Using the API Gateway Module to Expose Services

Objectives

After completing this lesson, you will be able to:
  • Describe the components of the API Gateway module
  • Use the API Gateway components to expose services

The API Gateway Module

Project "Kyma" extends the Kubernetes platform with modules that allow you to expose your Services and Functions outside the cluster. You can use the API Gateway module to make your Kubernetes Services accessible from outside of the Kyma cluster.

Istio and API Gateway are default Kyma modules, which means that they are added to your Kyma runtime once you provision it. If you want to create Functions and expose them using API Gateway, you must also add the Serverless module. To trigger exposed Services with events, add the Eventing module. To monitor exposed workloads, add the Telemetry module and use the observability features it provides.

Features of the API Gateway Module

Figure: Exposing a Service with the API Gateway module

The API Gateway is based on the open-source project Istio, which is installed by the Istio module. The next unit provides more information about Istio.

The API Gateway module installs a custom-configured Istio Ingress Gateway called kyma-gateway in the kyma-system namespace. The kyma-gateway is the central point of contact for all external traffic that enters the Kyma cluster. It uses the Envoy Proxy as an application-based service proxy to handle the traffic and forward it to the correct Service.

The module also uses Istio features for authorizing incoming HTTP requests. It provides an APIRule custom resource that you can use to securely expose your workloads. With an APIRule, you can:

  • Group multiple workloads and expose them under a single host.
  • Use a short host name to simplify the migration of resources to a new cluster.
  • Configure the noAuth access strategy, which offers a simple configuration to allow access to specific HTTP methods.
  • Secure your workloads by configuring jwt or extAuth access strategies. The jwt access strategy enables you to use Istio's JWT configuration to protect your exposed Services and interact with them using JSON Web Tokens. The extAuth access strategy allows you to implement custom authentication and authorization logic.

What Is the APIRule Custom Resource

To expose a Service using the API Gateway module, you must create a Kubernetes custom resource (CR) called APIRule (apirules.gateway.kyma-project.io). When you create an APIRule for a Service, API Gateway Controller creates an Istio VirtualService for you behind the kyma-gateway. The APIRule CR therefore gives you a higher-level abstraction that allows you to provision Services quickly and securely.

To define an APIRule, you must create a CR of the kind apirules.gateway.kyma-project.io. A simple APIRule manifest looks like this:

```yaml
apiVersion: gateway.kyma-project.io/v2
kind: APIRule
metadata:
  name: my-api-rule
spec:
  hosts:
    - my-api-rule.xxxxx.kyma.ondemand.com
  service:
    name: hello-kyma-svc
    port: 80
  gateway: kyma-system/kyma-gateway
  rules:
    - path: /*
      methods: ["GET"]
      noAuth: true
```

Let's have a closer look at the spec section of the APIRule CR:

  • gateway: The Istio Ingress Gateway to expose the Service. For development purposes, you can use a Kyma domain and the default Gateway kyma-system/kyma-gateway. In the production environment, use your custom domain to set up a TLS Gateway.
  • hosts: Specifies the host or subdomain of the host where the Service should be exposed. You can expose multiple Services behind the same host through Istio VirtualServices.
  • service: Specifies the Kubernetes Service to be exposed. The name is the name of the Kubernetes Service that you want to expose. The port is the port of the Kubernetes Service that you want to expose.
  • rules: Specifies the array of access rules. For each rule, the path field specifies the request's path that must be matched, and the methods array specifies the HTTP methods. APIRule allows you to define the security configuration of an exposed endpoint using the concept of access strategies. The supported access strategies are noAuth, jwt, and extAuth. Setting noAuth to true disables authorization. The jwt field specifies the Istio JWT access strategy, and the extAuth field specifies the Istio External Authorization access strategy.

For more information, see APIRule Custom Resource.
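
A defender-side check for the access strategies described above, as an added example that is not part of the original lesson or Kyma's own tooling: it reads APIRule objects in the JSON shape returned by `kubectl get apirules -A -o json` and reports every rule where noAuth is true, ranked by the HTTP methods it exposes, plus APIRules that still use the default development gateway. The sample objects, their names, the severity labels, and the set of methods treated as read-only are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get apirules -A -o json`,
# reduced to the spec fields this lesson describes. All names are made up;
# the body of the jwt rule is left empty because the lesson does not show it.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "my-api-rule", "namespace": "dev"},
   "spec": {"hosts": ["my-api-rule.xxxxx.kyma.ondemand.com"],
            "gateway": "kyma-system/kyma-gateway",
            "rules": [{"path": "/*", "methods": ["GET"], "noAuth": true}]}},
  {"metadata": {"name": "orders", "namespace": "prod"},
   "spec": {"hosts": ["orders.example.com"],
            "gateway": "prod/custom-tls-gateway",
            "rules": [{"path": "/health", "methods": ["GET"], "noAuth": true},
                      {"path": "/admin/*", "methods": ["POST", "DELETE"], "noAuth": true},
                      {"path": "/api/*", "methods": ["GET", "POST"], "jwt": {}}]}}
]}
""")

DEFAULT_GATEWAY = "kyma-system/kyma-gateway"   # development default per the lesson
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}      # assumption: treated as read-only
SEVERITY_ORDER = {"HIGH": 0, "LOW": 1, "INFO": 2}

def audit(apirules):
    """Return (severity, location, message) findings, most severe first."""
    findings = []
    for item in apirules.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ref = f"{meta.get('namespace')}/{meta.get('name')}"
        if spec.get("gateway") == DEFAULT_GATEWAY:
            findings.append(("INFO", ref, "uses the default development gateway"))
        for rule in spec.get("rules", []):
            if rule.get("noAuth") is not True:
                continue  # not a noAuth rule (jwt or extAuth is expected here)
            where = f"{ref} {rule.get('path')}"
            unsafe = sorted(set(rule.get("methods", [])) - SAFE_METHODS)
            if unsafe:
                findings.append(("HIGH", where, f"noAuth on state-changing methods {unsafe}"))
            else:
                findings.append(("LOW", where, "noAuth: unauthenticated read access"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

if __name__ == "__main__":
    for severity, where, message in audit(SAMPLE):
        print(f"{severity:4} {where}: {message}")
```
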

APIRule Custom Resource in Kyma Dashboard

Kyma dashboard provides a simple way to create APIRules to expose your workload. The creation of APIRules is integrated into the view of Functions and Services. However, you can also go to the APIRules view and create a new APIRule.

Figure: APIRules in Kyma dashboard

You can define the APIRule specification in a YAML file or use the form-based view in Kyma dashboard.

Figure: Create APIRules using Kyma dashboard

Summary

The API Gateway module enables the exposure of Services and Functions outside your Kyma runtime cluster. The module is based on the open-source project Istio and includes a custom-configured Istio Ingress Gateway called kyma-gateway, which handles external traffic entering the Kyma cluster. To expose a Service using the API Gateway module, you create an APIRule CR, which allows for grouping and securing workloads, for example, by using JSON Web Tokens or custom authentication.

Further Reading