Contact Us 1-800-596-4880

Secure an API with an Automated Resource-Level Policy

Publish an API running behind Flex Gateway in Local Mode, modifying YAML configuration data by the following method:

  • Linux and Docker: .yaml files

The following procedures demonstrate applying a simple resource-based YAML configuration for an API with multiple upstream services, all secured with an automated resource-level authentication policy.

Refer to Automated Policies and Resource-Level Policies for more information.

Automated policies can only be defined in resource-based configurations. The inline configuration model is not supported. For more information about the difference between resource-based and inline configuration models, see Declarative Configuration Reference Guide.

20%

25%

Publish an API Running Behind Flex Gateway on Linux

Publish an API Running Behind Flex Gateway in a Docker Container

Publish an API Running Behind Flex Gateway on Linux

Before You Begin

Before getting started, ensure that you have:

  • Flex Gateway installed and running in local mode. See Installing Flex Gateway for more information about installing and running the gateway.

  • Your upstream service URLs. The following example refers to fictional products-api and users-api services, but you can specify your own API name in metadata.name and your service details in spec.services.

Publish an API

  1. Create a configuration file with a .yaml file extension:

    1. Give the file a custom name.

    2. Save the file in the Flex Gateway configuration directory /etc/mulesoft/flex-gateway/conf.d/custom. This directory can contain multiple configuration files.

  2. Copy and paste the following two ApiInstance resources into the file, substituting your values where indicated:

    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: ApiInstance
    metadata:
      name: products-api
      labels:
        secured-by-automated-policy: yes
    spec:
      address: http://0.0.0.0:8080
      services:
        products:
          address: https://<your products URL>:<your port>/
          routes:
            - rules:
                - path: /products(/.*)
                - path: /products-featured(/.*)
              config:
                destinationPath: /api
    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: ApiInstance
    metadata:
      name: users-api
      labels:
        secured-by-automated-policy: yes
    spec:
      address: http://0.0.0.0:8081
      services:
        users:
          address: https://<your users URL>:<your port>/
          routes:
            - rules:
                - path: /api/users(/.*)
  3. Define an automated basic authentication policy by adding the following PolicyBinding resource after the ApiInstance resources:

    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: PolicyBinding
    metadata:
      name: security-protection
    spec:
      targetRef:
        kind: Selector
        selector:
          kind: ApiInstance
          labels:
            secured-by-automated-policy: yes
      policyRef:
        name: http-basic-authentication-flex
      config:
        username: chris
        password: admin

    Applying an automated policy to multiple API instances requires that you specify the Selector kind in your policy binding. The example PolicyBinding resource includes a spec.targetRef.kind value of Selector, and a spec.targetRef.selector.kind value of ApiInstance.

    The example resource also applies a basic authentication policy to two API instances. It defines a secured-by-automated-policy label (the label name is customizable) in spec.targetRef.selector.labels. This label matches the label defined in the ApiInstance metadata.labels property, which associates the automated policy with that resource.

    Alternatively, automated policies can be applied to all API instances by omitting the labels.

  4. Save the file. The gateway automatically refreshes the configuration.

  5. View the logs by executing the following command:

    journalctl -u flex-gateway-*

    The response looks something like this:

    [agent][info] Generating config
    [agent][info] Gateway default/21cf4286e38f: Adding ApiInstance default/products-api http://0.0.0.0:8080
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/security-protection
    [agent][info] Gateway default/21cf4286e38f: Adding Route: &{host: path:/api/products(/.*) methods: headerConditions:[] profile:0xc00004f750} => {Kind:Service Name:products-api-products Namespace:default}
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/envoy.filters.http.router
    [agent][info] Gateway default/21cf4286e38f: Adding ApiInstance default/users-api http://0.0.0.0:8081
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/security-protection
    [agent][info] Gateway default/21cf4286e38f: Adding Route: &{host: path:/api/users(/.*) methods: headerConditions:[] profile:0xc0061823f0} => {Kind:Service Name:users-api-users Namespace:default}
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/envoy.filters.http.router
    [agent][info] Gateway default/21cf4286e38f: Adding Service default/products-api-products https://<your products URL>:<your port>/
    [agent][debug] generating service products-api-products.default.svc hostname: https://<your products URL> port: <your port>
    [agent][info] Gateway default/21cf4286e38f: Adding Service default/users-api-users https://<your users URL>:<your port>/
    [agent][debug] generating service users-api-users.default.svc hostname: https://<your users URL> port: <your port>
    [agent][info] Writing envoy bootstrap configuration to /tmp/envoy.json
    [envoy][info] cds: add 2 cluster(s), remove 3 cluster(s)
    [envoy][info] cds: added/updated 0 cluster(s), skipped 2 unmodified cluster(s)
  6. Test the APIs with a tool such as curl, specifying the given authentication credentials. The automated authentication policy secures both APIs.

  7. Apply resource-level granularity to the automated authentication policy by substituting the PolicyBinding resource with the following:

    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: PolicyBinding
    metadata:
      name: security-protection
    spec:
      targetRef:
        kind: Selector
        selector:
          kind: ApiInstance
          labels:
            secured-by-automated-policy: yes
      policyRef:
        name: http-basic-authentication-flex
      config:
        username: chris
        password: admin
      rules:
       - methods: GET

    In this example, the automated authentication policy is applied only to the GET method resource, as specified in spec.rules.

