Using the plugin framework for Ext. Auth Service in Gloo Enterprise, we can build any custom AuthN/AuthZ plugins to handle security requirements not provided out of the box.

1. 1 | Copyright © 2019
Solo.io Deep Dive
Building Go plugins for external auth service
for Gloo Enterprise

2. 2 | Copyright © 2019
The Gloo Control Plane

3. 3 | Copyright © 2019
External Auth Plugins

4. 4 | Copyright © 2019
External Auth Plugins

5. 5 | Copyright © 2019
External Auth Plugins

6. 6 | Copyright © 2019
External Auth Plugins

7. 7 | Copyright © 2019
Creating a plugin
https://github.com/solo-io/ext-auth-plugin-examplesSee example:

8. 8 | Copyright © 20198 | Copyright © 2019
Creating the plugin source

9. 9 | Copyright © 2019
Plugin implements ExtAuthPlugin interface
type ExtAuthPlugin interface {
NewConfigInstance(ctx context.Context) (configInstance interface{}, err error)
GetAuthService(ctx context.Context, configInstance interface{}) (AuthService, error)
}
https://docs.solo.io/gloo/latest/gloo_routing/virtual_services/security/plugin_auth/

10. 10 | Copyright © 2019
Config instance maps to what we configure in
VirtualService
virtualHostPlugins:
extensions:
configs:
extauth:
plugin_auth:
plugins:
- config:
RequiredHeader: my-header
AllowedValues:
- foo
- bar
- baz
name: RequiredHeader
plugin_file_name: RequiredHeader.so
exported_symbol_name: Plugin

11. 11 | Copyright © 2019
AuthService interface
type AuthService interface {
Start(ctx context.Context) error
Authorize(ctx context.Context, request *AuthorizationRequest) (*AuthorizationResponse, error)
}
https://docs.solo.io/gloo/latest/dev/writing_auth_plugins/

12. 12 | Copyright © 2019
Plugin implements ExtAuthPlugin interface
package main
import (
impl "github.com/solo-io/ext-auth-plugin-examples/plugins/required_header/pkg"
"github.com/solo-io/ext-auth-plugins/api"
)
func main() {}
var Plugin impl.RequiredHeaderPlugin

13. 13 | Copyright © 2019
Creating a plugin
https://github.com/solo-io/ext-auth-plugin-examplesSee example:

14. 14 | Copyright © 201914 | Copyright © 2019
Preparing and building the plugin for Gloo
Enterprise

15. 15 | Copyright © 2019
Align version dependencies with Gloo Enterprise
$ dep ensure –v
$ GLOOE_VERSION=0.20.7 make compare-deps
{
"pluginDependencies": {
"name": "github.com/gogo/protobuf",
"version": "v1.2.1",
"revision": "ba06b47c162d49f2af050fb4c75bcbc86a159d5c"
},
"glooeDependencies": {
"name": "github.com/gogo/protobuf",
"version": "v1.3.0",
"revision": "0ca988a254f991240804bf9821f3450d87ccbb1b"
}
},

16. 16 | Copyright © 2019
Align version dependencies with Gloo Enterprise
$ // correct the dep mismatches in Gopkg.toml
$ dep ensure –v
$ GLOOE_VERSION=0.20.7 make compare-deps
go run scripts/compare_dependencies.go Gopkg.lock _glooe/Gopkg.lock
All shared dependencies match

17. 17 | Copyright © 2019
Build plugin (needs access to docker daemon)
$ GLOOE_VERSION=0.20.7 make build-plugins
{"level":"info","ts":"2019-11-01T16:51:10.694Z","logger":"verify-plugins.header_value_plugin",
"caller":"pkg/impl.go:39","msg":"Parsed RequiredHeaderAuthService config",
"requiredHeader":"my-auth-header","allowedHeaderValues":["foo","bar","baz"]
}
{"level":"info","ts":"2019-11-01T16:51:10.695Z","logger":"verify-plugins",
"caller":"plugins/loader.go:63","msg":"Successfully loaded plugin. Adding it to the plugin chain.",
"pluginName":"RequiredHeader"}
{"level":"info","ts":"2019-11-01T16:51:10.696Z","logger":"verify-plugins",
"caller":"scripts/verify_plugins.go:62","msg":"Successfully verified that plugins can be loaded by Gloo!"}
Be on the lookout for this log line in the docker build:

18. 18 | Copyright © 2019
Tag the docker image and push to registry
$ docker images
$ docker tag <find tag> gcr.io/solo-public/ext-auth-example:v0.20.7
$ docker push gcr.io/solo-public/ext-auth-example:v0.20.7

19. 19 | Copyright © 2019
Now we have our plugin!
https://github.com/solo-io/ext-auth-plugin-examplesSee example:

20. 20 | Copyright © 201920 | Copyright © 2019
Deploying and verifying our plugin

21. 21 | Copyright © 2019
External Auth Plugins

22. 22 | Copyright © 2019
Configuration values for Gloo Enterprise install
plugin-values.yaml
license_key: YOUR_LICENSE_KEY
global:
extensions:
extAuth:
plugins:
my-plugin:
image:
repository: gloo-examples-extauth-required-header
registry: gcr.io/solo-public
pullPolicy: IfNotPresent
tag: 0.20.7

23. 23 | Copyright © 2019
Install Gloo with Ext-Auth plugin configured
$ helm fetch glooe/gloo-ee –-version ”0.20.7” --untar
$ kubectl create ns gloo-system
$ helm template gloo-ee -–namespace gloo-system –f
plugin-values.yaml | kubectl apply –f -

24. 24 | Copyright © 2019
Verify plugin got copied over correctly
$ kubectl exec -n gloo-system deploy/extauth -- ls -l /auth-plugins
total 28356
-rw-r--r-- 1 root root 29033304 Nov 1 20:03 RequiredHeader.so

25. 25 | Copyright © 2019
If already have Gloo Enterprise installed?
Just add the initcontainer to deploy/extauth:
initContainers:
- image: gcr.io/solo-public/gloo-examples-extauth-required-header:0.20.7
imagePullPolicy: IfNotPresent
name: plugin-my-plugin
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /auth-plugins
name: auth-plugins

26. 26 | Copyright © 201926 | Copyright © 2019
Configure the plugin and enforcement

27. 27 | Copyright © 2019
Config instance maps to what we configure in
VirtualService
virtualHostPlugins:
extensions:
configs:
extauth:
plugin_auth:
plugins:
- config:
RequiredHeader: my-header
AllowedValues:
- foo
- bar
- baz
name: RequiredHeader
plugin_file_name: RequiredHeader.so
exported_symbol_name: Plugin

28. 28 | Copyright © 2019