Configuration format history

Gloo Gateway Enterprise versions >=0.20.1

Gloo Gateway Enterprise, release 0.20.1, simplified the external auth configuration format. You can now specify the extauth configuration directly on the Options/Plugins (Gloo Gateway 1.0+ vs Gloo Gateway 0.x respectively) attribute of the relevant resource:

options: # Pre Gloo Gateway 1.0, this was virtualHostPlugins, routePlugins, or weightedDestinationPlugins
  extauth:
    configRef:
      name: basic-auth
      namespace: gloo-system

Compare this to the old format (not supported in Gloo Gateway 1.0+):

virtualHostPlugins:
  extensions:
    configs:
      extauth:
        configRef:
          name: basic-auth
          namespace: gloo-system

For more information on the latest configuration format see the main page of the authentication section of the docs.

Gloo Gateway Enterprise versions >=0.19.0

As of now, this configuration format is still supported by Gloo Gateway Enterprise.

Gloo Gateway Enterprise, release 0.19.0, introduced the possibility to configure authentication on Routes and WeightedDestinations. As part of this change, authentication configurations have been promoted to top-level resources, i.e. they are stored in a dedicated AuthConfig resource. The new features require this new configuration format.

Here is an example AuthConfig resource:

apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: basic-auth
  namespace: gloo-system
spec:
  configs:
  - basicAuth:
      realm: "test"
      apr:
        users:
          user:
            salt: "TYiryv0/"
            hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"

The format of the configuration for the different external auth implementations has not changed from previous versions, i.e. the spec.configs attribute has the same format as the extensions.configs.extauth.configs attribute that we used to define directly on virtual services.

Once you have defined your AuthConfigs you can reference them in your virtual services like this:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: my-vs
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - 'example.com'
    virtualHostPlugins:
      extensions:
        configs:
          extauth:
            configRef:
              name: basic-auth # Default auth config for this virtual host and all its child resources
              namespace: gloo-system
    routes:
    - matcher:
        prefix: /super-secret
      routeAction:
        single:
          upstream:
            name: some-secret-upstream-1234
            namespace: gloo-system
      routePlugins:
        extensions:
          configs:
            extauth:
              name: admin-auth # More specific config overwrites the parent default
              namespace: gloo-system
    - matcher:
        prefix: /public
      routeAction:
        single:
          upstream:
            name: some-public-upstream-1234
            namespace: gloo-system
      routePlugins:
        extensions:
          configs:
            extauth:
              disable: true # Disable auth for this route
    - matcher:
        prefix: /
      routeAction:
        single:
          upstream:
            name: some-upstream-1234
            namespace: gloo-system

Gloo Gateway Enterprise versions >=0.18.21

As of now, this configuration format is still supported by Gloo Gateway Enterprise.

Gloo Gateway Enterprise, release 0.18.21, introduced a change in the authentication configuration format. It turned the extauth attribute from being an object into an array. This allows us to define multiple configuration steps that are executed in the order in which they are specified. If any one of these steps fails, the request will be denied without executing any subsequent steps. Authentication can still be configured only on virtual hosts, with the possibility for child routes to opt out.

Here is an example of this configuration format:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: test-auth
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - 'foo'
    routes:
      - matcher:
          prefix: /authenticated
        routeAction:
          single:
            upstream:
              name: my-upstream
              namespace: gloo-system
    virtualHostPlugins:
      extensions:
        configs:
          extauth:
            configs:
            - basicAuth:
                realm: "test"
                apr:
                  users:
                    user:
                      salt: "TYiryv0/"
                      hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"

Gloo Gateway Enterprise versions <0.18.21

As of now, this configuration format is still supported by Gloo Gateway Enterprise.

This is the original configuration format that was first introduced in the early days of Gloo Gateway Enterprise (it was originally released with version v0.0.10). This configuration format supports authentication only on Virtual Hosts. The configuration has to be specified directly on the Virtual Service CRD:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: test-auth
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - 'foo'
    routes:
      - matcher:
          prefix: /authenticated
        routeAction:
          single:
            upstream:
              name: my-upstream
              namespace: gloo-system
    virtualHostPlugins:
      extensions:
        configs:
          extauth:
            basicAuth:
              realm: "test"
              apr:
                users:
                  user:
                    salt: "TYiryv0/"
                    hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"

On a Route level, it is only possible to opt out of auth configurations specified on parent Virtual Hosts:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: test-auth
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - 'foo'
    routes:
      - matcher:
          prefix: /authenticated
        routeAction:
          single:
            upstream:
              name: my-upstream
              namespace: gloo-system
      - matcher:
          prefix: /skip-auth
        routeAction:
          single:
            upstream:
              name: my-insecure-upstream
              namespace: gloo-system
        routePlugins:
          extensions:
            configs:
              extauth:
                disable: true
    virtualHostPlugins:
      extensions:
        configs:
          extauth:
            basicAuth:
              realm: "test"
              apr:
                users:
                  user:
                    salt: "TYiryv0/"
                    hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"