airbag is a tiny sidecar for your docker containers, meant to handle jwt authentication and basic metrics collection for you.
- Deploy airbag next to your container (In kubernetes, you would usually put them in the same pod).
airbag's image can be found at https://hub.docker.com/r/soluto/airbag/ - Configure airbag's BACKEND_HOST_NAME (if airbag and your container are in the same pod, set this to localhost) and BACKEND_SERVICE_PORT (the port your service is listening on).
- Route traffic directed to your container to airbag.
airbag uses environment variables for configuration, and supports the following options:
- BACKEND_HOST_NAME - The name or ip of your service. Requests will be forwarded to this host once authenticated. Defaults to localhost.
- BACKEND_SERVICE_PORT - The port exposed by your service. Requests will be forwarded to this port on the host once authenticated. Defaults to 80.
- AUTHORITY - The jwt authentication authority to use for authentication and token validation.
- AUDIENCE - Only tokens for this audience will be accepted and considered valid.
- ISSUER - Only tokens from this issuer will be accepted and considered valid.
- UNAUTHENTICATED_ROUTES - Backend routes that shouldn't be authenticated (for example, a health-check endpoint). Seperate the routes with
,.
Example:/isAlive,/health,/something/anonymous
If a route contains a wildcard ( * ) then all matching routes will not be authenticated (for example -/swagger/*will cause all routes that start with/swagger/to be unauthenticated). - COLLECT_METRICS - Enable or disable metrics collection. Metrics are collected using AppMetrics.
Metrics will be available under
/airbag/metrics - AUTHORIZED_ROUTES_ENABLED - Enable or disable route white-listing.
To use multiple auth providers, provide these parmaters for every provider as a prefix:
- AUTHORITY_{{providerName}}
- AUDIENCE_{{providerName}}
- ISSUER_{{providerName}}
# Foo provider parameters
- AUTHORITY_FOO=http://foo_auth_server
- ISSUER_FOO=http://foo
- AUDIENCE_FOO=foo_api
# Bar provider parameters
- AUTHORITY_BAR=http://bar_auth_server
- ISSUER_BAR=http://bar
- AUDIENCE_BAR=bar_apiairbag support authorization of incoming request with Open Policy Agent(OPA). If enabled, airbag will query OPA for a decision on each incoming request, and based on OPA decision approve or deny the request. Approved requests will be passed to upstream, denied request will return to client with a 403 status code.
To use OPA, you need to configure the following environment variables:
- OPA_URL - The URL of the OPA server.
- OPA_QUERY_PATH - The path used for OPA query. This path should return a single boolean result.
- OPA_MODE - The mode of OPA authorization. Supports 3 values:
- Disabled - Do not query OPA at all. This is the default value.
- LogOnly - Query OPA, but only log result - do not perform authorization.
- Enabled - Query OPA and perform authorization.