TLDR : Is it okay to use controller class in spring gateway instead of routing in config class? I want to take data from one service and then pass it the response from that service to another.
I used spring cloud gateway to create an api gateway. I have several services that need to communicate. I currently only use the gateway for routing to the first service and then the first service is going to talk to other service by itself. But this is becoming troublesome now that I have a lot of services.
Here we use Spring Cloud Gateway , Eureka Server and some microservices.
When the user (frontend) call a rest service he needs to call the gateway then the gateway do the loadbalance and returns the result for the user. (OK)
Our problem is when this rest service call other rest service after pass by the gateway.
When this fact occur we call the gateway again to do this call, is it ok to do? Or the best practice would be use a client loadbalance to do this request direct on the service dont using the gateway again.
Anyone could help me about this doubt?
Thanks a lot!
I have an EDG service which is a gateway in front of some services,
those services were reached by feign client so all requests come to edge and it's controllers will forward the request to back end service using fegin client.
I thought that's bad so I wanted to change this by fully using Zuul integration, that will automatically do the routing to the backend services , load balancing ...etc
The problem is: handing zuul filters to do centralized logging is not so cool vs fegin client which is just a call and I can make global Exception handler to handle exceptions ...etc
so what is the correct way of implementing the Edge layer?
Is it possible to use spring cloud oauth 2 server with kubernetes api gateway ingress.
I have used it with zuul to authenticate user before making a call. Can I do similar with ingress?
Edit 1:
To explain it more clearly, what I am trying to achieve
I am using token based oAuth2 implementation given by the spring cloud.
oauth is running as one of the service behind the zuul.
zuul has routes mapped for the oauth server and resource server
client call the auth server via zuul and gets the token.
client call resource server via zuul with token passed
zuul is configured to validate the token before making a call to resource server.
In this way we can stop any downstream traffic to go without a valid token.
can we do token validation in ingress with auth server running with in a cluster?
I have not used Spring Cloud OAuth 2 but as OAuth is a standard I believe you can set it up if you are using Nginx Ingress as the ingress controller, you can specify and external Oauth Provider (As OAuth generally has the same flow) like this on your ingress:
...
metadata:
name: application
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
...
You can find more information here with an example of using GitHub as an OAuth provider
There are currently three different nginx-ingress-controllers (see here), which differ in functionality. I believe that none of these ingress controllers themselves can perform an oauth token introspection. However, requests can be routed to the authorization server's introspection interface using the auth_request module.
Specifically for your case, you can use the auth-url annotation (see) in the ingress controller to direct the requests to the introspection interface of the spring cloud oauth2 server (see). The introspection interface is available under /oaut/check_token by default when #EnableAuthorizationServer is used. If the introspection interface returns a 2XX, the ingress will forward the request. This functionality is based on the auth_request module, which expects a 2xx response code from the external service if the access is allowed and 401 or 403 if denied.
If you use JWTs and want to validate the request by only checking the signature, this can in some cases actually be done by the ingress itself. To my knowledge, only the nginx plus ingress controller (paid) can validate JWTs. But there is also the nginx-based kong-ingress controller, which you can equip with pulgins (see here). There is e.g. promoted with oauth2 integration and JWT validation.
Did you find out more than me?
We would like to use Spring Cloud Gateway to implement a CloudFoundry Route Service.
In short: every request coming in to the 'Route Service' needs to be forwarded to a url defined as a Request Header (X-CF-Forwarded-Url). The request can be modified/blocked by the 'Route Service' id required.
From what I see (and as the name implies) Spring Cloud gateway is only able to proxy a request. Is it possible to do something like that?
Why 'Spring Cloud Gateway'? I think it provides a very nice API and lots of thoughts have gone into it. It also just feels as a very related usecase/extension to the whole API.