Overview
Cake protects every resource running in its cluster with an Envoy gateway. The gateway rejects any request to a Cake model that does not carry a valid JWT. The same applies to application APIs: by default they are reachable from outside the cluster only if ingress has been explicitly configured. Cake makes some application APIs callable by default, but your own applications must be configured manually. Cake support is happy to do this for you; if you would rather configure it yourself, use this document as a guide.
Instructions
Use the YAML files below as a guide to add a custom overlay that allows ingress to your applications or models.
Detailed documentation for Istio Gateways and Virtual Services: https://istio.io/latest/docs/reference/config/networking/gateway/ and https://istio.io/latest/docs/reference/config/networking/virtual-service/
Example files for an overlay follow. See the overlays document for information on using them.
Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - resources/<APP_NAME>-service.yaml
  - resources/<APP_NAME>-gateway.yaml
  - resources/<APP_NAME>-virtual-service.yaml
  - resources/<APP_NAME>-dex-istio-auth-link.yaml
  - resources/<APP_NAME>-authorization-policy.yaml
  - resources/<APP_NAME>-<YOUR_CODE>.yaml   # your workload manifests (Deployment etc.); pods must carry the label the Service selects on
ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: <APP_NAME>
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "4"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: <NAMESPACE>
    server: https://kubernetes.default.svc
  project: default
  source:
    path: platform/deploys/<CLUSTER>/<APP_NAME>
    repoURL: "git@<GIT_HOST>:<COMPANY>/<REPO>.git"   # SSH URL of the repository that holds the overlay
    targetRevision: HEAD
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        istio-injection: enabled   # sidecars are required for the RequestAuthentication and AuthorizationPolicy to be enforced at the workload
    syncOptions:
      - CreateNamespace=true       # also required for managedNamespaceMetadata to be applied
Resources to add to the resources/ subdirectory
Gateway
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: <APP_NAME>-gateway
spec:
  selector:
    istio: ingressgateway          # bind to the shared Envoy ingress gateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true        # plaintext requests are redirected; nothing is served over port 80
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: istio-gateway-certificate-tls   # TLS secret in the ingress gateway's own namespace
      hosts:
        - <APP_NAME>.<CLUSTER_URL>
Virtual Service
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: <APP_NAME>-virtual-service
spec:
  gateways:
    - <APP_NAME>-gateway
  hosts:
    - <APP_NAME>.<CLUSTER_URL>     # must match a host on the Gateway's HTTPS server exactly
  http:
    - route:
        - destination:
            host: <APP_NAME>-service.<NAMESPACE>.svc.cluster.local   # the ClusterIP Service below, not the public hostname
            port:
              number: 80
Service
apiVersion: v1
kind: Service
metadata:
  name: <APP_NAME>-service
  labels:
    app.kubernetes.io/name: <APP_NAME>
spec:
  type: ClusterIP                  # not exposed directly; reachable only through the gateway and the mesh
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
  selector:
    app.kubernetes.io/name: <APP_NAME>   # your Deployment's pods must carry this label
AuthorizationPolicy
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: <APP_NAME>-allow-all
spec:
  # No selector, so this applies to every workload in <NAMESPACE>. An ALLOW policy whose only
  # rule is {} matches every request; JWT enforcement for external traffic is done by the
  # gateway-scoped policy below, not by this one.
  action: ALLOW
  rules:
    - {}
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: <APP_NAME>-external
  namespace: istio-system          # attaches to the ingress gateway, so it lives in the gateway's namespace
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]   # any principal from a JWT validated at the gateway; a request without a validated JWT has no principal and does not match
      to:
        - operation:
            hosts: ["<APP_NAME>.<CLUSTER_URL>"]   # must be the same host the Gateway and VirtualService serve
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
DexIstioAuthLink
apiVersion: security.cake.ai/v1beta1
kind: DexIstioAuthLink
metadata:
  name: <APP_NAME>-authentication-jwt
spec:
  issuer: https://<CLUSTER_NAME>/dex
  signingKeyRef:
    name: openid-connect-keys
    namespace: auth
  requestAuthenticationTemplate:   # template for the Istio RequestAuthentication applied to the app's pods
    spec:
      selector:
        matchLabels:
          app.kubernetes.io/name: <APP_NAME>
      jwtRules:
        - issuer: "https://<CLUSTER_NAME>/dex"
          forwardOriginalToken: true   # keep the Authorization header so the app can read the token's claims
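Before committing an overlay it pays to check the resources against each other: a host that differs between the Gateway, the VirtualService and the gateway-scoped AuthorizationPolicy (the kind of drift a stray <CLUTER_URL> produces), a VirtualService route that points at the public hostname instead of the ClusterIP Service, a plaintext listener without httpsRedirect, or a gateway ALLOW rule without requestPrincipals that would admit unauthenticated requests. The script below is an added example and not part of Cake's tooling. It works on the manifests as Python dicts (what yaml.safe_load_all() returns), and sample_overlay() is a constructed sample that mirrors this page's resources with the placeholders filled in; the app name myapp, the domain cake.example.internal and the namespace myapp are assumed values.

```python
"""Consistency checks for an ingress overlay of the shape shown on this page.
Added example, not Cake's own tooling: manifests are the dicts yaml.safe_load_all()
yields, and sample_overlay() is a constructed sample mirroring the page's resources."""
import fnmatch
import re
from collections import defaultdict

PLACEHOLDER = re.compile(r"<[A-Z_]+>")  # unfilled tokens such as <APP_NAME>
SVC_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+\.svc(\.cluster\.local)?)?$")  # in-cluster Service names


def _strings(obj):
    """Yield every string leaf in a nested dict/list."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(v)


def _ref(m):
    return f"{m.get('kind')}/{(m.get('metadata') or {}).get('name', '?')}"


def _covered(host, patterns):
    """Istio host matching: exact name, '*' or a '*.suffix' wildcard."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def check_overlay(manifests):
    """Return a list of findings; an empty list means the overlay is consistent."""
    findings, kinds = [], defaultdict(list)
    for m in manifests:
        kinds[m.get("kind")].append(m)
        for tok in (t for s in _strings(m) for t in PLACEHOLDER.findall(s)):
            findings.append(f"{_ref(m)}: unsubstituted placeholder {tok}")

    # Gateway: the plaintext listener must redirect; collect the TLS hosts it serves.
    served = []
    for gw in kinds["Gateway"]:
        for srv in gw["spec"]["servers"]:
            proto, tls = srv["port"]["protocol"].upper(), srv.get("tls", {})
            if proto == "HTTP" and not tls.get("httpsRedirect"):
                findings.append(f"{_ref(gw)}: HTTP listener on port {srv['port']['number']} does not redirect to HTTPS")
            elif proto == "HTTPS":
                served.extend(srv["hosts"])

    # VirtualService: hosts must be served by the Gateway, and routes must target a
    # Service in this overlay rather than the public hostname.
    services = {s["metadata"]["name"] for s in kinds["Service"]}
    for vs in kinds["VirtualService"]:
        for host in vs["spec"]["hosts"]:
            if not _covered(host, served):
                findings.append(f"{_ref(vs)}: host {host} is not served by any Gateway HTTPS listener")
        for dest in (d for r in vs["spec"].get("http", []) for d in r.get("route", [])):
            target = dest["destination"]["host"]
            if not SVC_HOST.match(target) or target.split(".")[0] not in services:
                findings.append(f"{_ref(vs)}: destination {target} is not a Service in this overlay")

    # Gateway-scoped AuthorizationPolicy: each public host needs an ALLOW rule that demands a
    # request principal (a validated JWT). A matching rule without one admits anonymous requests.
    gw_policies = [p for p in kinds["AuthorizationPolicy"] if p["spec"].get("action", "ALLOW") == "ALLOW"
                   and p["spec"].get("selector", {}).get("matchLabels", {}).get("istio") == "ingressgateway"]
    for host in sorted({h for vs in kinds["VirtualService"] for h in vs["spec"]["hosts"]}):
        authenticated = opened = False
        for pol in gw_policies:
            for rule in pol["spec"].get("rules", []):
                rule_hosts = [h for to in rule.get("to", []) for h in to["operation"].get("hosts", [])]
                if rule_hosts and not _covered(host, rule_hosts):
                    continue  # rule is scoped to other hosts
                sources = [f["source"] for f in rule.get("from", [])]
                if sources and all(s.get("requestPrincipals") for s in sources):
                    authenticated = True
                else:
                    opened = True
                    findings.append(f"{_ref(pol)}: rule admits {host} through the gateway without a request principal")
        if not (authenticated or opened):
            findings.append(f"{host}: no gateway ALLOW rule with requestPrincipals covers this host")
    return findings


def sample_overlay(app="myapp", domain="cake.example.internal", namespace="myapp"):
    """Constructed sample: the page's Gateway, VirtualService, Service and gateway policy, placeholders filled."""
    host = f"{app}.{domain}"
    return [
        {"kind": "Gateway", "metadata": {"name": f"{app}-gateway"}, "spec": {
            "selector": {"istio": "ingressgateway"}, "servers": [
                {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"],
                 "tls": {"httpsRedirect": True}},
                {"port": {"number": 443, "name": "https", "protocol": "HTTPS"}, "hosts": [host],
                 "tls": {"mode": "SIMPLE", "credentialName": "istio-gateway-certificate-tls"}}]}},
        {"kind": "VirtualService", "metadata": {"name": f"{app}-virtual-service"}, "spec": {
            "gateways": [f"{app}-gateway"], "hosts": [host], "http": [{"route": [{"destination": {
                "host": f"{app}-service.{namespace}.svc.cluster.local", "port": {"number": 80}}}]}]}},
        {"kind": "Service", "metadata": {"name": f"{app}-service"},
         "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 80}]}},
        {"kind": "AuthorizationPolicy", "metadata": {"name": f"{app}-external", "namespace": "istio-system"},
         "spec": {"action": "ALLOW", "selector": {"matchLabels": {"app": "istio-ingressgateway", "istio": "ingressgateway"}},
                  "rules": [{"from": [{"source": {"requestPrincipals": ["*"]}}],
                             "to": [{"operation": {"hosts": [host]}}]}]}},
    ]


if __name__ == "__main__":
    print("\n".join(check_overlay(sample_overlay())) or "overlay OK")
```

To lint a real overlay, load resources/*.yaml with yaml.safe_load_all() (PyYAML) and pass the documents to check_overlay(); any finding is a reason not to sync the ArgoCD Application. The check is static: it confirms that the gateway policy requires a request principal, but it cannot confirm that a RequestAuthentication on the gateway actually populates one, so after syncing also send a request to the host with no Authorization header and one with a bad token and expect the gateway to reject both (403 when no token is presented, 401 when the token fails validation).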