Thomas Vitale Devoxx UK May 12th, 2021 Spring Cloud Gateway Resilience, Security, and Observability @vitalethomas

Systematic • Software Architect at Systematic, Denmark. • Author of “Cloud Native Spring in Action” (Manning). • Spring Security and Spring Cloud contributor. Thomas Vitale thomasvitale.com @vitalethomas

API Gateway thomasvitale.com @vitalethomas

Scenarios Di ff erent clients need di ff erent APIs Cross-cutting concerns in distributed systems Uni fi ed interface for microservices Strangling the monolith thomasvitale.com @vitalethomas

$FFRXQW6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJPHPEHUV DFFRXQWV /RDQ6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNORDQV /LEUDU\ >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $PHPEHURIWKH/LEUDU\ 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@

Reactive Spring thomasvitale.com @vitalethomas

Thread-per-request thomasvitale.com @vitalethomas 7KUHDG3RRO ,QWHQVLYH 2SHUDWLRQ 7KUHDG 7KUHDG 7KUHDG 5HTXHVW 5HTXHVW 5HTXHVW %ORFNLQJ ZDLWIRUUHVXOW 2QHWKUHDG SHUUHTXHVW

Event Loop thomasvitale.com @vitalethomas ,QWHQVLYH 2SHUDWLRQ 1RQ%ORFNLQJ QRQZDLWLQJIRUUHVXOW -XVWDIHZWKUHDGV SURFHVVLQJPXOWLSOH UHTXHVWV (YHQW/RRS (YHQW4XHXH 5HTXHVW5HVSRQVH VFKHGXOH HYHQW UHJLVWHU FDOOEDFN RSHUDWLRQ FRPSOHWH WULJJHU FDOOEDFN

thomasvitale.com @vitalethomas

Routing thomasvitale.com @vitalethomas

The Architecture thomasvitale.com @vitalethomas

Observability thomasvitale.com @vitalethomas

grafana.com

No content

Monitoring and management thomasvitale.com @vitalethomas Operating applications in production Spring Boot Actuator ‣Health (liveness and readiness) ‣Metrics (Prometheus, OpenMetrics) ‣Flyway, Thread Dumps, Heap Dumps Spring Cloud Sleuth (Micrometer Tracing) ‣Distributed tracing ‣Instrumentation ‣OpenZipkin and OpenTelemetry

Resilience thomasvitale.com @vitalethomas

Retry thomasvitale.com @vitalethomas

Retry thomasvitale.com @vitalethomas %RRN5RXWH 5HWU\ %RRN&RQWUROOHU (GJH6HUYLFH %RRN6HUYLFH W W W 6HQG+773UHTXHVW 5HFHLYH+773HUURU 5HWU\+773UHTXHVW 5HFHLYH+773HUURU 5HWU\+773UHTXHVW 5HFHLYHVXFFHVVIXOO+773UHVSRQVHDIWHUVHFRQGUHWU\DWWHPSW

Request Rate Limiter thomasvitale.com @vitalethomas

Rate Limiter thomasvitale.com @vitalethomas https://stripe.com/blog/rate-limiters

Circuit Breaker thomasvitale.com @vitalethomas

Circuit Breaker thomasvitale.com @vitalethomas &/26(' +$/)B23(1 23(1 7ULSEUHDNHUZKHQ IDLOXUHUDWHDERYH WKUHVKROG $WWHPSWUHVHWDIWHU ZDLWGXUDWLRQ 7ULSEUHDNHUDIWHU IDLOXUHUDWHDERYH WKUHVKROG 5HVHWEUHDNHUZKHQ IDLOXUHUDWHEHORZ WKUHVKROG

Time Limiter thomasvitale.com @vitalethomas

Time Limiter and Fallback thomasvitale.com @vitalethomas %RRN5RXWH 7LPH/LPLWHU )DOOEDFN 7LPH/LPLWHU %RRN&RQWUROOHU (GJH6HUYLFH %RRN6HUYLFH W W W W 6HQG+773UHTXHVW D5HFHLYHVXFFHVVIXOO+773UHVSRQVHZLWKLQWKHWLPHOLPLW E7KURZH[FHSWLRQZKHQWLPHRXWH[SLUHVDQGQRIDOOEDFNGHILQHG F5HWXUQIDOOEDFNZKHQGHILQHGDQGWLPHRXWH[SLUHV

User Authentication thomasvitale.com @vitalethomas

,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ $XWK6HUYLFH 'HOHJDWHVDXWKHQWLFDWLRQWR Strategy ? Protocol? Data Format?

Login thomasvitale.com @vitalethomas /LEUDU\ >6RIWZDUH6\VWHP@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $PHPEHURIWKHOLEUDU\ 8VHV 2$XWK&OLHQW 2$XWK8VHU .H\FORDN >&RQWDLQHU:LOG)O\@ 3URYLGHVLGHQWLW\DQGDFFHVV PDQDJHPHQW 2$XWK$XWKRUL]DWLRQ6HUYHU 8VHV 'HOHJDWHVDXWKHQWLFDWLRQDQG WRNHQPDQDJHPHQWWR OAuth2 + OIDC

OpenID Connect A protocol built on top of OAuth2 that enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server). thomasvitale.com @vitalethomas

.H\FORDN >&RQWDLQHU:LOGIO\@ 3URYLGHVLGHQWLW\DQG DFFHVVPDQDJHPHQW ,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ 'HOHJDWHVDXWKHQWLFDWLRQWR 2$XWK&OLHQW 2$XWK$XWKRUL]DWLRQ6HUYHU 8VHV { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } ID Token ID Token

.H\FORDN >&RQWDLQHU:LOGIO\@ 3URYLGHVLGHQWLW\DQG DFFHVVPDQDJHPHQW ,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ 'HOHJDWHVDXWKHQWLFDWLRQWR 2$XWK&OLHQW 2$XWK$XWKRUL]DWLRQ6HUYHU 8VHV Security context propagation ? Authorized access?

OAuth2 An authorization framework that enables an application (Client) to obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user. thomasvitale.com @vitalethomas

.H\FORDN >&RQWDLQHU:LOGIO\@ 3URYLGHVLGHQWLW\DQG DFFHVVPDQDJHPHQW ,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ 'HOHJDWHVDXWKHQWLFDWLRQWR 2$XWK&OLHQW 2$XWK$XWKRUL]DWLRQ6HUYHU 8VHV 2$XWK5HVRXUFH6HUYHU 2$XWK5HVRXUFH6HUYHU 2$XWK5HVRXUFH6HUYHU { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } Access Token Access Token

Token Relay thomasvitale.com @vitalethomas %URZVHU (GJH6HUYLFH %RRN 6HUYLFH $FFHVV7RNHQ 6HVVLRQ&RRNLH 5HVRXUFH 6HUYHU $FFHVV7RNHQ 5HVRXUFH 6HUYHU $FFHVV7RNHQ .HHSVPDSSLQJ 6HVVLRQ!$FFHVV7RNHQ OAuth2

Resources Source code • Sample project: • https://github.com/ThomasVitale/devoxx-uk-2022-spring-cloud- gateway • Spring Cloud Gateway: • https://spring.io/projects/spring-cloud-gateway • Spring Security, OAuth2, OpenID Connect: • https://www.youtube.com/watch?v=g7Dwv1BKnkg

Thomas Vitale Devoxx UK May 12th, 2021 Spring Cloud Gateway Resilience, Security, and Observability @vitalethomas