devbennett7/goma-gateway
1
0
Fork 0
Code Pull Requests Activity

Merge pull request #144 from jkaninda/docs

Browse Source 
docs: update operator deployment
This commit is contained in:
Jonas Kaninda
2024-12-02 07:51:39 +01:00
committed by GitHub
parent 29e62f5a85 bca392ce1c
commit 8456691ef8
25 changed files with 281 additions and 292 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/install/kubernetes.md
View File

@@ -7,6 +7,11 @@ nav_order: 4
# Kubernetes Installation
Goma Gateway has two types of installations: simple and advanced.
## 1. Simple Deployment
Simple deployment is to deploy Goma Gateway using Kubernetes deployment resources.
Details about how to use Goma in Kubernetes can be found on the hub.docker.com repo hosting the image: Goma.
We also have some cool examples with [Kubernetes deployment template](https://github.com/jkaninda/goma-gateway/tree/main/examples) with built-in orchestration and scalability.
@@ -84,3 +89,8 @@ spec:
name: goma-config
```
## 2. Advanced Deployment
Advanced deployment is to deploy Goma Gateway using its Kubernetes Operator.
See Operator Manuel

17
docs/middleware/access.md
View File

@@ -38,20 +38,3 @@ Example of access middleware
middlewares:
- api-forbidden-paths
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: access-middleware-sample
spec:
type: access
## prevents access paths
paths:
- /swagger-ui/*
- /v2/swagger-ui/*
- /api-docs/*
- /internal/*
- /actuator/*
```

146
docs/middleware/jwt.md
View File

@@ -1,93 +1,103 @@
---
title: JWT auth
title: JWT Middleware
layout: default
parent: Middleware
nav_order: 4
---
### JWT middleware
### JWT Middleware
As BasicAuth, JWT middleware grants also access to route to authorized users only.
It implements client authorization based on the result of a request using JSON Web Tokens.
The JWT middleware restricts access to routes, similar to BasicAuth, by authorizing users based on JSON Web Tokens (JWTs).
If the request returns a 200 response code, access is allowed.
If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the request is considered an error.
---
It depends on an authentication service on the backend.
#### How It Works
It works as `ngx_http_auth_request_module` on Nginx
```conf
location /private/ {
auth_request /auth;
...
}
1. **Authorization Logic**
The middleware determines access based on the HTTP response from an authentication service:
- **200 (OK)**: Access is granted.
- **401 (Unauthorized)** or **403 (Forbidden)**: Access is denied with the corresponding error code.
- **Other Response Codes**: Treated as errors.
location = /auth {
proxy_pass ...
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
2. **Backend Dependency**
The middleware relies on a backend authentication service to validate requests.
3. **Nginx Inspiration**
Its behavior is comparable to `ngx_http_auth_request_module` in Nginx.
Here's an example Nginx configuration:
```
location /private/ {
auth_request /auth;
...
}
location = /auth {
proxy_pass ...;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
```
You can also get headers from the authentication request result and inject them into the next request header or params.
### Header and Parameter Injection
In case you want to get headers from the authentication service and inject them into the next request headers.
The middleware supports extracting headers from the authentication response and injecting them into the next requests headers or parameters.
Set the request variable to the given value after the authorization request completes.
Key is authentication request response header Key. Value is the next Request header Key.
1. **Injecting Headers**
Add headers to the next request after a successful authorization:
```yaml
headers:
## Key Authentication request header key and value is next request header key
userId: X-Auth-UserId
userCountryId: X-Auth-UserCountryId
headers:
# Key: Auth request header key | Value: Next request header key
userId: X-Auth-UserId
userCountryId: X-Auth-UserCountryId
```
The second example, is in case you want to get headers from the authentication request and inject them into the next request parameters.
Key is authentication request response header Key. Value is the next Request parameter Key.
See the example below.
2. **Injecting Parameters**
Add parameters to the next request from the authentication response headers:
```yaml
# Key Authentication request header key and value is next request parameter key
params:
userId: userId
userCountryId: countryId
params:
# Key: Auth request header key | Value: Next request parameter key
userId: userId
userCountryId: countryId
```
Example of JWT middleware
### Example Configuration
Below is a complete example of JWT middleware configuration:
```yaml
middlewares:
#Enables JWT authorization based on the result of a request and continues the request.
- name: google-auth
# jwt authorization based on the result of backend's response and continue the request when the client is authorized
type: jwt
# Paths to protect
paths:
- /protected-access
- /example-of-jwt
#- /* or wildcard path
rule:
# This is an example URL
url: https://www.example.com/auth/access
# Required headers, if not present in the request, the proxy will return 403
requiredHeaders:
- Authorization
#Set the request variable to the given value after the authorization request completes.
#
# Add header to the next request from AuthRequest header, depending on your requirements
# Key is AuthRequest's response header Key, and value is Request's header Key
# In case you want to get headers from the authentication service and inject them into the next request header or parameters,
#Set the request variable to the given value after completing the authorization request.
#
# Add header to the next request from AuthRequest header, depending on your requirements
# Key is AuthRequest's response header Key, and value is next request header Key
# In case you want to get headers from the authentication service and inject them into the next request headers.
headers:
userId: X-Auth-UserId
userCountryId: X-Auth-UserCountryId
# In case you want to get headers from the Authentication service and inject them to the next request params.
params:
userCountryId: countryId
```
- name: jwt-auth
type: jwt
# Paths to protect
paths:
- /protected-access
- /example-of-jwt
# - /* for wildcard paths
rule:
# URL of the backend authentication service
url: https://www.example.com/auth/access
# Headers required in the incoming request
requiredHeaders:
- Authorization
# Headers to include in the next request
headers:
userId: X-Auth-UserId
userCountryId: X-Auth-UserCountryId
# Parameters to include in the next request
params:
userId: userId
userCountryId: countryId
```
### Notes
- Use this middleware to secure endpoints by delegating authorization to a backend service.
- Properly configure the rule section to match your authentication service requirements.

