Kyma

Appearance

Expose a Workload with noAuth in SAP BTP, Kyma Runtime ​

Learn how to expose an unsecured instance of the HTTPBin Service using the noAuth access strategy and call its endpoints.

Context ​

The noAuth access strategy allows public access to your workload without any authentication or authorization checks. This is useful for:

  • Development and testing environments
  • Public APIs that don't require authentication
  • Services that implement their own authentication logic

WARNING

Exposing a workload without authentication is a potential security vulnerability. In production environments, always secure your workloads with proper authentication such as JWT.

To expose a workload without authentication, create an APIRule with noAuth: true configured for each path you want to expose publicly.

Prerequisites ​

  • You have Istio and API Gateway modules in your cluster. See Adding and Deleting a Kyma Module.

  • You have a deployed workload.

    NOTE

    To expose a workload using APIRule in version v2, the workload must be a part of the Istio service mesh. See Enable Istio Sidecar Proxy Injection.

  • To set up a custom Gateway, see Configure a TLS Gateway in SAP BTP, Kyma Runtime. Alternatively, you can use the default domain of your Kyma cluster and the default Gateway kyma-system/kyma-gateway.

    NOTE

    Because the default Kyma domain is a wildcard domain, which uses a simple TLS Gateway, it is recommended that you set up your custom domain for use in a production environment. For more information, see Getting Started with Istio Gateways.

    TIP

    To learn what the default domain of your Kyma cluster is, run kubectl get gateway -n kyma-system kyma-gateway -o jsonpath='{.spec.servers[0].hosts}'.

Procedure ​

NOTE

To expose a workload using APIRule in version v2, the workload must be part of the Istio service mesh. See Enable Istio Sidecar Proxy Injection.

Example ​

Choose one of the following methods to create an APIRule that exposes a sample HTTPBin Deployment. You can either follow the example using the Kyma dashboard or the one using kubectl.

Kyma Dashboard ​

  1. Go to Namespaces and create a namespace with enabled Istio sidecar proxy injection.

  2. Select + Upload YAML, paste the following cofiguration and upload it.

    yaml
    apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

  3. Go to Discovery and Network > API Rules and select Create.

  4. Provide the name of the APIRule CR.

  5. In the Service section, add the name httpbin and port 8000.

  6. Use the default Gateway kyma-system/kyma-gateway. Alternatively, you can replace these values and use your custom Gateway. See Introduction to Istio Gateways and Set Up a TLS Gateway.

  7. Add the host httpbin.${PARENT_DOMAIN}.

To learn what your default parent domain is, go to the Kyma Environment section of your subaccount overview, and copy the part of the APIServerURL link after https://api.. For example, if your APIServerURL link is https://api.c123abc.kyma.ondemand.com, use httpbin.c123abc.kyma.ondemand.com as the host. If you use a custom Gateway, add the host configured in the Gateway.

  1. Add a rule with the following configuration:

    • Path: /post
    • Handler: No Auth
    • Methods: POST

  2. Add one more rule with the following configuration:

    • Path: /{**}
    • Handler: No Auth
    • Methods: GET

  3. Choose Create.

  4. You can access your Service at https://${WORKLOAD_DOMAIN}. To test the connection, send GET and POST request to the exposed workload:

    bash
    curl -ik -X GET "https://${WORKLOAD_DOMAIN}/ip"
curl -ik -X POST "https://${WORKLOAD_DOMAIN}/post" -d "test data"

    If successful, the calls return the 200 OK response code.

Kubectl ​

  1. Create a namespace with enabled Istio sidecar proxy injection.

    bash
    NAMESPACE="test"
kubectl create ns "${NAMESPACE}"
kubectl label namespace "${NAMESPACE}" istio-injection=enabled --overwrite

  2. Get the default domain of your Kyma cluster.

    bash
    PARENT_DOMAIN=$(kubectl get configmap -n kube-system shoot-info -o jsonpath="{.data.domain}")
WORKLOAD_DOMAIN="httpbin.${PARENT_DOMAIN}"
GATEWAY="kyma-system/kyma-gateway"
echo "Parent domain: ${PARENT_DOMAIN}"
echo "Workload domain: ${WORKLOAD_DOMAIN}"
echo "Gateway namespace and name: ${GATEWAY}"

    This procedure uses the default domain of your Kyma cluster and the default Gateway. Alternatively, you can replace these values and use your custom domain and Gateway instead. See Introduction to Istio Gateways and Set Up a TLS Gateway.

  3. Deploy a sample instance of the HTTPBin Service.

    bash
    cat <<EOF | kubectl -n "${NAMESPACE}" apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
EOF

    To verify if an instance of the HTTPBin Service is successfully created, run:

    bash
    kubectl get pods -l app=httpbin -n "${NAMESPACE}"

    If successful, you get a result similar to this one:

    shell
    NAME                 READY    STATUS     RESTARTS    AGE
httpbin-{SUFFIX}     2/2      Running    0           96s

  4. Expose the workload with an APIRule using the noAuth access strategy.

    bash
    cat <<EOF | kubectl apply -n "${NAMESPACE}" -f -
apiVersion: gateway.kyma-project.io/v2
kind: APIRule
metadata:
  name: apirule-noauth
spec:
  hosts:
    - ${WORKLOAD_DOMAIN}
  service:
    name: httpbin
    namespace: ${NAMESPACE}
    port: 8000
  gateway: ${GATEWAY}
  rules:
    - path: /post
      methods: ["POST"]
      noAuth: true
    - path: /{**}
      methods: ["GET"]
      noAuth: true
EOF

    Check if the APIRule's status is ready:

    bash
    kubectl get apirules apirule-noauth -n "${NAMESPACE}"

  5. You can access your Service at https://${WORKLOAD_DOMAIN}. To test the connection, send GET and POST request to the exposed workload:

    bash
    curl -ik -X GET "https://${WORKLOAD_DOMAIN}/ip"
curl -ik -X POST "https://${WORKLOAD_DOMAIN}/post" -d "test data"

    If successful, the calls return the 200 OK response code.