1.) How to configure Zuul to redirect the request to another Zuul instances in the other cloud region when there is a service cluster failover?.
2.) How to configure Zuul to accept https request & forward request as https to the service cluster.
3.) Is there a document that explains what are the different configuration options that can used to configure the Zuul server using yml.
Related
I have a Spring based application, which uses keycloak-spring-security-adapter to handle the Keycloak specific stuff. This server is deployed on same machine as the Keycloak server, and both of them are running behind Nginx reverse proxy.
The Spring app has in its keycloak.json configuration the correct proxy-url. The Keycloak server has the the frontendUrl set to the correct proxy-url. When testing on localhost without the reverse proxy everything works as expected.
The issue is when deployed with the reverse-proxy in front. The Spring application runs the OIDC service discovery during startup. But to do this, is uses the public URL. This fails, because the on the backend side, the reverse proxy is not in DNS record.
How to setup the keycloak-spring-security-adapter in such a way, that for the backend requests it uses local URL. But for the logins that are done through the JSP pages in the browser, it uses the proxied URL?
I have the following setup (everything as docker containers):
Two web services running on HTTPS mode (self-signed certificate).
The web services are registered in consul.
Web service 1 calls web service 2 using feign client.
web service 2 is named authentication-service.
The docker containers cacerts were updated to include the self-signed certificate, however, the certificate does not have the IP address because they are dynamically generated by docker.
#FeignClient(name = "authentication-service")
public interface AuthenticationClient extends AuthenticationApi {
}
When web service 1 calls web service 2 Ribbon internally is using docker's IP address. (the problem)
Moreover, It is not clear to me why feign is using HTTP protocol instead of HTTPS.
feign.RetryableException: No subject alternative names matching IP address 172.20.0.10 found executing POST http://authentication-service/api/auth/authenticate
What am I missing?
How should I overcome this situation?
Thank you in advance.
Following services are running
Eureka server
ZUUL gateway (api-gateway)
User service (user-service)
Plan service (plan-service)
User service will communicate to Plan service via ZUUL using "OpenFeign" for invocation.
"User service" has the the following "PlanService" open feign client
#FeignClient(name = "api-gateway")
#RibbonClient(name = "plan-service")
public interface PlanServiceFeign {
#GetMapping("/plan-service/plandetails/{userId}")
PlanDetails getPlanDetails(#PathVariable("userId") String userId);
}
In the logs following URL is getting fired to API gateway, but zuul is not navigating to the "plan-service" micro setvice
GET http://api-gateway/plan-service/plandetails/12345
Am I missing any other configuration for setting up ZUUL between micro services communication
There is a configuration, you should configure in an application.properties file or application.yaml file.
If you used an application.yaml file please configure like this.
zuul:
routes:
plan:
path: /plandetails/**
serviceId: plan-service
If you used an application.properties file Please configure like this.
zuul.routes.plan-service.path = /plandetails/**
Fixed by adding routing settings to the application.properties
zuul.routes.<service-registry-name>.path=/<service-mapping>/*
I want to deploy a few Spring Boot microservices on Kubernetes cluster. One of them is authorization server serving OAuth 2.0 tokens. With current deployment (no k8s) only two services are visible to the outer world: api-gateway (Zuul) and authorization-server (Spring OAuth). The rest is hidden behind the api-gateway. During k8s deployment Zuul proxy probably will be substituted by Kubernetes Ingress.
Now the questions:
Should I put authorization-server behind the Ingress or not?
What are pros and cons concerning these two solutions?
What are best practices?
Maybe I shouldn't get rid of Zuul at all?
Getting rid of Zuul is perfectly reasonable. Ingress should be the only outer-cluster accessible component that provides access to the cluster through ingress rules.
So yes, authorization-server and microservices should be accessible through ingress.
The main issue is the compatibility of the registry.
If not, how to deal with gateway issues?
Depends what you mean. You can use Zuul or Spring Cloud Gateway as your gateway solution in front of a Micronaut application.
Ultimately a Micronaut application will register itself with Eureka or Consul and then Zuul or SCG will discovery the service via service discovery and route requests to the Micronaut app over HTTP.