I've set up a POC with the following components:
JHipster registry
JHipster API gateway
2 JHipster microservices
The communication works very well between these components.
Another requirement of my POC is to register a legacy web service (SOAP or REST, not developed with JHipster) in the JHipster gateway.
Is it possible?
I would want to use the API Gateway as a unique entry point for all the clients (external and internal) to access all the web services of my company.
Thank you.
Two important criteria are service discovery and security.
For service discovery, JHipster offers 2 options: JHipster Registry (Eureka) and HashiCorp Consul. Consul is better suited for legacy apps as it is less invasive because you can use DNS resolution and templates and a sidecar proxy approach.
For security, legacy apps should be able to consume authentication tokens to apply authorizations.
Related
I am new to AKS. I am planning to deploy microservices using an AKS cluster (Azure Kubernetes Service) on the Azure platform, and I want to secure it with solid authentication and authorization with Azure AD support. To do this I am looking for the best-suited API gateway which supports Kubernetes, i.e. AKS.
The API gateway should have the following features:
1. Authentication and Authorization support
2. Azure Active directory integration
3. SSL termination
4. KPI Metrics
5. Load Balancing
6. Request Tracing
7. Auto scaling
8. Pre/Post request processing
I have explored a couple of options like Ingress Controller, Ambassador.
Also we cannot use Azure API Management due to some restrictions from client.
Nothing supports all of those "in box". You can use Azure Application Gateway, but it won't do 1, 2, 6, 8 (not sure what you mean by 6 exactly). You can take a look at Istio, it has got lots of features. But for tracing you'd probably need to use something like Jaeger\Zipkin.
I think you might be able to use the OAuth feature of Zipkin to validate an OAuth token from Azure AD, but you might need to offload that piece to a service.
I have some questions regarding the creation of a microservice gateway and JHipster UAA.
When I generate the gateway, it connects with the JHipster Registry; does the JHipster UAA connect too when I generate it?
In other words: should both connect with the JHipster Registry?
The image of the architecture diagram found in this JHipster documentation creates the doubt: Using JHipster UAA for Microservice Security - Architecture diagram
Yes, all services including the gateway, UAA, and any microservices will connect to JHipster Registry. This allows the services to fetch the necessary information from the UAA to authenticate users and validate JWT tokens (passed via cookies).
I've just started working with Docker and I'm currently trying to work out how to set up a project using microservice architecture.
My goal is to move out different services from the api and instead have each one in their own container.
Current architecture
Desired architecture
Questions
How does the API gateway communicate with the internal services? Should all microservices have their own API which only accept communication from the API gateway? Any other means of communications?
What would be the ideal authentication between the gateway and the microservices? JWT token? Basic Auth?
Do you see any problems with this architecture if hosted in Azure?
Is integration testing even possible in the desired architecture? For example, I use EF SQLite in-memory for integration testing and it's easily accessible within the API, but I don't see this working if the database is located in its own container.
Anything important here that I've missed?
I had created an application that is completely a microservice-based architecture running on AWS ECS (Container Service). Each microservice is pushed to a container as a Docker image. There are 2 EC2 instances running to achieve high availability, and the same microservices are running on both instances, so if one instance goes down the other can take care of requests.
Each microservice uses its own database, and inter-microservice communication happens over HTTP using a client registry and discovery. Spring Cloud Consul and Netflix Eureka can be used for service discovery and registry.
Please find the diagram below:
Can the JHipster gateway work with non-Java, non-JHipster microservices? Say, by importing the swagger.json of the target microservice and by making those microservice instances register with jH registry and UAA?
Yes it should work as long as the microservice exposes its swagger spec at /v2/api-docs. The service should register with the JHipster registry probably using Spring Cloud Netflix Sidecar as explained by David Steiman in this article and David is also the man behind UAA for JHipster.
I have set up my JHipster UAA server, gateways and other microservices, and I want to use the #AuthorizedFeignClient annotation for inter-service communication, as explained here: https://jhipster.github.io/using-uaa/
But I cannot find it in the generated Java source (JHipster release 3.11.0).
Do I have to manually copy into my project these 2 classes, found only in the JHipster generator on GitHub for the moment (because it is still in beta?):
.../client/_AuthorizedFeignClient.java
and
.../client/_OAuth2InterceptedFeignConfiguration.java
Thanks,
Francois
Currently the #AuthorizedFeignClient annotation is only available for microservice applications using UAA as authentication type, but not for gateways and the UAA server itself!
I guess you were looking for the annotation in the gateway, or the UAA server.
Why is this like this? For the gateway it is because the gateway already has a couple of responsibilities, so building composite logic in there is not a good idea.
If you generate a microservice (not gateway, not UAA server), you should have the client package in your Java root with this annotation, as well as some more configurations (Feign client config, load-balanced resource details...)
You can copy those to your gateway, to make it work there.
You can copy them to the UAA, too. More on that, this even will work, but with some weird fact...when UAA will ask service "foo" for some data, it will first ask the UAA for a client credentials authentication....like performing a query to itself...while it could just access grant it itself. There is no accurate way to do it, but I didn't want to keep it in this uncool way in JHipster, so the annotation is for microservice only.