2
docs/middleware/oauth.md
View File

@@ -83,7 +83,7 @@ kind: Middleware
metadata:
name: oauth-middleware-sample
spec:
type: basic
type: oauth
paths:
- /protected
- /example-of-oauth

2
docs/middleware/rate-limit.md
View File

@@ -51,7 +51,7 @@ kind: Middleware
metadata:
name: ratelimit-middleware-sample
spec:
type: basic
type: ratelimit
paths:
- /*
rule:

8
docs/quickstart/distrubuted-intance.md → docs/monitoring/distrubuted-intance.md
View File

@@ -1,8 +1,8 @@
---
title: Distributed instances
layout: default
parent: Quickstart
nav_order: 5
parent: Monitoring and Performance
nav_order: 4
---
@@ -15,8 +15,8 @@ By leveraging Redis, the Gateway ensures high-performance request throttling and
```yaml
version: "1.0"
gateway:
sslCertFile: cert.pem
sslKeyFile: key.pem
tlsCertFile: cert.pem
tlsKeyFile: key.pem
writeTimeout: 15
readTimeout: 15
idleTimeout: 30

8
docs/monitoring/index.md Normal file
View File

@@ -0,0 +1,8 @@
---
title: Monitoring and Performance
layout: default
nav_order: 5
has_children: true
---
## Monitoring and Performance

4
docs/quickstart/loadbalanging.md → docs/monitoring/loadbalanging.md
View File

@@ -1,8 +1,8 @@
---
title: Load Balancing
layout: default
parent: Quickstart
nav_order: 4
parent: Monitoring and Performance
nav_order: 3
---

4
docs/quickstart/logging.md → docs/monitoring/logging.md
View File

@@ -1,8 +1,8 @@
---
title: Logging
layout: default
parent: Quickstart
nav_order: 6
parent: Monitoring and Performance
nav_order: 2
---

4
docs/quickstart/monitoring.md → docs/monitoring/monitoring.md
View File

@@ -1,8 +1,8 @@
---
title: Monitoring
layout: default
parent: Quickstart
nav_order: 6
parent: Monitoring and Performance
nav_order: 1
---

25
docs/operator-manual/Uninstallation.md Normal file
View File

@@ -0,0 +1,25 @@
---
title: Uninstall
layout: default
parent: Operator Manual
nav_order: 5
---
# Uninstall
```sh
kubectl delete -f https://raw.githubusercontent.com/jkaninda/goma-operator/main/dist/install.yaml
```
### Force Gateway deletion
```shell
kubectl patch gateways.gomaproj.github.io (gatewayName) -p '{"metadata":{"finalizers":[]}}' --type=merge
```
### Force gateway crd deletion
```shell
kubectl patch crd gateways.gomaproj.github.io -p '{"metadata":{"finalizers":[]}}' --type=merge
```

98
docs/install/kuberntes-advanced.md → docs/operator-manual/gateway.md
View File

@@ -1,24 +1,10 @@
---
title: Kubernetes Advanced deployment
title: Gateway
layout: default
parent: Installation
nav_order: 5
parent: Operator Manual
nav_order: 2
---
# Kubernetes Advanced deployment using CRDs and an Operator
**Install the CRDs and Operator into the cluster:**
```sh
kubectl apply -f https://raw.githubusercontent.com/jkaninda/goma-operator/main/dist/install.yaml
```
## Resources
- Gateway
- Route
- Middleware
## Gateway
The **Gateway** serves as the entry point to the server, handling and routing incoming traffic.
@@ -99,82 +85,4 @@ Or
```shell
kubectl delete gateways.gomaproj.github.io (gatewayName)
```
## Middleware
A simple example of middleware
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: basic-middleware-sample
spec:
type: basic
paths:
- /admin/*
rule:
username: admin
password: admin
```
## Route
A simple example of route
