User guide: Authentication with API keys
Issue API keys stored in Kubernetes
Secrets for clients to authenticate with your protected hosts.
Authorino features in this guide:
In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`.
API key `Secret`s must also include labels that match the `secretLabelSelector` field of the Authorino instance. See [Resource reconciliation and status update](../architecture.md#resource-reconciliation-and-status-update) for details.
For further details about Authorino features in general, check the [docs](./../features.md).
- Identity verification & authentication → API key
- Kubernetes server
Create a containerized Kubernetes server locally using Kind:
1. Install the Authorino Operator
2. Deploy the Talker API
The Talker API is just an echo API, included in the Authorino examples. We will use it in this guide as the service to be protected with Authorino.
3. Deploy Authorino
The command above will deploy Authorino as a separate service (as opposed to a sidecar of the protected API and other architectures), in
namespaced reconciliation mode, and with TLS termination disabled. For other variants and deployment options, check out the Getting Started section of the docs, the Architecture page, and the spec for the
Authorino CRD in the Authorino Operator repo.
4. Setup Envoy
The following bundle from the Authorino examples (manifest referred in the command below) is to apply Envoy configuration and deploy Envoy proxy, that wire up the Talker API behind the reverse-proxy and external authorization with the Authorino instance.
For details and instructions to setup Envoy manually, see Protect a service > Setup Envoy in the Getting Started page. For a simpler and straightforward way to manage an API, without having to manually install or configure Envoy and Authorino, check out Kuadrant.
The bundle also creates an
Ingress with host name
talker-api-authorino.127.0.0.1.nip.io, but if you are using a local Kubernetes cluster created with Kind, you need to forward requests on port 8000 to inside the cluster in order to actually reach the Envoy service:
5. Create the
6. Create an API key
7. Consume the API
With a valid API key:
With missing or invalid API key:
8. Delete an API key (revoke access to the API)
If you have started a Kubernetes cluster locally with Kind to try this user guide, delete it by running:
Otherwise, delete the resources created in each step:
kubectl delete authconfig/talker-api-protection kubectl delete authorino/authorino kubectl delete -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/envoy/envoy-notls-deploy.yaml kubectl delete -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
To uninstall the Authorino Operator and manifests (CRDs, RBAC, etc), run: