HashiCorp Developer AI Private beta now available Sign up today
Consul
Consul Home

You are viewing documentation for version v1.16.x. View latest version.

Delegate authorization to Apigee

This topic describes how to use the external authorization Envoy extension to delegate data plane authorization requests to Apigee.

For more detailed guidance, refer to the learn-consul-apigee-external-authz repo on GitHub.

Workflow

Complete the following steps to use the external authorization extension with Apigee:

  1. Deploy the Apigee Adapter for Envoy and register the service in Consul.
  2. Configure the EnvoyExtensions block in a service defaults or proxy defaults configuration entry.
  3. Apply the configuration entry.

Deploy the Apigee Adapter for Envoy

The Apigee Adapter for Envoy is an Apigee-managed API gateway that uses Envoy to proxy API traffic.

To download and install Apigee Adapter for Envoy, refer to the getting started documentation or follow along with the learn-consul-apigee-external-authz repo on GitHub.

After you deploy the service in your desired runtime, create a service defaults configuration entry for the service's gRPC protocol.

apigee-remote-service-envoy.hcl
Kind = "service-defaults"
Name = "apigee-remote-service-envoy"
Protocol = "grpc"

Configure the EnvoyExtensions

Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an EnvoyExtensions block in the configuration entry.

  • When you configure Envoy extensions on proxy defaults, they apply to every service.
  • When you configure Envoy extensions on service defaults, they apply to all instances of a service with that name.

Warning

Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.

Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.

The following example configures the default behavior for all services named api so that the Envoy proxies running as sidecars for those service instances target the apigee-remote-service-envoy service for gRPC authorization requests:

api-auth-service-defaults.hcl
Kind = "service-defaults"
Name = "api"
EnvoyExtensions = [
  {
    Name = "builtin/ext-authz"
    Arguments = {
      ProxyType = "connect-proxy"
      Config = {
        GrpcService = {
          Target = {
            Service = {
              Name = "apigee-remote-service-envoy"
            }
          }
        }
      }
    }
  }
]

Refer to the external authorization extension configuration reference for details on how to configure the extension.

Refer to the proxy defaults configuration entry reference and service defaults configuration entry reference for details on how to define the configuration entries.

Apply the configuration entry

On the CLI, you can use the consul config write command and specify the names of the configuration entries to apply them to Consul. For Kubernetes-orchestrated networks, use the kubectl apply command to update the relevant CRD.

$ consul config write apigee-remote-service-envoy.hcl
$ consul config write api-auth-service-defaults.hcl