Cortex Gateway: a microservice which strives to help you administer and operate your Cortex cluster in multi-tenant environments

Cortex Gateway

Cortex Gateway is a microservice which strives to help you administer and operate your Cortex cluster in multi-tenant environments.

Features

  • Authentication of Prometheus & Grafana instances with JSON Web Tokens
  • Prometheus & Jaeger instrumentation, compatible with the rest of the Cortex microservices

Authentication Feature

If you run Cortex for multiple tenants, you need to identify your tenants every time they send or query metrics. This ensures that metrics are ingested and queried separately for each tenant. For this purpose the Cortex microservices require you to pass a header called X-Scope-OrgID. Unfortunately the Prometheus remote write API has no config option to send headers, and for Grafana you must provision a datasource to do so. Therefore the Cortex k8s manifests suggest deploying an NGINX server inside each tenant which acts as a reverse proxy. Its sole purpose is proxying the traffic and setting the X-Scope-OrgID header for your tenant.

We try to solve this problem by adding a Gateway which can be considered the entry point for all requests towards Cortex (see Architecture). Prometheus and Grafana can both send a self-contained JSON Web Token (JWT) along with each request. This JWT carries a claim which is the tenant's identifier. Once this JWT is validated, we set the required X-Scope-OrgID header and pipe the traffic to the upstream Cortex microservices (distributor / query frontend).

Architecture

Cortex Gateway Architecture

Configuration

| Flag | Description | Default |
| --- | --- | --- |
| -gateway.distributor.address | Upstream HTTP URL for Cortex Distributor | (empty string) |
| -gateway.query-frontend.address | Upstream HTTP URL for Cortex Query Frontend | (empty string) |
| -gateway.auth.jwt-secret | HMAC secret to sign JSON Web Tokens | (empty string) |

Expected JWT payload

The expected Bearer token payload can be found here: https://github.com/rewe-digital/cortex-gateway/blob/b74de65d10a93e1ec0d223e92c08d16d59bbf3c4/gateway/tenant.go#L7-L11

  • "tenant_id"
  • "aud"
  • "version" (must be an integer)

The audience and version claims are currently unused, but might be used in the future (e.g. to invalidate tokens).
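The validation flow described under Authentication Feature, together with the payload fields listed above, sketched as an added example (not the project's own code): it verifies an HS256 signature using only the standard library, reads tenant_id, and overwrites X-Scope-OrgID before handing the request on. The function names, the listen address, the secret and the stand-in upstream handler are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
)

// sign returns the base64url HMAC-SHA256 (HS256) signature of msg.
func sign(msg string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// tenantFromToken returns the tenant_id of a validly signed token, else "".
func tenantFromToken(token string, secret []byte) string {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(p[0]+"."+p[1], secret))) {
		return "" // the MAC is always HS256; the token's own "alg" header is never consulted
	}
	var c struct {
		TenantID string `json:"tenant_id"`
		Audience string `json:"aud"`
		Version  int    `json:"version"` // a non-integer version fails decoding
	}
	if body, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return ""
	}
	return c.TenantID
}

// Authenticate rejects bad tokens and sets X-Scope-OrgID from the verified claim.
func Authenticate(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tenant := tenantFromToken(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), secret)
		if tenant == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-Scope-OrgID", tenant) // discards any client-sent value
		next.ServeHTTP(w, r)
	})
}

// Constructed wiring: demo secret, loopback listener, stand-in upstream.
func main() { http.ListenAndServe("127.0.0.1:8080", Authenticate([]byte("constructed-secret"), http.NotFoundHandler())) }
```

Because the header is set from the verified claim, a client that sends its own X-Scope-OrgID value cannot select another tenant.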

Forked from: https://github.com/rewe-digital/cortex-gateway

Comments
  • Update the End-to-End environment

      • Run Cortex as part of the stack
      • Migrate from Prometheus to Grafana Agent to collect and push metrics to Cortex Gateway
      • Set up Grafana to support OAuth authentication and add a new Datasource with OAuth passthrough enabled

    High level instructions

  • Add JWKS support and the other Digital Signatures alg

    Add support for tokens signed with RSA, ECDSA, EdDSA, ... algorithms. Use JWKS to download and find the public certificate. This is to allow Prometheus remote write using OAuth2 (https://prometheus.io/docs/prometheus/latest/configuration/configuration/#oauth2)

  • Allow tenant name to disable jwt auth

    At this point, the gateway only supports jwt auth. This PR allows the user to specify a tenant name which allows the gateway to run without jwt auth. The tenant name specified is directly added to the X-Scope-OrgID header to determine the cortex tenant.

  • Support ID tokens in additional HTTP Headers

    Add a new flag to allow searching and parsing ID tokens in additional HTTP Headers. This is to support passing the OAuth ID Token in Grafana Prometheus Datasource. Grafana passes the ID token in the X-Id-Token header. The Authorization header is used for Access token in that case.