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Route
metadata:
labels: {}
name: route-sample
spec:
gateway: gateway-sample
path: /
hosts: []
rewrite: /
methods:
- GET
- POST
- PUT
destination: https://example.com
backends: []
insecureSkipVerify: false
healthCheck:
path: /
interval: 10s
timeout: 10s
healthyStatuses:
- 200
- 404
cors:
origins: []
headers: {}
rateLimit: 15
disableHostFording: true
interceptErrors: []
blockCommonExploits: false
## Middleware names
middlewares:
- basic-middleware-sample
```
## Uninstall
```sh
kubectl delete -f https://raw.githubusercontent.com/jkaninda/goma-operator/main/dist/install.yaml
```
### Force Gateway deletion
```shell
kubectl patch gateways.gomaproj.github.io (gatewayName) -p '{"metadata":{"finalizers":[]}}' --type=merge
```
### Force gateway crd deletion
```shell
kubectl patch crd gateways.gomaproj.github.io -p '{"metadata":{"finalizers":[]}}' --type=merge
```

8
docs/operator-manual/index.md Normal file
View File

@@ -0,0 +1,8 @@
---
title: Operator Manual
layout: default
nav_order: 6
has_children: true
---
## Operator Manual

28
docs/operator-manual/installation.md Normal file
View File

@@ -0,0 +1,28 @@
---
title: Installation
layout: default
parent: Operator Manual
nav_order: 1
---
# Installation
## Kubernetes Advanced deployment using CRDs and an Operator
**Install the CRDs and Operator into the cluster:**
```sh
kubectl apply -f https://raw.githubusercontent.com/jkaninda/goma-operator/main/dist/install.yaml
```
### Resources
- Gateway
- Middleware
- Route
### Resources order
- Gateway
- Middleware
- Route

49
docs/operator-manual/middlware.md Normal file
View File

@@ -0,0 +1,49 @@
---
title: Middleware
layout: default
parent: Operator Manual
nav_order: 3
---
# Middleware
### Basic-auth
A simple example of middleware
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: basic-middleware-sample
spec:
type: basic
paths:
- /admin/*
rule:
username: admin
password: admin
```
### JWT-auth
```yaml
```
### Access
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: access-middleware-sample
spec:
type: access
## prevents access paths
paths:
- /swagger-ui/*
- /v2/swagger-ui/*
- /api-docs/*
- /internal/*
- /actuator/*
```

47
docs/operator-manual/route.md Normal file
View File

@@ -0,0 +1,47 @@
---
title: Route
layout: default
parent: Operator Manual
nav_order: 4
---
# Route
A simple example of route
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Route
metadata:
labels: {}
name: route-sample
spec:
gateway: gateway-sample
path: /
hosts: []
rewrite: /
methods:
- GET
- POST
- PUT
destination: https://example.com
backends: []
insecureSkipVerify: false
healthCheck:
path: /
interval: 10s
timeout: 10s
healthyStatuses:
- 200
- 404
cors:
origins: []
headers: {}
rateLimit: 15
disableHostFording: true
interceptErrors: []
blockCommonExploits: false
## Middleware names
middlewares:
- basic-middleware-sample
```

2
docs/upgrade/index.md
View File

@@ -1,7 +1,7 @@
---
title: Upgrade Notes
layout: default
nav_order: 5
nav_order: 7
has_children: true
---

2
docs/quickstart/extra-route.md → docs/usermanual/extra-route.md
View File

@@ -1,7 +1,7 @@
---
title: Extra Routes
layout: default
parent: Quickstart
parent: User Manual
nav_order: 3
---

