirtualService
      virtualHostPlugins:
        extensions:
          configs:
            extauth:
              plugin_auth:
                plugins:
                - config:
                    RequiredHeader: my-header
                    AllowedValues:
                    - foo
                    - bar
                    - baz
                  name: RequiredHeader
                  plugin_file_name: RequiredHeader.so
                  exported_symbol_name: Plugin
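The required-header check that the slides configure, written against the AuthService interface from slide 11, as an added example (not code from the deck or from the solo-io repositories). AuthorizationRequest and AuthorizationResponse are simplified local stand-ins for the real API types, and Config, NewService and RequiredHeaderService are hypothetical names.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Local stand-ins (assumption) for the request/response types in
// github.com/solo-io/ext-auth-plugins/api; only headers are modelled.
type AuthorizationRequest struct{ Headers map[string]string }
type AuthorizationResponse struct{ Allowed bool }

// Config mirrors the `config:` block of the VirtualService on the slides.
type Config struct {
	RequiredHeader string
	AllowedValues  []string
}

// RequiredHeaderService is a hypothetical AuthService implementation.
type RequiredHeaderService struct {
	header  string
	allowed map[string]bool
}

// NewService plays the role of GetAuthService: unusable config is an error,
// so a misconfigured plugin fails at load time instead of allowing traffic.
func NewService(c *Config) (*RequiredHeaderService, error) {
	if c == nil || c.RequiredHeader == "" || len(c.AllowedValues) == 0 {
		return nil, fmt.Errorf("RequiredHeader and AllowedValues must be set")
	}
	// Assumption: request header names arrive lowercased, as Envoy sends them.
	s := &RequiredHeaderService{header: strings.ToLower(c.RequiredHeader), allowed: map[string]bool{}}
	for _, v := range c.AllowedValues {
		s.allowed[v] = true
	}
	return s, nil
}

func (s *RequiredHeaderService) Start(ctx context.Context) error { return nil }

// Authorize denies by default: nil request, missing header or unlisted value.
func (s *RequiredHeaderService) Authorize(ctx context.Context, r *AuthorizationRequest) (*AuthorizationResponse, error) {
	if r == nil {
		return &AuthorizationResponse{}, nil
	}
	value, present := r.Headers[s.header]
	return &AuthorizationResponse{Allowed: present && s.allowed[value]}, nil
}

func main() {} // empty, as in the plugin package on slide 12
```

Rejecting an empty allow-list in the constructor keeps a bad VirtualService config from silently turning into an allow-all or deny-all policy.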