The open-source Spring Cloud Gateway project includes a number of built-in filters for use in Gateway routes. The following commercial filters provided by VMware Spring Cloud Gateway for Kubernetes can be used in addition to those included in the OSS project.
BasicAuth
The `BasicAuth` filter relays Basic Authorization credentials to a route. It does not authenticate requests. It also does not return an HTTP `401 Unauthorized` status line with a `WWW-Authenticate` header for unauthenticated requests.
To use the `BasicAuth` filter:

1. Store the basic auth username and password in a Kubernetes secret, using their respective keys, `username` and `password`. To do this, run:

   ```
   kubectl create secret generic basic-auth-secret \
     --from-literal=username=***** \
     --from-literal=password=*****
   ```

   The secret must be created in the same namespace as the `SpringCloudGatewayRouteConfig` that will reference it.

2. In your `SpringCloudGatewayRouteConfig`, enter the name of the secret you created at `spec.basicAuth.secret`.

3. Add the `BasicAuth` filter to the route. For example:

   ```yaml
   apiVersion: "tanzu.vmware.com/v1"
   kind: SpringCloudGatewayRouteConfig
   metadata:
     name: test-gateway-routes
   spec:
     service:
       name: myapp
     basicAuth:
       secret: basic-auth-secret
     routes:
       - predicates:
           - Path=/api/**
         filters:
           - StripPrefix=0
           - BasicAuth
   ```
If you have multiple routes, the Basic Auth credentials are relayed only to the routes that include the `BasicAuth` filter.

If the secret cannot be found, a Kubernetes event is emitted in the namespace, as shown here:

```
$ kubectl get event
LAST SEEN   TYPE      REASON                     OBJECT                                             MESSAGE
117s        Warning   RoutesDefinitionException  springcloudgatewaymapping/test-gateway-mapping     Failed to retrieve routes from route config in mapping test-gateway-mapping: Failed to find secret 'basic-auth-secret' in the 'user-namespace' namespace.
```

This will also be logged in the `scg-operator` pod, which runs in the `spring-cloud-gateway` namespace by default:

```
$ kubectl logs deployment.apps/scg-operator
2021-06-16 19:38:01.459 ERROR 1 --- [ingController-2] c.v.t.s.route.RoutesDefinitionResolver : Failed to find secret 'basic-auth-secret' in the 'user-namespace' namespace.
```
Important: You cannot use the `BasicAuth` filter with the `TokenRelay` filter, because both filters use the `Authorization` header.

When using the `BasicAuth` filter in a Gateway instance running in standalone mode, you must add the Base64-encoded credentials alongside the filter; the encoded string has the form `username:password`.

The following examples show the encoding and configuration when the username and password are respectively `my-username` and `my-password`:

```
$ echo -n 'my-username:my-password' | base64
bXktdXNlcm5hbWU6bXktcGFzc3dvcmQ=
```

```yaml
spring:
  cloud:
    gateway:
      routes:
        - id: basic-auth-relay
          uri: https://example.org
          filters:
            - BasicAuth=bXktdXNlcm5hbWU6bXktcGFzc3dvcmQ=
```
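The rules above (credentials go only to routes carrying the filter, the secret must exist in the route config's namespace, `BasicAuth` and `TokenRelay` cannot share a route, and standalone mode takes the Base64 of `username:password`) can be checked before a route config is applied. The following Python script is an added example, not part of the product or its documentation; it assumes the route config is available as a dict in the shape `kubectl get -o json` returns (simplified to the keys it needs) and takes the list of existing secret names as a constructed stand-in for a `kubectl get secret` listing.

```python
import base64
from typing import Dict, List

# Constructed sample route config (assumed dict shape of the CRD; second
# route deliberately combines BasicAuth with TokenRelay to trigger a finding).
ROUTE_CONFIG = {
    "kind": "SpringCloudGatewayRouteConfig",
    "metadata": {"name": "test-gateway-routes", "namespace": "user-namespace"},
    "spec": {
        "service": {"name": "myapp"},
        "basicAuth": {"secret": "basic-auth-secret"},
        "routes": [
            {"predicates": ["Path=/api/**"], "filters": ["StripPrefix=0", "BasicAuth"]},
            {"predicates": ["Path=/oauth/**"], "filters": ["TokenRelay", "BasicAuth"]},
            {"predicates": ["Path=/public/**"], "filters": ["StripPrefix=0"]},
        ],
    },
}

# Constructed: secret names that exist per namespace (stand-in for
# `kubectl get secret -n <namespace>`); the referenced secret is missing.
SECRETS_BY_NAMESPACE = {"user-namespace": ["other-secret"]}


def relaying_routes(route_config: dict) -> List[int]:
    """Indices of the routes that carry the BasicAuth filter, i.e. the only
    routes to which the credentials are relayed."""
    routes = route_config["spec"].get("routes", [])
    return [i for i, r in enumerate(routes) if "BasicAuth" in r.get("filters", [])]


def lint_basic_auth(route_config: dict,
                    secrets_by_namespace: Dict[str, List[str]]) -> List[str]:
    """Pre-deploy checks derived from the BasicAuth rules; returns findings."""
    findings: List[str] = []
    ns = route_config["metadata"].get("namespace", "default")
    spec = route_config["spec"]
    routes = spec.get("routes", [])
    users = relaying_routes(route_config)
    secret = spec.get("basicAuth", {}).get("secret")

    if users and not secret:
        findings.append("routes use BasicAuth but spec.basicAuth.secret is not set")
    # The secret must live in the same namespace as the route config; if it
    # does not, the operator emits a RoutesDefinitionException event.
    if secret and secret not in secrets_by_namespace.get(ns, []):
        findings.append(f"Failed to find secret '{secret}' in the '{ns}' namespace.")
    # BasicAuth and TokenRelay both write the Authorization header.
    for i in users:
        if "TokenRelay" in routes[i].get("filters", []):
            findings.append(f"route {i}: BasicAuth and TokenRelay cannot be combined")
    return findings


def standalone_filter(username: str, password: str) -> str:
    """Filter entry for standalone mode: Base64 of 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"BasicAuth={token}"


if __name__ == "__main__":
    for finding in lint_basic_auth(ROUTE_CONFIG, SECRETS_BY_NAMESPACE):
        print("FINDING:", finding)
    print(standalone_filter("my-username", "my-password"))
```

Run against the constructed input, the lint reports the missing secret with the same message the operator logs, plus the `TokenRelay` conflict on the second route; the third route is untouched because credentials are never relayed to it.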
BlockAccess
The `BlockAccess` filter provides the ability to block access to requests by IP address, domain, or JWT claims.

This filter works globally across the entire Gateway instance, so it is configured using environment variables in the `SpringCloudGateway` resource, rather than per-route in `SpringCloudGatewayRouteConfig`.

To activate the filter, first use the `SpringCloudGateway` resource to set the `spring.cloud.gateway.k8s.block.access.enabled` environment variable to `true`.
Three variables are used to set up the blocking rules.
The `spring.cloud.gateway.k8s.block.access.domains` variable accepts a comma-separated list of IP addresses or domains. Any request coming from any of these origins will be blocked.

For example, the following configuration causes all requests originating from `192.168.0.1` or `test.com` to be blocked:

```yaml
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
spec:
  env:
    - name: spring.cloud.gateway.k8s.block.access.enabled
      value: "true"
    - name: spring.cloud.gateway.k8s.block.access.domains
      value: "192.168.0.1,test.com"
```
The `spring.cloud.gateway.k8s.block.access.claimValues` variable accepts a comma-separated list of JWT claim values. When configured, the Gateway blocks any authenticated request if any of the configured values are present in the claims.

For example, the following configuration causes all authenticated requests containing any JWT claim with a value of `client.write` or `cc_testuser` to be blocked:

```yaml
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
spec:
  env:
    - name: spring.cloud.gateway.k8s.block.access.enabled
      value: "true"
    - name: spring.cloud.gateway.k8s.block.access.claimValues
      value: "client.write,cc_testuser"
```
The `spring.cloud.gateway.k8s.block.access.claimNames` variable is complementary to `spring.cloud.gateway.k8s.block.access.claimValues`, and must be used with it. It works by restricting the search for JWT claim values to a defined set of claim names.

The variable accepts a comma-separated list of claim names. When configured, the Gateway blocks any authenticated request in which a claim with one of the specified names contains any value specified in the `spring.cloud.gateway.k8s.block.access.claimValues` variable.

For example, the following configuration causes any authenticated request containing a value of `write` or `cc_testuser` in the JWT `sub` claim to be blocked:

```yaml
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
spec:
  env:
    - name: spring.cloud.gateway.k8s.block.access.enabled
      value: "true"
    - name: spring.cloud.gateway.k8s.block.access.claimNames
      value: "sub"
    - name: spring.cloud.gateway.k8s.block.access.claimValues
      value: "write,cc_testuser"
```

Note: The JWT claim `BlockAccess` global filter only supports blocking requests with the `Authorization` header. It does not support blocking by cookie session.
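To make the interaction of the three variables concrete, here is an added Python model of the blocking decision; it is example code written for this page, not the gateway's implementation. It assumes the origin to compare against `domains` has already been extracted from the request, that the bearer token's signature has already been verified by the gateway's own JWT handling (the parser below only decodes the payload), and that a claim "contains" a configured value when a string claim equals it or a list claim includes it. The JWT used as input is constructed and unsigned.

```python
import base64
import json
from typing import Dict, List, Optional

PREFIX = "spring.cloud.gateway.k8s.block.access."


def _csv(value: Optional[str]) -> List[str]:
    """Split a comma-separated environment value, ignoring blanks."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token (alg=none, empty signature) used only to feed
    jwt_claims below; a real gateway must reject unsigned tokens."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; signature checking is assumed to
    happen elsewhere in the gateway (assumption for this example)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class BlockAccessPolicy:
    """Blocking rules built from the SpringCloudGateway env variables."""

    def __init__(self, env: Dict[str, str]):
        self.enabled = env.get(PREFIX + "enabled", "false").lower() == "true"
        self.domains = set(_csv(env.get(PREFIX + "domains")))
        self.claim_values = set(_csv(env.get(PREFIX + "claimValues")))
        self.claim_names = set(_csv(env.get(PREFIX + "claimNames")))
        if self.claim_names and not self.claim_values:
            raise ValueError("claimNames must be used together with claimValues")

    def blocked_by_origin(self, origin: str) -> bool:
        """Exact match against the configured IP addresses or domains."""
        return origin in self.domains

    def blocked_by_claims(self, claims: dict) -> bool:
        """claimValues anywhere in the token, or, when claimNames is set,
        only inside the named claims."""
        if not self.claim_values:
            return False
        names = self.claim_names or set(claims)
        for name in names:
            value = claims.get(name)
            candidates = value if isinstance(value, list) else [value]
            if any(str(v) in self.claim_values for v in candidates if v is not None):
                return True
        return False

    def decide(self, origin: str, authorization: Optional[str]) -> bool:
        """True if the request must be blocked. Only the Authorization
        header is inspected; there is no cookie-session support."""
        if not self.enabled:
            return False
        if self.blocked_by_origin(origin):
            return True
        if authorization and authorization.startswith("Bearer "):
            return self.blocked_by_claims(jwt_claims(authorization[len("Bearer "):]))
        return False


# Constructed env, mirroring the third example above (sub restricted).
SUB_ONLY_ENV = {
    PREFIX + "enabled": "true",
    PREFIX + "claimNames": "sub",
    PREFIX + "claimValues": "write,cc_testuser",
}
# Constructed env, mirroring the first example (domain/IP blocking).
DOMAIN_ENV = {PREFIX + "enabled": "true", PREFIX + "domains": "192.168.0.1,test.com"}


if __name__ == "__main__":
    policy = BlockAccessPolicy(SUB_ONLY_ENV)
    token = make_unsigned_jwt({"sub": "alice", "scope": ["write"]})
    print("blocked:", policy.decide("10.0.0.5", "Bearer " + token))
```

The `SUB_ONLY_ENV` case is the one worth testing: with `claimNames=sub`, a token whose `scope` list contains `write` is not blocked, because only `sub` is inspected; dropping `claimNames` makes the same token blocked.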
Cors
Caution: The `Cors` filter from previous versions of Spring Cloud Gateway for Kubernetes has been deprecated in favor of the new `metadata.cors` section.

Previous versions of Spring Cloud Gateway supported a `Cors` filter configuration as shown in the example below:

```yaml
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
  name: my-gateway-routes
spec:
  routes:
    - uri: https://example
      predicates:
        - Path=/get/**
      filters:
        - Cors=[allowedOrigins:https://origin-1,allowedMethods:GET;POST;DELETE,allowedHeaders:*,maxAge:400,allowCredentials:true,allowedOriginPatterns:https://*.test.com:8080]
```

This format has now been deprecated, and can be converted to the equivalent configuration in the newly supported format, as shown in the example below:

```yaml
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
  name: my-gateway-routes
spec:
  routes:
    - uri: https://example
      predicates:
        - Path=/get/**
      metadata:
        cors:
          allowedOrigins: https://origin-1
          allowedMethods: [GET,POST,DELETE]
          allowedHeaders: '*'
          maxAge: 400
          allowCredentials: true
          allowedOriginPatterns: https://*.test.com:8080
```

See the Configuring per-route Cross-Origin Resource Sharing (CORS) behavior using metadata guide for further information.
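Migrating many route configs by hand invites typos in origin lists, which is exactly where an over-broad CORS policy slips in. The converter below is an added example for this page, not a tool shipped with the product; it parses the deprecated `Cors=[key:value,...]` string into the `metadata.cors` mapping using the rules visible in the two examples above (entries split on `,`, key and value split on the first `:` so URLs with ports survive, `;`-separated values become a list, `maxAge` becomes an integer and `allowCredentials` a boolean). Which keys may be multi-valued is an assumption drawn from the `allowedMethods` example.

```python
from typing import Dict, List, Union

# Assumption: these keys may carry several ';'-separated values in the
# legacy string; a single value stays a scalar, as in the page's example.
LIST_KEYS = {"allowedOrigins", "allowedMethods", "allowedHeaders",
             "exposedHeaders", "allowedOriginPatterns"}

CorsValue = Union[str, int, bool, List[str]]


def parse_legacy_cors(filter_spec: str) -> Dict[str, CorsValue]:
    """Turn 'Cors=[k:v,k:v,...]' into the mapping used under metadata.cors."""
    if not (filter_spec.startswith("Cors=[") and filter_spec.endswith("]")):
        raise ValueError("not a legacy Cors filter definition")
    body = filter_spec[len("Cors=["):-1]
    cors: Dict[str, CorsValue] = {}
    for item in body.split(","):
        if ":" not in item:
            raise ValueError(f"malformed Cors entry: {item!r}")
        key, value = item.split(":", 1)      # first colon only: URLs contain ':'
        key, value = key.strip(), value.strip()
        if key == "maxAge":
            cors[key] = int(value)
        elif key == "allowCredentials":
            cors[key] = value.lower() == "true"
        elif key in LIST_KEYS:
            parts = [p for p in value.split(";") if p]
            cors[key] = parts if len(parts) > 1 else parts[0]
        else:
            cors[key] = value                 # unknown option: passed through unchanged
    return cors


def convert_route(route: dict) -> dict:
    """Return a copy of a route with any legacy Cors filter moved into
    route['metadata']['cors']; other filters are kept in place."""
    filters = route.get("filters", [])
    legacy = [f for f in filters if f.startswith("Cors=")]
    kept = [f for f in filters if not f.startswith("Cors=")]
    converted = dict(route)
    if legacy:
        metadata = dict(converted.get("metadata", {}))
        metadata["cors"] = parse_legacy_cors(legacy[0])
        converted["metadata"] = metadata
    if kept:
        converted["filters"] = kept
    else:
        converted.pop("filters", None)
    return converted


# Constructed sample: the deprecated route from the page as a dict.
LEGACY_ROUTE = {
    "uri": "https://example",
    "predicates": ["Path=/get/**"],
    "filters": ["Cors=[allowedOrigins:https://origin-1,allowedMethods:GET;POST;DELETE,"
                "allowedHeaders:*,maxAge:400,allowCredentials:true,"
                "allowedOriginPatterns:https://*.test.com:8080]"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(convert_route(LEGACY_ROUTE), indent=2))
```

A review step worth keeping after conversion is to diff the produced `allowedOrigins` and `allowedOriginPatterns` against the intended list, since `allowCredentials: true` combined with a wildcard pattern widens what browsers will send cookies to.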