Multi-tenant mode on Kubernetes
Supporting multiple tenants on Kubernetes deployment
When deployed on Kubernetes, Authgear supports hosting multiple apps as tenants. In multi- tenant mode, configuration of individual apps are stored in Kubernetes as ConfigMap/Secret, which Authgear would retrieve them at runtime.

Deployment

Deploying Authgear in multi-tenant mode is mostly same as deploying normally. Additional configuration is needed to allow Authgear to operate in multi-tenant mode.

Authgear namespace

The app configurations are stored in ConfigMap/Secret in a namespace; create the namespace and set its name in environment varaible KUBE_NAMESPACE of Authgear pod.

Configuration source

Authgear should be configured to use Kubernetes as configuration source; set environment variable CONFIG_SOURCE_TYPE to kubernetes.
A Kubernetes service account credentials should be available to the Authgear pod, for interacting with Kubernetes resources. It should have permission to get/watch the ConfigMap/Secret resources in the specified Authgear namespace.

Kubernetes resources

In multi-tenant mode, Authgear would use resources in Kubernetes to serve apps. Authgear would watch the resources and reload automatically when changed. There are two kind of resources to configure: Host mapping and App configuration.

Host mapping

Host mapping is a mapping from HTTP hosts to Authgear app IDs. It is stored as a ConfigMap in Authgear namespace in Kubernetes. It should be marked with label authgear.com/host-mapping: true.
The ConfigMap contains single entry hosts.json, which content is a JSON object containing the mapping.
Multiple hosts can map to the same app ID, in case of having separate hosts for main server and admin API server.
NOTE: TRUST_PROXY environment variable may needed to be set to true, if there is a reverse proxy in front of the Authgear pod.
Sample resource:
1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
name: app-hosts
5
labels:
6
authgear.com/host-mapping: "true"
7
data:
8
hosts.json: |
9
{
10
"localhost:3000": "app-1",
11
"example.com": "app-2",
12
"admin.example.com": "app-2"
13
}
Copied!

App configuration

App configuration is logically stored in a directory, the directory should contains authgear.yaml and authgear.secrets.yaml configuration files.
In Kubernetes, the app configuration is stored in a ConfigMap and a Secret. The data key is the relative path, and the data value is the file content. These resources should be marked with label authgear.com/config-app-id: <app ID>.
At runtime, the ConfigMap and Secret would be combined into a virtual directory, and app configuration files would be resolved from it.
NOTE: App ID is stored in database along with app data, so it should not be changed after first use.
NOTE: App ID in host mapping should be same as the app ID in configuration.
Sample resources:
1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
name: app-config-app-2
5
labels:
6
authgear.com/config-app-id: "app-2"
7
data:
8
authgear.yaml: |
9
id: my-app
10
http:
11
public_origin: http://example.com
12
---
13
apiVersion: v1
14
kind: Secret
15
metadata:
16
name: app-config-app-2
17
labels:
18
authgear.com/config-app-id: "app-2"
19
stringData:
20
authgear.secrets.yaml: |
21
secrets:
22
- key: db
23
data:
24
database_schema: app
25
database_url: postgres://postgres:[email protected]:5432/postgres?sslmode=disable
26
- key: redis
27
data:
28
redis_url: redis://localhost
Copied!
Last modified 1yr ago