Expose and Secure a Workload with JWT

This tutorial shows how to expose and secure Services using APIGateway Controller. The Controller reacts to an instance of the APIRule custom resource (CR) and creates an Istio VirtualService, Authorization Policy and Request Authentication according to the details specified in the CR. To interact with the secured workloads, the tutorial uses a JWT token.

Prerequisites

• You have the Istio and API Gateway modules added.

• You have a deployed workload.

  NOTE

  To expose a workload using APIRule in version v2, the workload must be a part of the Istio service mesh. See Enable Istio Sidecar Proxy Injection.

• You have set up your custom domain. Alternatively, you can use the default domain of your Kyma cluster and the default Gateway kyma-system/kyma-gateway.

  NOTE

  Because the default Kyma domain is a wildcard domain, which uses a simple TLS Gateway, it is recommended that you set up your custom domain for use in a production environment.

  TIP

  To learn what the default domain of your Kyma cluster is, run kubectl get gateway -n kyma-system kyma-gateway -o jsonpath='{.spec.servers[0].hosts}'.

• You have a JSON Web Token. See Obtain a JWT.

• To use CLI instructions, you must install kubectl and curl. Alternatively, you can use Kyma dashboard.

Steps

Access the Secured Resources

1. To call the endpoint, send a GET request to the HTTPBin Service.

   curl -ik -X GET https://{SUBDOMAIN}.{DOMAIN_NAME}/headers

   You get the error 401 Unauthorized.

2. Now, access the secured workload using the correct JWT.

   curl -ik -X GET https://{SUBDOMAIN}.{DOMAIN_NAME}/headers --header "Authorization:Bearer $ACCESS_TOKEN"

   You get the 200 OK response code.