Expose and secure a workload with JWT
This tutorial shows how to expose and secure services or Functions using API Gateway Controller. The Controller reacts to an instance of the APIRule custom resource (CR) and creates an Istio VirtualService and Oathkeeper Access Rules according to the details specified in the CR. To interact with the secured workloads, the tutorial uses a JWT token.
You can use it as a follow-up to the Set up a custom domain for a workload tutorial.
Prerequisites
This tutorial is based on a sample HttpBin service deployment and a sample Function. To deploy or create them, follow the Create a workload tutorial. To obtain JWT take a look at Get a JWT tutorial.
Expose, secure, and access your workload
- HttpBin
- Function
Export the following value as an environment variable:
Click to copyexport DOMAIN_TO_EXPOSE_WORKLOADS={DOMAIN_NAME}export GATEWAY=$NAMESPACE/httpbin-gatewayNOTE:
DOMAIN_NAMEis the domain that you own, for example, api.mydomain.com. If you don't want to use your custom domain, replaceDOMAIN_NAMEwith a Kyma domain and$NAMESPACE/httpbin-gatewaywith Kyma's default Gatewaykyma-system/kyma-gateway
Expose the service and secure it by creating an APIRule CR in your Namespace. Run:
Click to copycat <<EOF | kubectl apply -f -apiVersion: gateway.kyma-project.io/v1beta1kind: APIRulemetadata:name: httpbinnamespace: $NAMESPACEspec:host: httpbin.$DOMAIN_TO_EXPOSE_WORKLOADSservice:name: httpbinport: 8000gateway: $GATEWAYrules:- accessStrategies:- handler: jwtconfig:jwks_urls:- $JWKS_URImethods:- GETpath: /.*EOFNOTE: If you are running Kyma on k3d, add
httpbin.kyma.localto the entry with k3d IP in your system's/etc/hostsfile.
To access the secured service, call it using the JWT access token:
Click to copycurl -ik https://httpbin.$DOMAIN_TO_EXPOSE_WORKLOADS/headers -H "Authorization: Bearer $ACCESS_TOKEN"This call returns the code
200response.