devbennett7/goma-gateway
1
0
Fork 0
Code Pull Requests Activity

refator: refacoting, replace ssl by tls

Browse Source
This commit is contained in:
Jonas Kaninda
2024-11-29 13:48:00 +01:00
parent 076d9aa56d
commit e33af02f04
11 changed files with 233 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
docs/install/kuberntes-advanced.md
View File

@@ -61,12 +61,12 @@ spec:
gatewayVersion: latest # 0.2.2
## Server config
server:
# # Kubernetes tls secret name
# tlsSecretName: tls-secret
# #Redis configs for distributed rate limiting across multiple instances
# redis:
# addr: redis:6379
# password: password
# Kubernetes tls secret name
tlsSecretName: '' #Optional, tls-secret
#Redis configs for distributed rate limiting across multiple instances
redis:
addr: '' #Optional, redis:6379
password: '' #Optional, password
writeTimeout: 10
readTimeout: 15
idleTimeout: 30
@@ -131,35 +131,33 @@ metadata:
name: route-sample
spec:
gateway: gateway-sample
routes:
- path: /
name: Example
hosts: []
rewrite: /
methods:
- GET
- POST
- PUT
destination: https://example.com
backends: []
insecureSkipVerify: false
healthCheck:
path: /
interval: 10s
timeout: 10s
healthyStatuses:
- 200
- 404
cors:
origins: []
headers: {}
rateLimit: 15
disableHostFording: true
interceptErrors: []
blockCommonExploits: false
## Middleware names
middlewares:
- basic-middleware-sample
path: /
hosts: []
rewrite: /
methods:
- GET
- POST
- PUT
destination: https://example.com
backends: []
insecureSkipVerify: false
healthCheck:
path: /
interval: 10s
timeout: 10s
healthyStatuses:
- 200
- 404
cors:
origins: []
headers: {}
rateLimit: 15
disableHostFording: true
interceptErrors: []
blockCommonExploits: false
## Middleware names
middlewares:
- basic-middleware-sample
```
## Uninstall

17
docs/middleware/access.md
View File

@@ -37,4 +37,21 @@ Example of access middleware
cors: {}
middlewares:
- api-forbidden-paths
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: access-middleware-sample
spec:
type: access
## prevents access paths
paths:
- /swagger-ui/*
- /v2/swagger-ui/*
- /api-docs/*
- /internal/*
- /actuator/*
```

16
docs/middleware/basic.md
View File

@@ -37,4 +37,20 @@ middlewares:
cors: {}
middlewares:
- basic-auth
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: basic-middleware-sample
spec:
type: basic
paths:
- /admin/*
rule:
username: admin
password: admin
```

65
docs/middleware/oauth.md
View File

@@ -5,9 +5,9 @@ parent: Middleware
nav_order: 5
---
### OAuth middleware
# OAuth middleware
Example of Google provider
### Example of Google provider
```yaml
- name: google-oauth
@@ -30,7 +30,7 @@ Example of Google provider
```
Example of Authentik provider
### Example of Authentik provider
```yaml
- name: oauth-authentik
@@ -59,32 +59,6 @@ Example of Authentik provider
jwtSecret: your-strong-jwt-secret | It's optional
```
### Access middleware
Access middleware prevents access to a route or specific route path.
Example of access middleware
```yaml
# The server will return 403
- name: api-forbidden-paths
type: access
## prevents access paths
paths:
- /swagger-ui/*
- /v2/swagger-ui/*
- /api-docs/*
- /internal/*
- /actuator/*
```
### RateLimit middleware
The RateLimit middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
Example of rateLimit middleware
```yaml
```
### Apply middleware on the route
```yaml
@@ -99,4 +73,37 @@ Example of rateLimit middleware
cors: {}
middlewares:
- oauth-authentik
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: oauth-middleware-sample
spec:
type: basic
paths:
- /protected
- /example-of-oauth
rule:
clientId: xxx
clientSecret: xxx
# oauth provider google, gitlab, github, amazon, facebook, custom
provider: custom
endpoint:
authUrl: https://authentik.example.com/application/o/authorize/
tokenUrl: https://authentik.example.com/application/o/token/
userInfoUrl: https://authentik.example.com/application/o/userinfo/
redirectUrl: https://example.com/callback
#RedirectPath is the PATH to redirect users after authentication, e.g: /my-protected-path/dashboard
redirectPath: ''
#CookiePath e.g.: /my-protected-path or / || by default is applied on a route path
cookiePath: "/"
scopes:
- email
- openid
state: randomStateString
jwtSecret: your-strong-jwt-secret | It's optional
```

18
docs/middleware/rate-limit.md
View File

@@ -20,7 +20,7 @@ middlewares:
- /*
rule:
unit: minute # or hour
requestsPerUnit: 10
requestsPerUnit: 60
```
Example of route rate limiting middleware
@@ -41,4 +41,20 @@ gateway:
rateLimit: 60 # per minute
routes:
- name: Example
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Middleware
metadata:
name: ratelimit-middleware-sample
spec:
type: basic
paths:
- /*
rule:
unit: minute # or hour
requestsPerUnit: 60
```

44
docs/quickstart/gateway.md
View File

@@ -90,4 +90,48 @@ gateway:
directory: /etc/goma/extra
watch: true
routes: []
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Gateway
metadata:
labels: {}
name: gateway-sample
spec:
# The version of Goma Gateway
# See: https://github.com/jkaninda/goma-gateway/releases
gatewayVersion: latest # 0.2.2
server:
# Kubernetes tls secret name
tlsSecretName: '' #Optional, tls-secret
#Redis configs for distributed rate limiting across multiple instances
redis:
addr: '' #Optional, redis:6379
password: '' #Optional, password
writeTimeout: 10
readTimeout: 15
idleTimeout: 35
logLevel: info
disableHealthCheckStatus: true
disableKeepAlive: false
enableMetrics: true
# Replicas count
replicaCount: 1
resources:
limits:
cpu: 250m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
autoScaling:
enabled: true
minReplicas: 2
maxReplicas: 5
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
affinity: {}
```

