Protecting a backend service

Overview

Goal
Configure the Microgateway to protect a simple backend service.
Notes
-

Preparation

Deploy the Kubernetes exercise

  1. Run the following commands:

     cd protecting-a-backend-service/exercise/
     kubectl apply -k .

  • The exercise has been deployed successfully.

The exercise does not contain any licenses. Therefore, Airlock Microgateway runs as Community Edition.

For more details see Features and support.

To run the exercise as Premium Edition, copy a valid license to .templates/microgateway/secret/microgateway.lic and execute kubectl apply -k . to re-deploy the Microgateway.

Instruction

Change the Microgateway configuration

  1. Connect to the website:
     • Open the URL in your browser: https://<MINIKUBE_IP>/
  2. Watch the logs of the Microgateway pod.

     Check the logs of the Microgateway configbuilder:

     kubectl logs -l app=microgateway -c configbuilder -f

     Follow the logs of the Microgateway runtime container:

     kubectl logs -l app=microgateway -c microgateway -f

     Follow the logs of the Microgateway runtime container and filter for interesting log messages. Mainly these are the log messages with the log_id WR-SG-SUMMARY and WR-SG-BLOCK. Under some circumstances, WR-SG-REJECT or WR-SG-BACK is also very interesting:

     kubectl logs -l app=microgateway -c microgateway -f | grep -iE "WR-SG-(SUMMARY|BLOCK|REJECT|BACK)"
  3. Check the following:
     • Did Airlock Microgateway receive the request?
     • Did Airlock Microgateway forward the request to the back-end service?

     The following should be noticed:
     • The request was received by Airlock Microgateway; the log message WR-SG-SUMMARY indicates that.
     • Without a back-end host configured in the config.yaml file, Airlock Microgateway connects to the default back-end, which is http://backend:8080.
     • The request is rejected by Airlock Microgateway because no back-end is reachable/available under this name (log message WR-SG-BACK-502).
  4. Find out the Kubernetes service name which should be protected by Microgateway.

     kubectl get svc

     The NAME of the Kubernetes service can be configured as back-end host in the Microgateway configuration.

  5. Edit Microgateway's configuration file.

     Edit the file config/config.yaml and configure the following settings for the mapping echoserver:
     • backend.name
     • backend.hosts[].name
     • backend.hosts[].protocol
     • backend.hosts[].port

     Use the (Microgateway) DSL reference to accomplish this task.

     The modified part of the config.yaml looks as follows:

         mappings:
           - name: echoserver
             ...
             ...
             backend:
               name: echoserver
               hosts:
                 - name: echoserver
                   protocol: http
                   port: 8080
  6. Apply the new configuration.

     After modifying the configuration file, apply the new configuration by running the following command:

     kubectl apply -k .
  7. Deploy the Microgateway with the new configuration.

     kubectl rollout restart deployment/microgateway

     A running Microgateway does not automatically reload the new configmap. The existing Microgateway pod must be killed; this way a new pod is deployed with the adapted configuration.

  8. Check the status of the Microgateway pod.

     List the Microgateway pods:

     kubectl get pod
     kubectl get pod -l app=microgateway

     Show Microgateway pod details:

     kubectl describe pod -l app=microgateway

     Once the pod is ready to process requests, the output of the kubectl describe command shows that the pod is ready:

     ...
     Conditions:
       Type              Status
       Initialized       True
       Ready             True
       ContainersReady   True
       PodScheduled      True
     ...
  9. Connect to the website:
     • Open the URL in your browser: https://<MINIKUBE_IP>/

     The web application should be reachable from the browser.
  10. Watch the logs of the Microgateway pod.

     Check the logs of the Microgateway configbuilder:

     kubectl logs -l app=microgateway -c configbuilder -f

     Follow the logs of the Microgateway runtime container:

     kubectl logs -l app=microgateway -c microgateway -f

     Follow the logs of the Microgateway runtime container and filter for interesting log messages. Mainly these are the log messages with the log_id WR-SG-SUMMARY and WR-SG-BLOCK. Under some circumstances, WR-SG-REJECT or WR-SG-BACK is also very interesting:

     kubectl logs -l app=microgateway -c microgateway -f | grep -iE "WR-SG-(SUMMARY|BLOCK|REJECT|BACK)"

     The log message WR-SG-SUMMARY with the key action:allowed indicates that the request has successfully proceeded.
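As an added example (not part of the Airlock tutorial or its exercise files), the following POSIX shell script counts the log messages named in steps 3 and 10 by log_id, so a batch of runtime logs can be checked for the WR-SG-BACK-502 failure mode and for allowed requests without reading every line. The sample lines are constructed: only the log_id values and the action:allowed key come from the tutorial; the rest of each line's format is assumed.

```shell
#!/bin/sh
# Added example, not part of the Airlock tutorial. Summarizes Microgateway
# runtime log lines by log_id. Only the tokens WR-SG-SUMMARY, WR-SG-BLOCK,
# WR-SG-REJECT, WR-SG-BACK-502 and the key action:allowed come from the
# tutorial; every other field in the sample lines is CONSTRUCTED.

# Reads log lines on stdin and prints four counts on one line:
#   <allowed> <blocked> <rejected> <backend-502>
# allowed  = WR-SG-SUMMARY lines with action:allowed (request reached the back-end)
# blocked  = WR-SG-BLOCK lines
# rejected = WR-SG-REJECT lines
# backend  = WR-SG-BACK-502 lines (no back-end reachable under the configured name)
summarize_mgw_logs() {
    awk '
        /WR-SG-SUMMARY/ && /action:allowed/ { allowed++ }
        /WR-SG-BLOCK/                        { blocked++ }
        /WR-SG-REJECT/                       { rejected++ }
        /WR-SG-BACK-502/                     { backend++ }
        END { printf "%d %d %d %d\n", allowed, blocked, rejected, backend }
    '
}

# Exit status 0 only when no request ended in WR-SG-BACK-502, i.e. the
# back-end host in config.yaml was reachable (the step 3 failure mode is absent).
backend_reachable() {
    set -- $(summarize_mgw_logs)
    [ "$4" -eq 0 ]
}

# Constructed sample: line 2 is what step 3 observes before the back-end host
# is configured; lines 1 and 3 are what a configured Microgateway might log.
sample_logs() {
    cat <<'EOF'
WR-SG-SUMMARY log_id:WR-SG-SUMMARY action:allowed method:GET path:/ status:200
WR-SG-BACK-502 log_id:WR-SG-BACK-502 backend:http://backend:8080 msg:"no back-end reachable"
WR-SG-BLOCK log_id:WR-SG-BLOCK action:blocked method:GET path:/
WR-SG-SUMMARY log_id:WR-SG-SUMMARY action:blocked method:GET path:/ status:400
INFO log_id:OTHER-0001 msg:"unrelated line"
EOF
}

# Stand-alone run on the constructed sample. Against a live cluster use:
#   kubectl logs -l app=microgateway -c microgateway | summarize_mgw_logs
sample_logs | summarize_mgw_logs    # prints: 1 1 0 1
```

Piping the live `kubectl logs` output (without `-f`) into backend_reachable gives a one-shot check after step 7 that the new back-end host is actually resolvable; a non-zero exit means the WR-SG-BACK-502 condition from step 3 is still present.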

Cleanup

Delete Kubernetes resources from previous exercises or solutions

  1. Run the following command:

     kubectl delete all,ing,cm,secrets,pv,pvc,sa,roles,rolebindings,clusterroles,clusterrolebindings -l purpose=microgateway-tutorial

  • All relevant Kubernetes resources in the namespace have been deleted successfully.