Verticle Gateway Operator

A kubernetes operator that spawns and configures instances of Spring Cloud Gateway on your cluster.

It uses Verticle’s implementation of Spring Cloud Gateway with enhancements: https://github.com/verticle-io/spring-cloud-gateway-kubernetes

Gateway Operator Features

Cloud native deployment

The gateway operator utilizes the new Kubernetes Gateway API and is configured by CRDs like Gateway, GatewayClass and HTTPRoute.

The operator also takes additional metadata configuration to leverage SCG features like rate-limiting, dedup, rewrites etc.

Behind-Ingress or Loadbalancer

Gateways can be configured to either expose as LoadBalancer or be positioned as ingressed service.

Self-Configuring Gateways

Spawned Gateways will watch specs like HTTPRoutes, TCPRoutes to configure themselves at runtime.

Extended Authorization methods with APIKeys

The gateways support standard OIDC which can be configured with a broad range of identity providers which already works of-the-shelf with Spring Security 5.

In addition machine-to-machine communication can be secured using APIKeys with headers, e.g. Authorization: apikey <BRILLIANTSECRET>

APIKeys are configured via standard Kubernetes Secrets.

About Spring Cloud Gateway

In case you are not familiar with SCG, a short intro from the docs:

“This project provides a library for building an API Gateway on top of Spring WebFlux. Spring Cloud Gateway aims to provide a simple, yet effective way to route to APIs and provide cross cutting concerns to them such as: security, monitoring/metrics, and resiliency.”

• Built on Spring Framework 5, Project Reactor and Spring Boot 2.0

• Able to match routes on any request attribute.

• Predicates and filters are specific to routes.

• Circuit Breaker integration.

• Spring Cloud DiscoveryClient integration

• Easy to write Predicates and Filters

• Request Rate Limiting

• Path Rewriting

Quickstart

Prepare CRDs

Install CRDs of the Gateway API manually

Use with latest release https://github.com/kubernetes-sigs/gateway-api/releases (current is v0.3.0):

kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.3.0" | kubectl apply -f -

Operator Installation

via Kubectl

$ kubectl apply -n gateway-operator -f https://raw.githubusercontent.com/verticle-io/gateway-operator/main/manifests/install.yaml 

via Helm

$ helm repo add verticle https://raw.githubusercontent.com/verticle-io/gateway-operator/main/charts
$ helm repo update
"verticle" has been added to your repositories

$ helm install operator verticle/verticle-gateway-operator
NAME: gateway-operator
...

Checkout configuration values on the wiki.

Create a new GatewayClass

Following the API specs, GatewayClass resources are supposed to be provisioned by the infrastructure provider, who manages the cluster. They can supply multiple different Gateway types with specific configuration.

cat <<EOF | kubectl apply -f -
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
  name: secured-gateway
spec:
  controller: "io.verticle.operator/gateway-apikey"
  parametersRef:
    group: v1
    kind: ConfigMap
    name: secured-gateway-config

---
# Configuring a gateway class that supports APIKey auth
kind: ConfigMap
#apiVersion: io.verticle.operator/v1alpha1
apiVersion: v1
metadata:
  name: secured-gateway-config

data:
  daemonSetEnabled: false
  replicas: 3 // (default)
  auth-apikey-from: Kubernetes
  auth-apikey-namespace: default

EOF

The operator will register this GatewayClass configuration and watch for approproate Gateway CRDs matching it.

Spawning a Gateway

Users ref the GatewayClass and define a gateway that will route their workload traffic. They specify the frontend port and protocol the gateway will listen on.

The operator will spawn the Spring Cloud Gateway while watching this CRD.

cat <<EOF | kubectl apply -f -
apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata:
  name: private-gateway
spec:
  gatewayClassName: secured-gateway
  addresses: []
  listeners:
    - protocol: HTTP
      port: 80
      routes:
        kind: HTTPRoute
        selector:
          matchLabels:
            route: route-echo
EOF

All routes matching app: route-echo will be selected for this gateway.

Configuring a HTTP route

Routing definitions are decoupled and match to a Gateway.

cat <<EOF | kubectl apply -f -
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
  name: route-echo-http-1
  labels:
    route: route-echo
spec:
  gateways:
    allow: SameNamespace
    gatewayRefs:
      - name: private-gateway
        namespace: default
  hostnames:
    - "localhost"
  rules:
    - matches:
        - path:
            type: Exact
            value: /echo
      forwardTo:
        - serviceName: echoservice
          port: 8080
          weight: 100
    - matches:
        - path:
            type: Exact
            value: /get
      forwardTo:
        - serviceName: httpbin.org
          port: 80
          weight: 100


EOF

Configure an APIKey as secret

Create one or more secrets in the same namespace as the Gateway.

$ kubectl create secret generic apikey-1 \
  --from-literal=key=foo \
  --from-literal=name=testkey \
  --from-literal=owner=sam@verticle.io \
  --from-literal=purpose=testing
  
$ kubectl label secret apikey-1 io.verticle.authgateway=apikey
  

Test Authentication

Add the Authorization header to your request, like

$ curl -v http://localhost/get -H "Authorization: apikey foo"

Documentation

See wiki.

Roadmap

Vault support for APIKeys

Storing and managing APIKeys in vaults, e.g. Azure Keyvault, HashiCorp Vault etc.

Horizontal Pod Autoscaling

Support for autoscaling gateway pods.

Operator Frontend

Managing gateways, configure routes and security in webbased frontend.

OLM support

Deploying and managing the Operator lifecycle via OLM

Customization Support

Ability to spawn your own extensions of the standard Spring Cloud Gateway functionality via the operator