Expose and secure a workload with JWT

This tutorial shows how to expose and secure services or Functions using API Gateway Controller. The Controller reacts to an instance of the APIRule custom resource (CR) and creates an Istio VirtualService and Oathkeeper Access Rules according to the details specified in the CR. To access the secured workload, the tutorial uses a JSON Web Token (JWT) sent as a bearer token.

You can use it as a follow-up to the Set up a custom domain for a workload tutorial.

Prerequisites

This tutorial is based on a sample HttpBin service deployment and a sample Function. To deploy or create them, follow the Create a workload tutorial. To obtain a JWT, see the Get a JWT tutorial.

Expose, secure, and access your workload

  1. Export the following values as environment variables:

    export DOMAIN_TO_EXPOSE_WORKLOADS={DOMAIN_NAME}
    export GATEWAY=$NAMESPACE/httpbin-gateway

    NOTE: DOMAIN_NAME is the domain that you own, for example, api.mydomain.com. If you don't want to use your custom domain, replace DOMAIN_NAME with a Kyma domain and $NAMESPACE/httpbin-gateway with Kyma's default Gateway, kyma-system/kyma-gateway.

  1. Expose the service and secure it by creating an APIRule CR in your Namespace. Run:

    cat <<EOF | kubectl apply -f -
    apiVersion: gateway.kyma-project.io/v1beta1
    kind: APIRule
    metadata:
      name: httpbin
      namespace: $NAMESPACE
    spec:
      host: httpbin.$DOMAIN_TO_EXPOSE_WORKLOADS
      service:
        name: httpbin
        port: 8000
      gateway: $GATEWAY
      rules:
        - accessStrategies:
            - handler: jwt
              config:
                jwks_urls:
                  - $JWKS_URI
          methods:
            - GET
          path: /.*
    EOF

    NOTE: JWKS_URI must point to the JSON Web Key Set endpoint of the identity provider that issued your token. The jwt handler fetches the signing keys from this URL and verifies each token's signature against them, so use an https URL so that the key set cannot be tampered with in transit. The rule above accepts only GET requests; any other method is rejected.

    NOTE: If you are running Kyma on k3d, add httpbin.kyma.local to the entry with k3d IP in your system's /etc/hosts file.

  1. To access the secured service, call it with the JWT as a bearer token:

    curl -ik https://httpbin.$DOMAIN_TO_EXPOSE_WORKLOADS/headers -H "Authorization: Bearer $ACCESS_TOKEN"

    This call returns a 200 response. Repeating the call without the Authorization header returns a 401 response, because the jwt access strategy rejects requests that carry no valid token. Note that -k disables TLS certificate verification; use it only against a test cluster whose gateway certificate your client does not trust yet.
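The three steps above, collected into one shell script as an added example that is not part of the Kyma documentation or the API Gateway project. It renders the APIRule from the tutorial's environment variables (refusing to emit a manifest whose JWKS URL is missing or not https), and smoke-tests the exposed endpoint: the call with the JWT must return 200 and the call without it must be rejected with 401. It assumes NAMESPACE, DOMAIN_TO_EXPOSE_WORKLOADS, GATEWAY, JWKS_URI and ACCESS_TOKEN are exported as in the steps; the function and variable names are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the Kyma documentation or the API Gateway project.
# Renders the tutorial's APIRule with sanity checks and smoke-tests the
# exposed workload. Assumes NAMESPACE, DOMAIN_TO_EXPOSE_WORKLOADS, GATEWAY,
# JWKS_URI and ACCESS_TOKEN are exported as in the steps above.

# Print the APIRule manifest on stdout. Refuses to render when JWKS_URI is
# unset or not an https:// URL: Oathkeeper fetches the token-signing keys from
# this URL, so a plaintext URL would let anyone on the path serve their own
# keys and mint tokens the gateway accepts.
apirule_manifest() {
  for v in NAMESPACE DOMAIN_TO_EXPOSE_WORKLOADS GATEWAY; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v must be set" >&2; return 1; }
  done
  case "${JWKS_URI:-}" in
    https://*) ;;
    *) echo "JWKS_URI must be an https:// URL, got '${JWKS_URI:-<unset>}'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: gateway.kyma-project.io/v1beta1
kind: APIRule
metadata:
  name: httpbin
  namespace: $NAMESPACE
spec:
  host: httpbin.$DOMAIN_TO_EXPOSE_WORKLOADS
  service:
    name: httpbin
    port: 8000
  gateway: $GATEWAY
  rules:
    - accessStrategies:
        - handler: jwt
          config:
            jwks_urls:
              - $JWKS_URI
      methods:
        - GET
      path: /.*
EOF
}

# Return the numeric status code from the first line of a `curl -i` response,
# e.g. "HTTP/2 200" or "HTTP/1.1 401 Unauthorized" (CRLF line endings tolerated).
status_of() {
  printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# GET a URL, optionally with a bearer token, and print only the status code.
# -k is kept because the tutorial targets clusters with self-signed certs;
# drop it once the gateway serves a certificate your CA bundle trusts.
fetch_status() {
  url=$1
  token=${2:-}
  if [ -n "$token" ]; then
    status_of "$(curl -sik -H "Authorization: Bearer $token" "$url")"
  else
    status_of "$(curl -sik "$url")"
  fi
}

# Smoke test for the exposed workload: 200 with the token, 401 without it
# (Oathkeeper rejects the request when the jwt authenticator fails).
smoke_test() {
  url="https://httpbin.${DOMAIN_TO_EXPOSE_WORKLOADS}/headers"
  with_token=$(fetch_status "$url" "$ACCESS_TOKEN")
  no_token=$(fetch_status "$url")
  echo "with token: $with_token, without token: $no_token"
  [ "$with_token" = 200 ] && [ "$no_token" = 401 ]
}

# Usage against a real cluster, after sourcing this file:
#   apirule_manifest | kubectl apply -f -
#   smoke_test
```

Source the file rather than executing it, then pipe apirule_manifest into kubectl and run smoke_test once the APIRule reports a ready status. If the call without a token also returns 200, the request is not passing through the Oathkeeper rule at all (for example, the host or gateway in the APIRule does not match the hostname you are calling), which is exactly the misconfiguration the negative check is there to catch.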