46
docs/quickstart/gateway.md → docs/usermanual/gateway.md
View File

@@ -1,7 +1,7 @@
---
title: Gateway
layout: default
parent: Quickstart
parent: User Manual
nav_order: 1
---
@@ -90,48 +90,4 @@ gateway:
directory: /etc/goma/extra
watch: true
routes: []
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Gateway
metadata:
labels: {}
name: gateway-sample
spec:
# The version of Goma Gateway
# See: https://github.com/jkaninda/goma-gateway/releases
gatewayVersion: latest
server:
# Kubernetes tls secret name
tlsSecretName: '' #Optional, tls-secret
#Redis configs for distributed rate limiting across multiple instances
redis:
addr: '' #Optional, redis:6379
password: '' #Optional, password
writeTimeout: 10
readTimeout: 15
idleTimeout: 35
logLevel: info
disableHealthCheckStatus: true
disableKeepAlive: false
enableMetrics: true
# Replicas count
replicaCount: 1
resources:
limits:
cpu: 250m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
autoScaling:
enabled: true
minReplicas: 2
maxReplicas: 5
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
affinity: {}
```

4
docs/quickstart/healthcheck.md → docs/usermanual/healthcheck.md
View File

@@ -1,8 +1,8 @@
---
title: Healthcheck
layout: default
parent: Quickstart
nav_order: 5
parent: User Manual
nav_order: 4
---

4
docs/quickstart/index.md → docs/usermanual/index.md
View File

@@ -1,8 +1,8 @@
---
title: Quickstart
title: User Manual
layout: default
nav_order: 3
has_children: true
---
## Quickstart
## User Manual

35
docs/quickstart/route.md → docs/usermanual/route.md
View File

@@ -1,7 +1,7 @@
---
title: Route
layout: default
parent: Quickstart
parent: User Manual
nav_order: 2
---
@@ -189,37 +189,4 @@ gateway:
middlewares:
- api-forbidden-paths
- jwt-auth
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Route
metadata:
labels: {}
name: route-sample
spec:
gateway: gateway-sample
path: /
hosts: []
rewrite: /g
methods: [GET]
destination: https://example.com
backends: []
insecureSkipVerify: true
healthCheck:
path: /
interval: 10s
timeout: 10s
healthyStatuses:
- 200
- 404
cors:
origins: []
headers: {}
disableHostFording: true
blockCommonExploits: true
middlewares:
- basic-middleware-sample
- ratelimit
```

2
docs/quickstart/tls.md → docs/usermanual/tls.md
View File

@@ -1,7 +1,7 @@
---
title: TLS Certificate
layout: default
parent: Quickstart
parent: User Manual
nav_order: 5
---

9
examples/configMap.yaml
View File

@@ -135,16 +135,11 @@ data:
# Required headers, if not present in the request, the proxy will return 403
requiredHeaders:
- Authorization
# You can also get headers from the authentication request result and inject them into the next request header or params.
# In case you want to get headers from the authentication service and inject them into the next request headers.
# Set the request variable to the given value after the authorization request completes.
# In case you want to get headers from the authentication service and inject them into the next request headers.
# Key is authentication request response header Key. Value is the next Request header Key.
# Key: Auth request header key | Value: Next request header key
headers:
userId: Auth-UserId
userCountryId: Auth-UserCountryId
# In case you want to get headers from the Authentication service and inject them to the next request params.
#Key is authentication request response header Key. Value is the next Request parameter Key.
# Key: Auth request header key | Value: Next request parameter key
params:
userCountryId: countryId
# The server will return 403

9
examples/goma.yml
View File

@@ -136,16 +136,11 @@ middlewares:
# Required headers, if not present in the request, the proxy will return 403
requiredHeaders:
- Authorization
# You can also get headers from the authentication request result and inject them into the next request header or params.
# In case you want to get headers from the authentication service and inject them into the next request headers.
# Set the request variable to the given value after the authorization request completes.
# In case you want to get headers from the authentication service and inject them into the next request headers.
# Key is authentication request response header Key. Value is the next Request header Key.
# Key: Auth request header key | Value: Next request header key
headers:
userId: Auth-UserId
userCountryId: Auth-UserCountryId
# In case you want to get headers from the Authentication service and inject them to the next request params.
#Key is authentication request response header Key. Value is the next Request parameter Key.
# Key: Auth request header key | Value: Next request parameter key
params:
userCountryId: countryId
# The server will return 403