  8. Save the file. The gateway automatically refreshes the configuration.

Two APIs secured with the an automated resource-level authentication policy are now running behind Flex Gateway.

Publish an API Running Behind Flex Gateway in a Docker Container

Before You Begin

Before getting started, ensure that you have:

  • Flex Gateway installed. See Install Flex Gateway for more information.

  • Flex Gateway registered and running in Local Mode. See Register and Run in Local Mode for more information.

  • Your upstream service URLs. The following example refers to fictional products-api and users-api services, but you can specify your own API name in metadata.name and your service details in spec.services.

Publish an API

  1. Open a terminal and navigate to the directory that will contain your Flex Gateway configuration files. This directory was specified when you started Flex Gateway.

  2. Create a configuration file with a .yaml file extension:

    1. Give the file a custom name.

    2. Save the file.

  3. Copy and paste the following two ApiInstance resources into the file, substituting your values where indicated:

    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: ApiInstance
    metadata:
      name: products-api
      labels:
        secured-by-automated-policy: yes
    spec:
      address: http://0.0.0.0:8080
      services:
        products:
          address: https://<your products URL>:<your port>/
          routes:
            - rules:
                - path: /products(/.*)
                - path: /products-featured(/.*)
              config:
                destinationPath: /api
    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: ApiInstance
    metadata:
      name: users-api
      labels:
        secured-by-automated-policy: yes
    spec:
      address: http://0.0.0.0:8081
      services:
        users:
          address: https://<your users URL>:<your port>/
          routes:
            - rules:
                - path: /api/users(/.*)
  4. Define an automated basic authentication policy by adding the following PolicyBinding resource after the ApiInstance resources:

    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: PolicyBinding
    metadata:
      name: security-protection
    spec:
      targetRef:
        kind: Selector
        selector:
          kind: ApiInstance
          labels:
            secured-by-automated-policy: yes
      policyRef:
        name: http-basic-authentication-flex
      config:
        username: chris
        password: admin

    Applying an automated policy to multiple API instances requires that you specify the Selector kind in your policy binding. The example PolicyBinding resource includes a spec.targetRef.kind value of Selector, and a spec.targetRef.selector.kind value of ApiInstance.

    The example resource also applies a basic authentication policy to two API instances. It defines a secured-by-automated-policy label (the label name is customizable) in spec.targetRef.selector.labels. This label matches the label defined in the ApiInstance metadata.labels property, which associates the automated policy with that resource.

    Alternatively, automated policies can be applied to all API instances by omitting the labels.

  5. Save the file. The gateway automatically refreshes the configuration.

  6. View the Docker container logs, which look something like this:

    [agent][info] Generating config
    [agent][info] Gateway default/21cf4286e38f: Adding ApiInstance default/products-api http://0.0.0.0:8080
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/security-protection
    [agent][info] Gateway default/21cf4286e38f: Adding Route: &{host: path:/api/products(/.*) methods: headerConditions:[] profile:0xc00004f750} => {Kind:Service Name:products-api-products Namespace:default}
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/envoy.filters.http.router
    [agent][info] Gateway default/21cf4286e38f: Adding ApiInstance default/users-api http://0.0.0.0:8081
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/security-protection
    [agent][info] Gateway default/21cf4286e38f: Adding Route: &{host: path:/api/users(/.*) methods: headerConditions:[] profile:0xc0061823f0} => {Kind:Service Name:users-api-users Namespace:default}
    [agent][info] Gateway default/21cf4286e38f: Adding Policy default/envoy.filters.http.router
    [agent][info] Gateway default/21cf4286e38f: Adding Service default/products-api-products https://<your products URL>:<your port>/
    [agent][debug] generating service products-api-products.default.svc hostname: https://<your products URL> port: <your port>
    [agent][info] Gateway default/21cf4286e38f: Adding Service default/users-api-users https://<your users URL>:<your port>/
    [agent][debug] generating service users-api-users.default.svc hostname: https://<your users URL> port: <your port>
    [agent][info] Writing envoy bootstrap configuration to /tmp/envoy.json
    [envoy][info] cds: add 2 cluster(s), remove 3 cluster(s)
    [envoy][info] cds: added/updated 0 cluster(s), skipped 2 unmodified cluster(s)
  7. Test the APIs with a tool such as curl, specifying the given authentication credentials. The automated authentication policy secures both APIs.

  8. Apply resource-level granularity to the automated authentication policy by substituting the PolicyBinding resource with the following:

    ---
    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: PolicyBinding
    metadata:
      name: security-protection
    spec:
      targetRef:
        kind: Selector
        selector:
          kind: ApiInstance
          labels:
            secured-by-automated-policy: yes
      policyRef:
        name: http-basic-authentication-flex
      config:
        username: chris
        password: admin
      rules:
       - methods: GET

    In this example, the automated authentication policy is applied only to the GET method resource, as specified in spec.rules.

  9. Save the file. The gateway automatically refreshes the configuration.

Two APIs secured with the an automated resource-level authentication policy are now running behind Flex Gateway.