feat: add support for externalized consumers #7657
Conversation
✅ Deploy Preview for kongdocs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
jschmid1
added
the
do not merge
Guaris
added
the
review:general
| - geo: null | ||
| id: null |
There was a problem hiding this comment.
geo and id should be optional (default null) imo
|
|
||
| -- Dummy/Link that points to Konnect Docs when ready. | ||
|
|
||
| With the `pool_id` you obtained from the previous step, you can configure the key-auth plugin to validate API keys against the Identity Service. |
There was a problem hiding this comment.
@jschmid1 where does the pool_id come from? Konnect?
| @@ -0,0 +1,71 @@ | |||
| --- | |||
| nav_title: | |||
| title: How to configure pools | |||
| --- | ||
|
|
||
|
|
||
| With `pool_id` you can configure the key-auth plugin to validate API keys against the Identity Service. |
|
|
||
| With `pool_id` you can configure the key-auth plugin to validate API keys against the Identity Service. | ||
|
|
||
| ### Configuring Multiple Pools |
|
|
||
| ### Configuring Multiple Pools | ||
|
|
||
| In the key-auth plugin configuration, add the `pools` option as shown below: |
| In the key-auth plugin configuration, add the `pools` option as shown below: | ||
|
|
||
| ```yaml | ||
| pools: |
There was a problem hiding this comment.
change to "identity_realms"
| type: remote | ||
| ``` | ||
|
|
||
| In this configuration, the dataplane will initially check the local pool (LMDB) before querying the remote Identity Service. |
There was a problem hiding this comment.
cp-scoped consumers first
|
|
||
| In this configuration, the dataplane will initially check the local pool (LMDB) before querying the remote Identity Service. | ||
|
|
||
| If a matching key is found in any of these pools, the request will be authenticated. If the key is not found in any of the configured pools, the request will be blocked. |
|
|
||
| If a matching key is found in any of these pools, the request will be authenticated. If the key is not found in any of the configured pools, the request will be blocked. | ||
|
|
||
| ### Configuring Single Pools |
|
|
||
| ### Configuring Single Pools | ||
|
|
||
| It is also possible to configure only a single pool, either local or remote. However, only one of each type can be configured. |
There was a problem hiding this comment.
change pool to realm
change "either local or remote" to "consumers can be scoped to the geo or cp".
|
|
||
| It is also possible to configure only a single pool, either local or remote. However, only one of each type can be configured. | ||
|
|
||
| To configure only a remote pool: |
There was a problem hiding this comment.
change "remote pool" to "realm"
Testing edit function
Updated the terminology used for realms and the yaml file examples
…in to add realms section Signed-off-by: Diana <[email protected]>
|
@brentos Hi! I just wanted to let you know I'll be working on external consumers and I just added some changes to the PR, including a new Konnect page that explains what they are and how to configure them, as well as a revised section to key auth. I had a few questions while I was working on it:
|
Signed-off-by: Diana <[email protected]>
Signed-off-by: Diana <[email protected]>
|
Broken sales link was a false failure, I manually approved link validation for now |
Signed-off-by: Diana <[email protected]>
|
@smritikjaggi and @brentos The externalized consumers pages are ready for review if you have the chance to look them over: |
app/konnect/centralized-consumers.md
Outdated
|
|
||
| The following diagram shows how you can configure centralized Consumers in realms as well as scope Consumers to a Control Plane: | ||
|
|
||
| <!--vale off --> |
There was a problem hiding this comment.
I don't really understand what this diagram is showing me.
For example:
Consumer: Ira
Consumer Groups: Gold for appointments
Does this consumer only have access to the appointments control plane? Or does it have access to both control planes, but since the consumer group Gold only exists on appointments, it can only access appointments? Or something else?
Are control planes located inside realms, or alongside them?
app/konnect/centralized-consumers.md
Outdated
| * The Consumer identity can be setup centrally instead of being defined across multiple control planes. | ||
| * Share Consumers across multiple control planes. Users don't need to replicate changes to Consumer identity in multiple control planes and Consumer configuration doesn't conflict. | ||
| * Reduces configuration sync issues between the control plane and the dataplane. Centralized Consumers aren't part of the configuration that is pushed down from the control plane to the dataplane, so it reduces config size and latency. | ||
|
|
There was a problem hiding this comment.
