Reference Secrets in Kubernetes Secret
Kubernetes Secrets are objects that store sensitive data like passwords, API keys, and tokens. They can be exposed as environment variables within Pods or integrated as a secret provider to enhance API security.
This tutorial demonstrates how to integrate API7 Enterprise with Kubernetes as a secret provider, enabling you to securely store and reference consumer credentials and plugin configurations from Kubernetes secrets.
Prerequisites
- Install API7 Enterprise.
- Have at least one gateway instance in your gateway group.
- Prepare your Kubernetes cluster to store secrets.
- Install cURL to send requests to the services for validation.
Add Secret Provider in Gateway Group
- Dashboard
- ADC
- Ingress Controller
- Select Secret Providers of your gateway group from the side navigation bar, then click Add Secret Provider.
- From the dialog box, do the following:
- In the Secret Provider ID field, enter
my-kubernetes-secret. - In the Secret Manager field, choose
Kubernetes. - Fill in the API Server Address field. For example,
http://127.0.0.1. - Fill in the Token field.
- Click Add.
- Copy the Secret Variable for future reference. All secret references are generated from it, for example,
$secret://kubernetes/my-kubernetes-secret/$namespace/$secret_name/$key.
Coming soon.
Coming soon.
Reference Secrets for SSL Certificate
The sensitive fields certificate and private key within an SSL certificate object can be securely stored in an external secret manager (such as HashiCorp Vault, AWS Secret Manager or Kubernetes Secret) and referenced within API7 Gateway.
Store Secrets
Create a ssl-secret YAML file:
apiVersion: v1
kind: Secret
metadata:
namespace: default
name: ssl
type: kubernetes.io/tls
data: # Must use base64 value
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
RklDQVRFLS0tLS0K
tls.key: RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==
Then apply to your Kubernetes cluster:
kubectl apply -f ssl-secret.yaml
Add SSL Certificate
- Select Certificates of your gateway group from the side navigation bar, enter the SSL Certificates tab.
- Click Add SSL Certificate.
- From the dialog box, do the following:
- In the Name field, enter
Test SSL Certificate. - In the Certificate field, enter
$secret://kubernetes/my-kubernetes-secret/default/ssl/tls.crt. - In the Private Key field, enter
$secret://kubernetes/my-kubernetes-secret/default/ssl/tls.key. - Click Add.
- For full use and validation of SSL certificate, see Configure mTLS between Client and API7 Gateway.
Reference Secrets to Create Consumer Credential
The following sensitive field in consumer credentials can be stored in an external secret manager(HashiCorp Vault, AWS Secret Manager or Kubernetes Secret) and referenced within API7 Gateway:
keyin Key Authentication credentialpasswordin Basic Authentication credentialsecret,public keyin JWT Authentication credentialsecret keyin HMAC Authentication credential
Add a Consumer
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Click Add Consumer.
- From the dialog box, do the following:
- In the Name field, enter
Alice. - Click Add.
Coming soon.
Coming soon.
Store Secrets
Create a alice-secret YAML file:
apiVersion: v1
kind: Secret
metadata:
namespace: default
name: alice
type: Opaque
stringData: # Must use base64 value
key: alice-key # for key authentication credential
password: alice-password # for basic authentication credential
secret: alice-secret # for JWT credential
secret-key: alice-secret-key # for HMAT authentication credential
Then apply to your Kubernetes cluster:
kubectl apply -f alice-secret.yaml
Add Key Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click Add Key Authentication Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-key. - In the Key field, enter
$secret://kubernetes/my-kubernetes-secret/default/alice/key. - Click Add.
Coming soon.
Coming soon.
Add Basic Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click Basic Authenticationtab, then click Add Basic Authentication Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-basic. - In the Username field, enter
Alice. - In the Password field, enter
$secret://kubernetes/my-kubernetes-secret/default/alice/password. - Click Add.
Coming soon.
Coming soon.
Add JWT Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click JWT tab, then click Add JWT Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-jwt. - In the Key field, enter
alice-key. - In the Algorithm field, choose
HS256. - In the Secret field, enter
$secret://kubernetes/my-kubernetes-secret/default/alice/secret. - Click Add.
Coming soon.
Coming soon.
Add HMAC Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click HMAC Authenticationtab, then click Add HMAC Authentication Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-hmac. - In the Key ID field, enter
alice-keyid. - In the Secret Key field, enter
$secret://kubernetes/my-kubernetes-secret/default/alice/secret-key. - Click Add.
Coming soon.
Coming soon.
Validate Consumer Credentials
Validate Key Authentication
See Enable Key Authentication for APIs for instruction, and enable the Key Auth Plugin on the service level.
Then follow Validate Key Authentication instruction.
Validate Basic Authentication
See Enable Basic Authentication for APIs for instruction, and enable the Basic Auth Plugin on the service level.
Then follow Validate Basic Authentication instruction.
Validate JWT Authentication
See Enable JWT Authentication for APIs for instruction, and enable the JWT Auth Plugin on the service level.
Then follow Validate JWT Authentication instruction.
Validate HMAC Authentication
See Enable HMAC Authentication for APIs for instruction, and enable the HMAC Auth Plugin on the service level.
Then follow Validate HMAC Authentication instruction.
Reference Secrets to Enable Plugin
The following sensitive field in plugin configurations can be stored in an external secret manager(HashiCorp Vault, AWS Secret Manager, Kubernetes Secret) and referenced in API7 Gateway:
| Plugin | Field |
|---|---|
| Limit Count | redis_username, redis_password |
| Authz-Casdoor | client_id, client_secret |
| Wolf RBAC | appid |
| LDAP Authentication | user_dn |
This section demonstrates configuring Limit Count Plugin as an example.
Store Secret
Create a redis-secret YAML file:
apiVersion: v1
kind: Secret
metadata:
namespace: default
name: redis
type: Opaque
stringData:
username: YXBpNw==
password: cmVkaXMtYXBpNw==
Then apply to your Kubernetes cluster:
kubectl apply -f redis-secret.yaml
Configure Limit Count Plugin
For where and how to enable the Limit Count plugin, refer to Apply Rate Limiting to APIs.
- Dashboard
- ADC
- Ingress Controller
Add the following configuration to the JSON Editor:
{
"count": 3,
"time_window": 60,
"key_type": "var",
"rejected_code": 429,
"rejected_msg": "Too many requests",
"key": "remote_addr",
"policy": "redis",
"redis_host": "127.0.0.1",
"redis_port": 6379,
"redis_username": "$secret://kubernetes/my-kubernetes-secret/default/redis/username"
"redis_password": "$secret://kubernetes/my-kubernetes-secret/default/redis/password",
"redis_database": 1,
"redis_timeout": 1001,
"allow_degradation": false,
"show_limit_quota_header": true
}
The following is only the plugin configuration and not a complete configuration file to synchronize. Refer to Apply Rate Limiting to APIs for where and how to enable the Limit Count plugin using ADC.
limit-count:
count: 3
time_window: 60
key_type: var
rejected_code: 429
rejected_msg: Too many requests
key: remote_addr
policy: redis
redis_host: 127.0.0.1
redis_port: 6379
redis_username: $secret://kubernetes/my-kubernetes-secret/default/redis/username
redis_password: $secret://kubernetes/my-kubernetes-secret/default/redis/password
redis_database: 1
redis_timeout: 1001
allow_degradation: false
show_limit_quota_header: true
Coming soon.
Additional Resources
- Key Concepts
- API Consumption