The following instructions are taken from the quickstart repository here; please refer to that repo for issues and further assistance.
- Select the GCP project to install Apigee hybrid
export PROJECT_ID=xxx
gcloud config set project $PROJECT_ID
gcloud auth login
gcloud auth application-default login
- The following environment variables are set by default, export them to override the default values if needed.
# GCP region and zone for the runtime
export REGION='us-west1'
export ZONE='us-west1-a,us-west1-b,us-west1-c'
# Networking
export NETWORK='apigee-hybrid'
export SUBNET='apigee-us-west1'
# Runtime GKE cluster
export GKE_CLUSTER_NAME='apigee-hybrid'
export GKE_CLUSTER_MACHINE_TYPE='e2-standard-4'
# Apigee Env Config
export ENV_NAME='env'
export ENV_GROUP_NAME='envgroup'
After the configuration is done, run the following command to initialize your Apigee hybrid organization and runtime. This typically takes between 15 and 20 minutes.
infra/initialize-runtime-gke.sh
- Apigee hybrid config files are generated at infra/hybrid-files/overrides.yaml
- This example needs Consul version > 1.16 to work
export CONSUL_LICENSE="paste-your-consul-license-here"
kubectl create ns consul
kubectl create secret generic consul-enterprise-license --from-literal=key="$CONSUL_LICENSE" -n consul
helm install consul hashicorp/consul --namespace consul --values consul/values.yaml
- (Optional step) Alternatively, use the consul-k8s CLI to install Consul
brew install consul-k8s # change based on the OS
kubectl create ns consul
kubectl create secret generic consul-enterprise-license --from-literal=key="$CONSUL_LICENSE" -n consul
consul-k8s install -namespace consul -f consul/values.yaml
- Ensure Consul services are healthy
kubectl get pods -n consul
The following instructions are taken from this guide; please refer to it for issues and further assistance.
- Configure the Apigee Remote service with auto injector
infra/apigee-remote.sh
- Create consul intention between curl and httpbin
kubectl apply -f consul/intentions.yaml
- Ping the httpbin service from curl service
kubectl exec -it deployment/curl -- /bin/sh
curl -i httpbin.default.svc.cluster.local/headers
- The response should be HTTP/1.1 200 OK
HTTP/1.1 200 OK
server: envoy
date: Thu, 99 XX 20XX XX:XX:XX GMT
content-type: application/json
content-length: 2225
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 28
{
"headers": {
"Accept": "*/*",
"Host": "httpbin.default.svc.cluster.local",
"User-Agent": "curl/8.2.0",
"X-Envoy-Auth-Failure-Mode-Allowed": "true",
"X-Envoy-Expected-Rq-Timeout-Ms": "15000",
"X-Forwarded-Client-Cert": "--cert-redacted--"
}
}
- Apply the ext_authz filter to the httpbin service
kubectl apply -f consul/ext_authz.yaml
- (Optional) To debug, port-forward, visit localhost:19000, click config_dump, and search for 'ext_authz'
kubectl port-forward deployment/httpbin 19000
- Ping the httpbin service from curl service again
kubectl exec -it deployment/curl -- /bin/sh
curl -i httpbin.default.svc.cluster.local/headers
- The response should be HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
date: Thu, 99 XX 20XX XX:XX:XX GMT
server: envoy
content-length: 0
x-envoy-upstream-service-time: 3
- After pinging again with the API key generated from Apigee (follow the guide here), the response should include the Apigee headers
NOTE: There might be a delay after creating the API key of ~2 mins.
curl -i httpbin.default.svc.cluster.local/headers -H "x-api-key: developer_client_key_goes_here"
HTTP/1.1 200 OK
server: envoy
date: Thu, 99 XX 20XX XX:XX:XX GMT
content-type: application/json
content-length: 2727
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 22
{
"headers": {
"Accept": "*/*",
"Host": "httpbin.default.svc.cluster.local",
"User-Agent": "curl/8.2.0",
"X-Api-Key": "developer_client_key_goes_here",
"X-Apigee-Accesstoken": "",
"X-Apigee-Api": "httpbin.default.svc.cluster.local",
"X-Apigee-Apiproducts": "httpbin-product",
"X-Apigee-Application": "httpbin-app",
"X-Apigee-Authorized": "true",
"X-Apigee-Clientid": "developer_client_key_goes_here",
"X-Apigee-Developeremail": "[email protected]",
"X-Apigee-Environment": "env",
"X-Apigee-Organization": "GCP_ORG_ID",
"X-Apigee-Scope": "",
"X-Envoy-Expected-Rq-Timeout-Ms": "15000",
"X-Forwarded-Client-Cert": "--cert-redacted--"
}
}
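The three outcomes above (200 before enforcement, 403 without a key, 200 with Apigee headers) can be told apart mechanically. The script below is an added example, not part of the quickstart repository: it classifies a saved `curl -i` capture and also flags a 200 that got through only because ext_authz failed open. The function names and the sample captures are constructed for illustration.

```shell
#!/bin/sh
# Print the HTTP status code from the status line of a `curl -i` capture.
status_of() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }'
}

# Print the value of a request header echoed back in the httpbin JSON body.
echoed_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[[:space:]]*"'"$2"'":[[:space:]]*"\(.*\)",\{0,1\}[[:space:]]*$/\1/p' |
        head -n 1
}

# Classify a capture: denied | authorized | fail-open | unenforced | unexpected
classify_response() {
    code=$(status_of "$1")
    if [ "$code" = "403" ]; then
        echo denied        # ext_authz rejected the request
    elif [ "$code" != "200" ]; then
        echo unexpected
    elif [ "$(echoed_header "$1" X-Apigee-Authorized)" = "true" ]; then
        echo authorized    # Apigee accepted the key and added its headers
    elif [ "$(echoed_header "$1" X-Envoy-Auth-Failure-Mode-Allowed)" = "true" ]; then
        # Envoy can add this header when failure_mode_allow passed the request
        # because the authorization service was unreachable or errored.
        echo fail-open
    else
        echo unenforced    # reached httpbin with no authorization decision
    fi
}

# Constructed sample captures, modelled on the responses shown on this page.
SAMPLE_DENIED='HTTP/1.1 403 Forbidden
server: envoy
content-length: 0'
SAMPLE_AUTHORIZED='HTTP/1.1 200 OK
server: envoy

{"headers": {
    "X-Api-Key": "developer_client_key_goes_here",
    "X-Apigee-Authorized": "true",
    "X-Forwarded-Client-Cert": "--cert-redacted--"
}}'
SAMPLE_FAIL_OPEN='HTTP/1.1 200 OK
server: envoy

{"headers": {
    "X-Envoy-Auth-Failure-Mode-Allowed": "true"
}}'
for r in "$SAMPLE_DENIED" "$SAMPLE_AUTHORIZED" "$SAMPLE_FAIL_OPEN"; do classify_response "$r"; done
```

A `fail-open` or `unenforced` result for a request sent without a key means the API key check is not protecting httpbin, even though the call returned 200.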
This tool includes a script to automatically clean up the Apigee hybrid runtime resources (without deleting the Apigee Organization).
infra/destroy-runtime-gke.sh