Configuration format history
Gloo Gateway Enterprise versions >=0.20.1
Gloo Gateway Enterprise, release 0.20.1, simplified the
external auth configuration format. You can now specify the extauth
configuration directly on the Options
/Plugins
(Gloo Gateway 1.0+ vs Gloo Gateway 0.x respectively) attribute of the relevant resource:
options: # Pre Gloo Gateway 1.0, this was virtualHostPlugins, routePlugins, or weightedDestinationPlugins
extauth:
configRef:
name: basic-auth
namespace: gloo-system
Compare this to the old format (not supported in Gloo Gateway 1.0+):
virtualHostPlugins:
extensions:
configs:
extauth:
configRef:
name: basic-auth
namespace: gloo-system
For more information on the latest configuration format see the main page of the authentication section of the docs.
Gloo Gateway Enterprise versions >=0.19.0
As of now, this configuration format is still supported by Gloo Gateway Enterprise.
Gloo Gateway Enterprise, release 0.19.0, introduced the possibility to
configure authentication on Routes and WeightedDestinations. As part of this change, authentication configurations
have been promoted to top-level resources, i.e. they are stored in a dedicated AuthConfig
resource.
The new features require this new configuration format.
Here is an example AuthConfig
resource:
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
name: basic-auth
namespace: gloo-system
spec:
configs:
- basicAuth:
realm: "test"
apr:
users:
user:
salt: "TYiryv0/"
hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"
The format of the configuration for the different external auth implementations has not changed from previous versions,
i.e. the spec.configs
attribute has the same format as the extensions.configs.extauth.configs
attribute that we used
to define directly on virtual services.
Once you have defined your AuthConfigs
you can reference them in your virtual services like this:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
name: my-vs
namespace: gloo-system
spec:
virtualHost:
domains:
- 'example.com'
virtualHostPlugins:
extensions:
configs:
extauth:
configRef:
name: basic-auth # Default auth config for this virtual host and all its child resources
namespace: gloo-system
routes:
- matcher:
prefix: /super-secret
routeAction:
single:
upstream:
name: some-secret-upstream-1234
namespace: gloo-system
routePlugins:
extensions:
configs:
extauth:
name: admin-auth # More specific config overwrites the parent default
namespace: gloo-system
- matcher:
prefix: /public
routeAction:
single:
upstream:
name: some-public-upstream-1234
namespace: gloo-system
routePlugins:
extensions:
configs:
extauth:
disable: true # Disable auth for this route
- matcher:
prefix: /
routeAction:
single:
upstream:
name: some-upstream-1234
namespace: gloo-system
Gloo Gateway Enterprise versions >=0.18.21
As of now, this configuration format is still supported by Gloo Gateway Enterprise.
Gloo Gateway Enterprise, release 0.18.21, introduced a change in the
authentication configuration format. It turned the extauth
attribute from being an object into an array. This allows us
to define multiple configuration steps that are executed in the order in which they are specified. If any one of these
steps fails, the request will be denied without executing any subsequent steps. Authentication can still be configured
only on virtual hosts, with the possibility for child routes to opt out.
Here is an example of this configuration format:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
name: test-auth
namespace: gloo-system
spec:
virtualHost:
domains:
- 'foo'
routes:
- matcher:
prefix: /authenticated
routeAction:
single:
upstream:
name: my-upstream
namespace: gloo-system
virtualHostPlugins:
extensions:
configs:
extauth:
configs:
- basicAuth:
realm: "test"
apr:
users:
user:
salt: "TYiryv0/"
hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"
Gloo Gateway Enterprise versions <0.18.21
As of now, this configuration format is still supported by Gloo Gateway Enterprise.
This is the original configuration format that was first introduced in the early days of Gloo Gateway Enterprise (it was originally released with version v0.0.10). This configuration format supports authentication only on Virtual Hosts. The configuration has to be specified directly on the Virtual Service CRD:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
name: test-auth
namespace: gloo-system
spec:
virtualHost:
domains:
- 'foo'
routes:
- matcher:
prefix: /authenticated
routeAction:
single:
upstream:
name: my-upstream
namespace: gloo-system
virtualHostPlugins:
extensions:
configs:
extauth:
basicAuth:
realm: "test"
apr:
users:
user:
salt: "TYiryv0/"
hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"
On a Route level, it is only possible to opt out of auth configurations specified on parent Virtual Hosts:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
name: test-auth
namespace: gloo-system
spec:
virtualHost:
domains:
- 'foo'
routes:
- matcher:
prefix: /authenticated
routeAction:
single:
upstream:
name: my-upstream
namespace: gloo-system
- matcher:
prefix: /skip-auth
routeAction:
single:
upstream:
name: my-insecure-upstream
namespace: gloo-system
routePlugins:
extensions:
configs:
extauth:
disable: true
virtualHostPlugins:
extensions:
configs:
extauth:
basicAuth:
realm: "test"
apr:
users:
user:
salt: "TYiryv0/"
hashedPassword: "8BvzLUO9IfGPGGsPnAgSu1"