Consul
Delegate authorization to Apigee
This topic describes how to use the external authorization Envoy extension to delegate data plane authorization requests to Apigee.
For more detailed guidance, refer to the learn-consul-apigee-external-authz repo on GitHub.
Workflow
Complete the following steps to use the external authorization extension with Apigee:
- Deploy the Apigee Adapter for Envoy and register the service in Consul.
- Configure the EnvoyExtensions block in a service defaults or proxy defaults configuration entry.
- Apply the configuration entry.
Deploy the Apigee Adapter for Envoy
The Apigee Adapter for Envoy is an Apigee-managed API gateway that uses Envoy to proxy API traffic.
To download and install Apigee Adapter for Envoy, refer to the getting started documentation or follow along with the learn-consul-apigee-external-authz repo on GitHub.
After you deploy the service in your desired runtime, create a service defaults configuration entry that sets the service's protocol to gRPC. The sidecar proxies send their authorization requests to the adapter over gRPC, so Consul must know that the service speaks that protocol.
apigee-remote-service-envoy.hcl
Kind = "service-defaults"
Name = "apigee-remote-service-envoy"
Protocol = "grpc"
Configure the EnvoyExtensions
Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an EnvoyExtensions block in the configuration entry.
- When you configure Envoy extensions on proxy defaults, they apply to every service.
- When you configure Envoy extensions on service defaults, they apply to all instances of a service with that name.
Warning
Adding Envoy extensions to proxy defaults configuration entries may have unintended consequences, because those extensions apply to every service in the mesh. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
The following example configures the default behavior for all services named api so that the Envoy proxies running as sidecars for those service instances target the apigee-remote-service-envoy service for gRPC authorization requests:
api-auth-service-defaults.hcl
Kind = "service-defaults"
Name = "api"
EnvoyExtensions = [
  {
    Name = "builtin/ext-authz"
    Arguments = {
      ProxyType = "connect-proxy"
      Config = {
        GrpcService = {
          Target = {
            Service = {
              Name = "apigee-remote-service-envoy"
            }
          }
        }
      }
    }
  }
]
Refer to the external authorization extension configuration reference for details on how to configure the extension.
Refer to the proxy defaults configuration entry reference and service defaults configuration entry reference for details on how to define the configuration entries.
Apply the configuration entry
On the CLI, you can use the consul config write command and pass the configuration entry files to apply them to Consul. Write the adapter's gRPC service defaults entry before the entry that references it. For Kubernetes-orchestrated networks, use the kubectl apply command to update the relevant CRD.
$ consul config write apigee-remote-service-envoy.hcl
$ consul config write api-auth-service-defaults.hcl
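The following script is an added example, not code from the Consul or Apigee projects. It builds the two configuration entries from this page as JSON, checks them before they are written, and optionally pushes them to a Consul agent over the HTTP config API (`PUT /v1/config`) instead of the CLI. The check it performs is the one a practitioner wants before applying the second entry: every ext-authz extension whose gRPC target is a service must be matched by a service defaults entry that sets that service's Protocol to "grpc", which is the entry the page has you create first. The `CONSUL_HTTP_ADDR` and `CONSUL_HTTP_TOKEN` environment variable names and the `write_entries` helper are this example's assumptions and are not described on the page.

```python
"""Added example (not Consul's or Apigee's own code).

Builds the service-defaults entries this page applies, checks that every
ext-authz gRPC target has a matching Protocol = "grpc" entry, and, when
CONSUL_HTTP_ADDR is set (assumed name, not from the page), writes the entries
through Consul's HTTP config API.
"""
import json
import os
import urllib.request

EXT_AUTHZ = "builtin/ext-authz"


def grpc_service_defaults(name: str) -> dict:
    """service-defaults entry that marks `name` (the Apigee adapter) as gRPC."""
    return {"Kind": "service-defaults", "Name": name, "Protocol": "grpc"}


def ext_authz_service_defaults(name: str, authz_service: str,
                               proxy_type: str = "connect-proxy") -> dict:
    """service-defaults entry that makes every sidecar of `name` send
    external authorization requests to `authz_service` over gRPC."""
    return {
        "Kind": "service-defaults",
        "Name": name,
        "EnvoyExtensions": [{
            "Name": EXT_AUTHZ,
            "Arguments": {
                "ProxyType": proxy_type,
                "Config": {
                    "GrpcService": {
                        "Target": {"Service": {"Name": authz_service}},
                    },
                },
            },
        }],
    }


def check_entries(entries: list) -> list:
    """Return a list of problems found in a set of config entries.

    For each ext-authz extension with a GrpcService target, require a
    service-defaults entry for that target whose Protocol is "grpc".
    Extensions that use a non-gRPC target are not examined here.
    """
    problems = []
    protocols = {e["Name"]: e.get("Protocol")
                 for e in entries if e.get("Kind") == "service-defaults"}
    for entry in entries:
        for ext in entry.get("EnvoyExtensions", []):
            if ext.get("Name") != EXT_AUTHZ:
                continue
            grpc = ext.get("Arguments", {}).get("Config", {}).get("GrpcService")
            if not grpc:
                continue
            target = grpc.get("Target", {}).get("Service", {}).get("Name")
            if not target:
                problems.append(f"{entry['Name']}: GrpcService target has no service name")
                continue
            proto = protocols.get(target)
            if proto != "grpc":
                problems.append(f"{entry['Name']}: target {target!r} needs a service-defaults "
                                f"entry with Protocol = \"grpc\" (found {proto!r})")
    return problems


def write_entries(entries: list, addr: str, token: str = "") -> list:
    """PUT each entry to Consul's /v1/config endpoint in list order and
    return the HTTP status codes. The X-Consul-Token header is sent only
    when a token is given (needed when ACLs are enabled)."""
    statuses = []
    for entry in entries:
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-Consul-Token"] = token
        req = urllib.request.Request(f"{addr.rstrip('/')}/v1/config",
                                     data=json.dumps(entry).encode(),
                                     headers=headers, method="PUT")
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Same two entries as the page, adapter entry first.
    entries = [grpc_service_defaults("apigee-remote-service-envoy"),
               ext_authz_service_defaults("api", "apigee-remote-service-envoy")]
    problems = check_entries(entries)
    if problems:
        raise SystemExit("\n".join(problems))
    addr = os.environ.get("CONSUL_HTTP_ADDR")  # assumed variable name
    if addr:
        print(write_entries(entries, addr, os.environ.get("CONSUL_HTTP_TOKEN", "")))
    else:
        print(json.dumps(entries, indent=2))
```

Run it without `CONSUL_HTTP_ADDR` to see the JSON that would be written, or with it pointing at an agent (for example `http://127.0.0.1:8500`) to apply both entries. Dropping the first entry from the list, or giving the adapter a Protocol other than "grpc", makes `check_entries` report the mismatch before anything reaches Consul.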