33
docs/quickstart/route.md
View File

@@ -189,4 +189,37 @@ gateway:
middlewares:
- api-forbidden-paths
- jwt-auth
```
## Advanced Kubernetes deployment
```yaml
apiVersion: gomaproj.github.io/v1beta1
kind: Route
metadata:
labels: {}
name: route-sample
spec:
gateway: gateway-sample
path: /
hosts: []
rewrite: /g
methods: [GET]
destination: https://example.com
backends: []
insecureSkipVerify: true
healthCheck:
path: /
interval: 10s
timeout: 10s
healthyStatuses:
- 200
- 404
cors:
origins: []
headers: {}
disableHostFording: true
blockCommonExploits: true
middlewares:
- basic-middleware-sample
- ratelimit
```

8
docs/quickstart/ssl.md → docs/quickstart/tls.md
View File

@@ -1,19 +1,19 @@
---
title: SSL Certificate
title: TLS Certificate
layout: default
parent: Quickstart
nav_order: 5
---
# SSL Certificate
# TLS Certificate
```yaml
version: 1.0
gateway:
sslCertFile: cert.pem
sslKeyFile: key.pem
tlsCertFile: cert.pem
tlsKeyFile: key.pem
```

8
internal/gateway_type.go
View File

@@ -20,9 +20,13 @@ package pkg
// Gateway contains Goma Proxy Gateway's configs
type Gateway struct {
// SSLCertFile SSL Certificate file
SSLCertFile string `yaml:"sslCertFile" env:"GOMA_SSL_CERT_FILE, overwrite"`
SSLCertFile string `yaml:"sslCertFile,omitempty" env:"GOMA_SSL_CERT_FILE, overwrite"` // Deprecated, use TlsCertFile instead
// SSLKeyFile SSL Private key file
SSLKeyFile string `yaml:"sslKeyFile" env:"GOMA_SSL_KEY_FILE, overwrite"`
SSLKeyFile string `yaml:"sslKeyFile,omitempty" env:"GOMA_SSL_KEY_FILE, overwrite"` // Deprecated, use TlsKeyFile instead
// TlsCertFile TLS Certificate file
TlsCertFile string `yaml:"tlsCertFile" env:"GOMA_TLS_CERT_FILE, overwrite"`
// SSLKeyFile TLS Private key file
TlsKeyFile string `yaml:"tlsKeyFile" env:"GOMA_TLS_KEY_FILE, overwrite"`
// Redis contains redis database details
Redis Redis `yaml:"redis"`
// WriteTimeout defines proxy write timeout

3
internal/server.go
View File

@@ -37,9 +37,8 @@ func (gatewayServer GatewayServer) Start() error {
tlsConfig, listenWithTLS, err := gatewayServer.initTLS()
if err != nil {
return err
logger.Error("Failed to initialize TLS")
}
if !gatewayServer.gateway.DisableDisplayRouteOnStart {
printRoute(dynamicRoutes)
}

33
internal/tls.go
View File

@@ -24,16 +24,35 @@ import (
)
func (gatewayServer GatewayServer) initTLS() (*tls.Config, bool, error) {
cert, key := gatewayServer.gateway.SSLCertFile, gatewayServer.gateway.SSLKeyFile
if cert == "" || key == "" {
loadAndWarn := func(cert, key string, warnMsg string) (*tls.Config, bool, error) {
if len(cert) != 0 || len(key) != 0 {
if warnMsg != "" {
logger.Warn(warnMsg)
}
tlsConfig, err := loadTLS(cert, key)
if err != nil {
return nil, false, fmt.Errorf("failed to load TLS config: %w", err)
}
return tlsConfig, true, nil
}
return nil, false, nil
}
tlsConfig, err := loadTLS(cert, key)
if err != nil {
return nil, false, fmt.Errorf("failed to load TLS config: %w", err)
// Check deprecated fields
tlsConfig, loaded, err := loadAndWarn(
gatewayServer.gateway.SSLCertFile,
gatewayServer.gateway.SSLKeyFile,
"sslCertFile and sslKeyFile are deprecated, please use tlsCertFile and tlsKeyFile instead",
)
if loaded || err != nil {
return tlsConfig, loaded, err
}
return tlsConfig, true, nil
// Check new fields
return loadAndWarn(
gatewayServer.gateway.TlsCertFile,
gatewayServer.gateway.TlsKeyFile,
"",
)
}
// loadTLS loads TLS Certificate