tyk-mixer-adapter

v0.0.0-...-08357c7
Published: Feb 10, 2020 License: MPL-2.0

Custom Istio Mixer Authorization Adapter For Policy Enforcement Using Tyk API Gateway

How it works

This is an adapter for the Istio Mixer component which invokes the Tyk Istio Mixer Adapter.

Tyk API Gateways can then define access control, rate limiting and quotas for several different authentication scenarios, based on user-defined headers and other mesh information passed to the adapter by Mixer.

Istio Prerequisites

Note, in istio-1.1, policy checks are disabled.

While setting up the cluster using the instructions above, set the value

--set global.disablePolicyChecks=false

Tyk Prerequisites

  • Install the Tyk Deployment you need into k8s using our Official Helm Charts

  • Using the Tyk Dashboard import functionality or the REST API, define APIs in Tyk that map to the service names in your Istio cluster. For example, when deploying the Istio helloworld app the service name is helloworld. Therefore, there must be an API loaded into Tyk with that listen path, i.e. http(s)://{GATEWAY_SERVICE}:8080/helloworld/

There are two example definitions in the samples folder of this repository. They set up an externally facing API listening on helloworld that routes internally to a second API, which returns a mock response when it is successfully called via the external API. We don't use a mock response in the first API, as that would prevent collecting analytics data for that API.

If the public facing API is accessed with a key that is unauthorized/rate limited or quota limited then the relevant response code will be returned. If the auth/rl/q step is successful then the internal API returns a 200 code (this is configurable on the mock response middleware).
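The check described above, sketched as an added Go example (not the adapter's own code): it validates the service name, builds the listen-path URL, forwards the key to the gateway and denies on every failure path. The function names, the use of the Authorization header, the status-to-code mapping and the fake gateway are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"time"
)

// Service names must be DNS labels, so a crafted name cannot reach another listen path.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)
var codes = map[int]string{200: "OK", 401: "UNAUTHENTICATED", 429: "RESOURCE_EXHAUSTED"} // assumed mapping

// Check (hypothetical helper) asks Tyk to authorize a call; every failure path denies (fail closed).
func Check(gateway, service, auth string) string {
	if !dnsLabel.MatchString(service) {
		return "PERMISSION_DENIED"
	}
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(gateway, "/")+"/"+service+"/", nil)
	if err != nil {
		return "UNAVAILABLE"
	}
	req.Header.Set("Authorization", auth) // header forwarded from the mesh request
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Do(req)
	if err != nil {
		return "UNAVAILABLE" // gateway unreachable or timed out: not allowed
	}
	defer resp.Body.Close()
	if code, ok := codes[resp.StatusCode]; ok {
		return code
	}
	return "PERMISSION_DENIED" // 403 and any unexpected status
}

func fakeTyk() *httptest.Server { // constructed stand-in gateway: one API, one valid key
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/helloworld/" || r.Header.Get("Authorization") != "constructed-key" {
			w.WriteHeader(http.StatusForbidden)
		}
	}))
}

func main() {
	gw := fakeTyk()
	defer gw.Close()
	fmt.Println(Check(gw.URL, "helloworld", "constructed-key"), Check(gw.URL, "helloworld", "wrong-key"))
}
```

Only a result of OK should let the request through; UNAVAILABLE is returned when the gateway cannot be reached, so an outage never turns into an implicit allow.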

Running the Adapter

Apply the adapter service config:

apiVersion: v1
kind: Service
metadata:
  name: tykgrpcadapterservice
  namespace: istio-system
  labels:
    app: tykgrpcadapter
spec:
  type: ClusterIP
  ports:
    - name: grpc
      protocol: TCP
      port: 9999
      targetPort: 9999
  selector:
    app: tykgrpcadapter
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: tykgrpcadapter
  namespace: istio-system
  labels:
    app: tykgrpcadapter
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: tykgrpcadapter
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
        - name: tykgrpcadapter
          image: joshtyk/tyk-istio-adapter:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 9999

kubectl apply -f adapter_service.yaml

Adapter configuration

TODO

Deploy configuration state for the adapter to Istio

Please make sure you have an Istio cluster set up and running the sample helloworld or BookInfo app.

First, set up the attribute maps and deploy them from the cloned repo:

kubectl apply -f testdata/attributes.yaml -f testdata/template.yaml

Deploy the state for the adapter:

kubectl apply -f testdata/tykgrpcadapter.yaml

Deploy the config:

kubectl apply -f testdata/sample_operator_cfg.yaml

You should now see a connection established in the Mixer logs:

$ kubectl -n istio-system logs $(kubectl -n istio-system get pods -lapp=mixer -o jsonpath='{.items[0].metadata.name}') -c mixer
2020-01-28T17:59:49.249312Z	info	grpcAdapter	Connected to: tykgrpcadapterservice:5000
2020-01-28T17:59:49.249312Z	info	ccResolverWrapper: sending new addresses to cc: [{tykgrpcadapterservice:5000 0  <nil>}]
2020-01-28T17:59:49.249312Z	info	ClientConn switching balancer to "pick_first"
2020-01-28T17:59:49.249312Z	info	pickfirstBalancer: HandleSubConnStateChange: 0xc4211e2cb0, CONNECTING
2020-01-28T17:59:49.249312Z	info	pickfirstBalancer: HandleSubConnStateChange: 0xc4211e2cb0, READY

Validate things are working

  1. Check the Tyk Dashboard for analytics data relating to the calls to the APIs you set up.
  2. Check the adapter logs for the codes returned from Tyk and for details about which endpoints the adapter is trying to call in Tyk.


Directories

Path Synopsis
pkg
cmd