Maybe add the required Gateway version here as a note, somewhere.
| * **Realm is listed first:** The dataplane will first reach out to the realm. If the API key is not found in the realm, the dataplane will look for the API key in the control plane config. | ||
| * **Control Plane scope listed first:** The dataplane will initially check the control plane configuration (LMDB) for the API key before looking up the API Key in the realm. | ||
| * **Realm isn't associated with a control plane:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the dataplane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked. | ||
| * **Realm is only associated with a Control Plane:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the dataplane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked. |
There was a problem hiding this comment.
| * **Realm is listed first:** The dataplane will first reach out to the realm. If the API key is not found in the realm, the dataplane will look for the API key in the control plane config. | |
| * **Control Plane scope listed first:** The dataplane will initially check the control plane configuration (LMDB) for the API key before looking up the API Key in the realm. | |
| * **Realm isn't associated with a control plane:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the dataplane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked. | |
| * **Realm is only associated with a Control Plane:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the dataplane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked. | |
| * **Realm is listed first:** The data plane will first reach out to the realm. If the API key is not found in the realm, the data plane will look for the API key in the control plane config. | |
| * **Control Plane scope listed first:** The data plane will initially check the control plane configuration (LMDB) for the API key before looking up the API Key in the realm. | |
| * **Realm isn't associated with a control plane:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the data plane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked. | |
| * **Realm is only associated with a Control Plane:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the data plane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked. |
Should this info actually be on the Konnect page instead, except genericized to "credentials" instead of "API key"?
app/konnect/centralized-consumers.md
Outdated
| <!--vale off --> | ||
| {% mermaid %} | ||
| flowchart TD | ||
| A(Consumer: Cruz<br>Consumer Groups: Gold for appointments, Silver for billing) |
There was a problem hiding this comment.
Each consumer can be in multiple consumer groups, but you can't scope the consumer group to a service.
If billing respected the Gold group, then Cruz would be Gold for billing too.
app/konnect/centralized-consumers.md
Outdated
| * {region}: Region for your {{site.konnect_short_name}} instance. | ||
| * $KONNECT_TOKEN: Replace with your {{site.konnect_short_name}} personal access token. | ||
| * $CONTROL_PLANE_UUID: (Optional) Replace with your Control Plane UUID. | ||
| * `ttl` and `negative_ttl`: (Optional) Time-to-live in minutes of the consumer or negative consumer for this realm in the {{site.base_gateway}} cache. |
There was a problem hiding this comment.
What's a negative consumer? I don't think that this is what negative_ttl means. @zekth can you help us out here?
There was a problem hiding this comment.
there's no concept of negative_consumer. negative_ttl represents the TTL of a bad login cache entry. Meaning api key foobar is sent to the gateway; gateway reaches the service to authenticate it; if it fails the api key foobar will be labelled as non working in gateway cache to the time of the TTL. During that time it won't try to reache the authentication server.
app/konnect/centralized-consumers.md
Outdated
| * $KONNECT_TOKEN: Replace with your {{site.konnect_short_name}} personal access token. | ||
| * {realmId}: The ID of the realm you created previously. | ||
| * $CONSUMER_NAME: Replace with the name of the consumer. | ||
| * $CONSUMER_GROUP: (Optional) Replace with the name of the consumer groups you want to associate with the consumer. |
There was a problem hiding this comment.
If I specify consumer_groups on a consumer does that replace consumer_groups from the realm, or are they added together?
If I specify consumer_groups: [] does that mean no consumer groups, or use the groups from the realm?
There was a problem hiding this comment.
This is additive here, I'll add that info to the doc.
| * **Realm isn't associated with a control plane:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the dataplane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked. | ||
| * **Realm is only associated with a Control Plane:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the dataplane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked. |
There was a problem hiding this comment.
| * **Realm isn't associated with a control plane:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the dataplane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked. | |
| * **Realm is only associated with a Control Plane:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the dataplane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked. | |
| * **Realm only:** You can also configure a single `identity_realms` by omitting the `scope: cp` from the example. In this case, the dataplane will only attempt to authenticate API keys against the realm. If the API key isn't found, the request will be blocked. | |
| * **Control Plane only:** You can configure a look up only in the control plane config by only specifying `scope: cp` for `identity_realms`. In this scenario, the dataplane will only check the control plane configuration (LMDB) for API key authentication. If the API key isn't found, the request will be blocked. |
| @@ -287,19 +295,55 @@ Response: | |||
| } | |||
| ``` | |||
|
|
|||
| {% if_version gte: 3.10.x %} | |||
|
|
|||
| ## Configure realms for centralized Consumers in {{site.konnect_short_name}} | |||
There was a problem hiding this comment.
Should this be an example rather than on the overview?
There was a problem hiding this comment.
Good point, I'll convert it to an example.
Co-authored-by: lena-larionova <[email protected]>
Signed-off-by: Diana <[email protected]>
cloudjumpercat
added
ci:manual-approve:link-validation
and removed
ci:manual-approve:link-validation
labels
Signed-off-by: Diana <[email protected]>
Description
Testing instructions
Preview link:
Checklist