This tutorial shows how to expose and secure services or Functions using API Gateway Controller. The controller reacts to an instance of the APIRule custom resource (CR) and creates an Istio VirtualService and Oathkeeper Access Rules according to the details specified in the CR. To interact with the secured services, the tutorial uses an OAuth2 client registered through the Hydra Maester controller.

Prerequisites

• Deploy a sample HttpBin service and a sample Function.
• Set up your custom domain or use a Kyma domain instead.

• Depending on whether you use your custom domain or a Kyma domain, export the necessary values as environment variables:

  • Custom domain
  • Kyma domain

Register an OAuth2 client and get tokens

1. Export the client name as an environment variable:

   Click to copy

   export CLIENT_NAME={YOUR_CLIENT_NAME}

2. Create an OAuth2 client with read and write scopes. Run:

   Click to copy

   cat <<EOF | kubectl apply -f -
   apiVersion: hydra.ory.sh/v1alpha1
   kind: OAuth2Client
   metadata:
     name: $CLIENT_NAME
     namespace: $NAMESPACE
   spec:
     grantTypes:
       - "client_credentials"
     scope: "read write"
     secretName: $CLIENT_NAME
   EOF

3. Export the client's credentials as environment variables. Run:

   Click to copy

   export CLIENT_ID="$(kubectl get secret -n $NAMESPACE $CLIENT_NAME -o jsonpath='{.data.client_id}' | base64 --decode)"
   export CLIENT_SECRET="$(kubectl get secret -n $NAMESPACE $CLIENT_NAME -o jsonpath='{.data.client_secret}' | base64 --decode)"

4. Encode the client's credentials and export them as environment variables:

   Click to copy

   export ENCODED_CREDENTIALS=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64)

5. Get tokens to interact with secured resources using the client credentials flow:

   • Token with `read` scope
   • Token with `write` scope

Expose and secure your workload

Follow the instructions to expose an instance of the HttpBin service or a sample Function, and secure them with Oauth2 scopes.

CAUTION: When you secure a workload, don't create overlapping Access Rules for paths. Doing so can cause unexpected behavior and reduce the security of your implementation.

Access the secured resources

Follow the instructions to call the secured service or Functions using the tokens issued for the client you registered.

To learn more about the security options, read the document describing authorization configuration.