TSB provides an authorization capability that can check every request coming to your service from a public network. This document describes how to configure Tier-1 Gateway authorization, using Open Policy Agent (OPA) as an example.
Before you get started, make sure you:
✓ Are familiar with TSB concepts.
✓ Have completed Tier-1 Gateway routing to Tier-2 Gateway with httpbin already configured in TSB.
✓ Have created a Tenant, and understand Workspaces and Config Groups.
tctl for your TSB environment.
The following diagram shows the request/response flow using OPA with Tier-1 Gateways. Every request that reaches the Tier-1 Gateway is checked by OPA. If OPA deems the request unauthorized, the gateway denies it with a 403 (Forbidden) response; otherwise the request is forwarded to the Tier-2 Gateways.
Follow the instructions in this document to create the httpbin service, and make sure the service is exposed at
For this example you will be deploying OPA as its own standalone service. Create a namespace for the OPA service, if you have not already done so:
kubectl create namespace opa
kubectl apply -f opa.yaml
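The page does not reproduce the policy inside opa.yaml, so the following is an added example of the kind of Rego policy OPA evaluates for each check the Tier-1 Gateway forwards; it is not the page's or Tetrate's own policy. It assumes OPA runs with its Envoy external-authorization plugin (decision path `envoy/authz/allow`), and the header name, token subjects and the `/status/200` carve-out are constructed for illustration.

```rego
# Constructed example policy for the Tier-1 Gateway external-authorization check.
# The gateway (Envoy) sends an ext_authz request; the OPA Envoy plugin exposes it
# as input.attributes.request.http. A false "allow" makes Envoy answer 403.
package envoy.authz

import input.attributes.request.http as http_request

# Deny by default: anything not explicitly allowed below is rejected with 403.
default allow = false

# Unauthenticated read-only health probe against httpbin is allowed.
allow {
    http_request.method == "GET"
    http_request.path == "/status/200"
}

# Every other request must carry a bearer token whose subject is allow-listed.
allow {
    allowed_subjects[token_subject]
}

# Constructed allow-list of token subjects (assumption, not from the page).
allowed_subjects := {"alice", "ci-bot"}

# Extract the JWT subject from "Authorization: Bearer <jwt>". Envoy lower-cases
# header names. io.jwt.decode only parses the token; a production policy must
# verify the signature with io.jwt.decode_verify and the issuer's key.
token_subject := payload.sub {
    parts := split(http_request.headers.authorization, " ")
    count(parts) == 2
    parts[0] == "Bearer"
    [_, payload, _] := io.jwt.decode(parts[1])
}
```

A decision can be checked locally before deploying with `opa eval -i input.json -d policy.rego "data.envoy.authz.allow"`, where input.json mimics the ext_authz request shape shown above.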
Then update your Tier-1 Gateway configuration in your OpenAPI spec by adding the following section to the Tier-1 Gateway, and use tctl to apply it:
- name: httpbin
You can test the external authorization by following the instructions in the "Configuring External Authorization in Ingress Gateways", except you need to obtain the Tier-1 Gateway IP address instead of the Ingress Gateway address.
To obtain the Tier-1 Gateway address, execute the following command:
kubectl -n tier1 get service tier1-gateway \
Then follow the instructions but replace the value for gateway-ip with the address of the Tier-1 Gateway.