Kubernetes API-GW service

KONG with TLS + Auth

Ambassador with TLS + Auth

  • TLS
    1. Strip the passphrase from the private key before putting it in the TLS secret (see https://github.com/kubernetes/kubernetes/issues/53100); for a non-RSA key use `openssl pkey` with the same arguments, and delete the unencrypted file once the secret has been created:
    
      openssl rsa -in encrypted-private.key -out unencrypted.key
    
    2. On GKE the gcloud user must be bound to the cluster-admin role, because RBAC only lets a user grant permissions it already holds; without it the ClusterRole and ClusterRoleBinding for Ambassador cannot be created:
    
          kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud info --format="value(config.account)")
    
    3. Ambassador needs a service account bound to a role that lets it read the cluster's services, secrets and configmaps (and write configmaps). ClusterRole and ClusterRoleBinding are cluster-scoped, so they carry no namespace; only the ServiceAccount does.
    
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            name: ambassador
          rules:
          - apiGroups: [""]
            resources:
            - services
            verbs: ["get", "list", "watch"]
          - apiGroups: [""]
            resources:
            - configmaps
            verbs: ["create", "update", "patch", "get", "list", "watch"]
          - apiGroups: [""]
            resources:
            - secrets
            # this is read access to every Secret in the cluster; use a namespaced
            # Role/RoleBinding instead if Ambassador only serves one namespace
            verbs: ["get", "list", "watch"]
            
          ---
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            namespace: iot-proxy
            name: ambassador
            
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            name: ambassador
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: ambassador
          subjects:
          - kind: ServiceAccount
            name: ambassador
            namespace: iot-proxy
          # binding the default service account as well gives every pod in
          # iot-proxy that runs under it the same cluster-wide read access to
          # secrets; prefer setting serviceAccountName: ambassador on the
          # Ambassador deployment and dropping this subject
          - kind: ServiceAccount
            name: default
            namespace: iot-proxy
    
  • Auth
    1. HTTP Basic
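A check script for the TLS key and RBAC steps above, added here as an example (it is not from the original notes or from the Ambassador project). It assumes the iot-proxy namespace and the ambassador service account from the manifest and, for the RBAC check, a kubectl context with impersonation rights (cluster-admin has them) against the target cluster:

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): checks for the TLS and
# RBAC steps above. Assumes namespace iot-proxy and service account
# ambassador from the manifest, and a kubectl context pointing at the
# target cluster (with impersonation rights) for check_rbac.

# key_is_encrypted FILE: exit 0 if the PEM key is passphrase-protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" block, or legacy PKCS#1 with a
# "Proc-Type: 4,ENCRYPTED" header), 1 otherwise. Such a key must go
# through "openssl rsa" / "openssl pkey" before it is placed in a
# kubernetes.io/tls Secret.
key_is_encrypted() {
  grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# check_rbac NAMESPACE SERVICE_ACCOUNT: asks the API server, via
# impersonation, whether the SA holds every verb the ClusterRole grants,
# and whether the namespace's default SA ended up with cluster-wide read
# access to secrets. Non-zero exit on any missing permission or on the
# default-SA finding.
check_rbac() {
  local ns="$1" sa="$2" rc=0 res verb
  local who="system:serviceaccount:${ns}:${sa}"
  for res in services configmaps secrets; do
    for verb in get list watch; do
      if kubectl auth can-i "$verb" "$res" --all-namespaces --as="$who" >/dev/null 2>&1; then
        echo "ok      $who $verb $res"
      else
        echo "MISSING $who $verb $res"; rc=1
      fi
    done
  done
  for verb in create update patch; do   # configmaps also get write verbs
    kubectl auth can-i "$verb" configmaps --all-namespaces --as="$who" >/dev/null 2>&1 \
      || { echo "MISSING $who $verb configmaps"; rc=1; }
  done
  if kubectl auth can-i get secrets --all-namespaces \
       --as="system:serviceaccount:${ns}:default" >/dev/null 2>&1; then
    echo "WARNING default SA in $ns can read secrets cluster-wide"; rc=1
  fi
  return "$rc"
}

# usage: ./check.sh rbac   (key_is_encrypted is meant to be sourced)
if [ "${1:-}" = "rbac" ]; then
  check_rbac iot-proxy ambassador
fi
```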
