juzhiyuan commented on code in PR #1018: URL: https://github.com/apache/apisix-ingress-controller/pull/1018#discussion_r881262338
########## docs/en/latest/practices/enable-authentication-and-restriction.md: ########## @@ -121,7 +224,7 @@ spec: EOF ``` -ApisixRoute: +* Creates a ApisixRoute, and enable plugin `key-auth`: Review Comment: ```suggestion * Creates an ApisixRoute, and enables plugin `key-auth`: ``` ########## docs/en/latest/practices/enable-authentication-and-restriction.md: ########## 
@@ -29,34 +29,126 @@ Consumers are used for the authentication method controlled by Apache APISIX, if ### Authentication -#### [`keyAuth`](https://apisix.apache.org/docs/apisix/plugins/key-auth/) +#### Key Auth -Consumers add their key either in a header `apikey` to authenticate their requests. +Consumers add their key either in a header or query string parameter to authenticate their requests. For more information about `Key Auth`, please refer to [APISIX key-auth plugin](https://apisix.apache.org/docs/apisix/plugins/key-auth/). +Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object). + +<details> + <summary>Key Auth yaml configure</summary> ```yaml -keyAuth: - value: - key: ${key} +apiVersion: apisix.apache.org/v2beta3 +kind: ApisixConsumer +metadata: + name: ${name} +spec: + authParameter: + keyAuth: + value: + key: ${key} #required ``` -#### [`basicAuth`](https://apisix.apache.org/docs/apisix/plugins/basic-auth/) +</details> + +#### Basic Auth -Consumers add their key either in a header `Authentication` to authenticate their requests. +Consumers add their key in a header to authenticate their requests. For more information about `Basic Auth`, please refer to [APISIX basic-auth plugin](https://apisix.apache.org/docs/apisix/plugins/basic-auth/). +Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object). 
+ +<details> + <summary>Basic Auth yaml configure</summary> ```yaml -basicAuth: - value: - username: ${username} - password: ${password} +apiVersion: apisix.apache.org/v2beta3 +kind: ApisixConsumer +metadata: + name: ${name} +spec: + authParameter: + basicAuth: + value: + username: ${username} #required + password: ${password} #required +``` + +</details> + +#### JWT Auth + +The consumer then adds its key to the query string parameter, request header, or cookie to verify its request. For more information about `JWT Auth`, please refer to [APISIX jwt-auth plugin](https://apisix.apache.org/docs/apisix/plugins/jwt-auth/). +Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object). + +:::note Need to expose API +This plugin will add `/apisix/plugin/jwt/sign` to sign. You may need to use `public-api` plugin to expose it. +::: + +<details> + <summary>JWT Auth yaml configure</summary> + +```yaml +apiVersion: apisix.apache.org/v2beta3 +kind: ApisixConsumer +metadata: + name: ${name} +spec: + authParameter: + wolfRbac: + value: + key: "${key}" #required + secret: "${secret}" #optional + public_key: "${public_key}" #optional, required when algorithm attribute selects RS256 algorithm. + private_key: "{private_key}" #optional, required when algorithm attribute selects RS256 algorithm. + algorithm: "${HS256 | HS512 | RS256}" #optional + exp: ${ 86400 | token's expire time, in seconds} #optional + algorithm: ${true | false} #optional +``` + +</details> + +#### `Wolf RBAC` + +To use wolfRbac authentication, you need to start and install [wolf-server](https://github.com/iGeeky/wolf/blob/master/quick-start-with-docker/README.md). 
For more information about `Wolf RBAC`, please refer to [APISIX wolf-rbac plugin](https://apisix.apache.org/zh/docs/apisix/plugins/wolf-rbac/). +Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object). + +:::note This plugin will add several API Review Comment: ```suggestion :::note This plugin will add several APIs ``` ########## docs/en/latest/practices/enable-authentication-and-restriction.md: ########## 
@@ -146,10 +249,183 @@ spec: EOF ``` -Requests from foo: +* Requests from foo: ```shell -kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: local.httpbin.org' -H 'apikey:foo-key' -i +kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i +``` + +```shell +HTTP/1.1 200 OK +... +``` + +##### Key Auth reference Secret object + +<details> + <summary>ApisixRoute with keyAuth consumer using secret example</summary> + +* Creates a `Secret` object: + +```shell +kubectl apply -f - <<EOF +apiVersion: v1 +kind: Secret +metadata: + name: foovalue +data: + key: Zm9vLWtleQ== +EOF +``` + +* Creates a ApisixConsumer and reference `Secret` object: + +```shell +kubectl apply -f - <<EOF +apiVersion: apisix.apache.org/v2beta3 +kind: ApisixConsumer +metadata: + name: foo +spec: + authParameter: + keyAuth: + secretRef: + name: foovalue +EOF +``` + +* Creates a ApisixRoute, and enable plugin `key-auth`: + +```shell +kubectl apply -f - <<EOF +apiVersion: apisix.apache.org/v2beta3 +kind: ApisixRoute +metadata: + name: httpserver-route +spec: + http: + - name: rule1 + match: + hosts: + - httpbin.org + paths: + - /* + backends: + - serviceName: httpbin + servicePort: 80 + authentication: + enable: true + type: keyAuth +EOF +``` + +* Requests from foo: + +```shell +kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i +``` + +```shell +HTTP/1.1 200 OK +... +``` + +</details> + +#### Enable `JWT Auth` + +* Creates a ApisixConsumer, and set the attributes of plugin `jwt-auth`: Review Comment: ```suggestion * Creates an ApisixConsumer, and set the attributes of plugin `jwt-auth`: ``` ########## docs/en/latest/practices/enable-authentication-and-restriction.md: ########## 
@@ -146,10 +249,183 @@ spec: EOF ``` -Requests from foo: +* Requests from foo: ```shell -kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: local.httpbin.org' -H 'apikey:foo-key' -i +kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i +``` + +```shell +HTTP/1.1 200 OK +... +``` + +##### Key Auth reference Secret object + +<details> + <summary>ApisixRoute with keyAuth consumer using secret example</summary> + +* Creates a `Secret` object: + +```shell +kubectl apply -f - <<EOF +apiVersion: v1 +kind: Secret +metadata: + name: foovalue +data: + key: Zm9vLWtleQ== +EOF +``` + +* Creates a ApisixConsumer and reference `Secret` object: Review Comment: ```suggestion * Creates an ApisixConsumer and reference `Secret` object: ``` ########## docs/en/latest/practices/enable-authentication-and-restriction.md: ########## 
@@ -146,10 +249,183 @@ spec: EOF ``` -Requests from foo: +* Requests from foo: ```shell -kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: local.httpbin.org' -H 'apikey:foo-key' -i +kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i +``` + +```shell +HTTP/1.1 200 OK +... +``` + +##### Key Auth reference Secret object + +<details> + <summary>ApisixRoute with keyAuth consumer using secret example</summary> + +* Creates a `Secret` object: + +```shell +kubectl apply -f - <<EOF +apiVersion: v1 +kind: Secret +metadata: + name: foovalue +data: + key: Zm9vLWtleQ== +EOF +``` + +* Creates a ApisixConsumer and reference `Secret` object: + +```shell +kubectl apply -f - <<EOF +apiVersion: apisix.apache.org/v2beta3 +kind: ApisixConsumer +metadata: + name: foo +spec: + authParameter: + keyAuth: + secretRef: + name: foovalue +EOF +``` + +* Creates a ApisixRoute, and enable plugin `key-auth`: Review Comment: ```suggestion * Creates an ApisixRoute, and enables plugin `key-auth`: ``` ########## docs/en/latest/practices/enable-authentication-and-restriction.md: ########## @@ -314,10 +516,10 @@ EOF **Example usage** -Requests from jack1: +* Requests from jack1: Review Comment: So why not keep using `-`? ########## docs/en/latest/practices/enable-authentication-and-restriction.md: ########## 
@@ -103,9 +204,11 @@ kubectl expose pod httpbin --port 80 ### How to enable `Authentication` +#### Enable `keyAuth` + The following is an example. The `keyAuth` is enabled on the specified route to restrict user access. -Create ApisixConsumer foo: +* Creates a ApisixConsumer, and set the attributes of plugin `key-auth`: Review Comment: ```suggestion * Creates an ApisixConsumer, and set the attributes of plugin `key-auth`: ```
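Review bot: In the `JWT Auth yaml configure` block of the `@@ -29,34 +29,126 @@` hunk, the parameters are nested under `wolfRbac:` although the section documents JWT Auth, `algorithm` appears twice in the same mapping (the second time as `algorithm: ${true | false}`), and `private_key: "{private_key}"` is missing the `$` of its placeholder. A reader who copies the block gets a consumer configured for the wrong plugin and a YAML mapping with a duplicate key. Please nest the values under the JWT field of ApisixConsumer, rename the boolean entry to the attribute it was meant for, and write `"${private_key}"`. In the same hunk, the added `secretRef` sentence reads "we can using" in all four sections, the Basic Auth, JWT Auth and Wolf RBAC sections all link to `#key-auth-reference-secret-object` for their Secret example, and the wolf-rbac plugin link uses the `/zh/docs/` path on an English page.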
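Review bot: In the `Key Auth reference Secret object` example of the `@@ -146,10 +249,183 @@` hunk, the Secret stores the credential as `key: Zm9vLWtleQ==` under `data` with no note that this is only the base64 encoding of the `foo-key` value that the later curl sends as `apikey:foo-key`. Please add a sentence saying that the value is encoded, not encrypted, so readers do not treat the manifest as safe to commit alongside the ApisixConsumer. The `secretRef` carries only `name: foovalue` and none of the three manifests sets a namespace, so the text should also say in which namespace the Secret is looked up. The example ends with the `HTTP/1.1 200 OK` for a valid key only. Adding the same request without the `apikey` header, together with its rejection, would let readers confirm that the route actually enforces authentication.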
