diff --git a/doc/SERVING_AUTH_DOCKER.md b/doc/SERVING_AUTH_DOCKER.md
new file mode 100644
index 0000000000000000000000000000000000000000..2ef2bbb8ab9341e7c3aca55dc63b3f7bd80b54ca
--- /dev/null
+++ b/doc/SERVING_AUTH_DOCKER.md
@@ -0,0 +1,199 @@
+# 在Paddle Serving使用安全网关
+
+## 简介
+
+在之前的服务部署示例中,我们都从开发的角度切入,然而,在现实的生产环境中,仅仅提供一个能够预测的远端服务接口还远远不够。我们仍然要考虑以下不足。
+
+- 这个服务还不能以网关的形式提供,访问路径难以管理。
+- 这个服务接口不够安全,需要做相应的鉴权。
+- 这个服务接口不能够控制流量,无法合理利用资源。
+
+本文档的作用,就以 Uci 房价预测服务为例,来介绍如何强化预测服务API接口安全。API网关作为流量入口,对接口进行统一管理。但API网关可以提供流量加密和鉴权等安全功能。
+
+## Docker部署
+
+可以使用docker-compose来部署安全网关。这个示例的步骤就是 [部署本地Serving容器] - [部署本地安全网关] - [通过安全网关访问Serving]
+
+**注明:** docker-compose与docker不一样,它依赖于docker,一次可以部署多个docker容器,可以类比于本地版的kubenetes,docker-compose的教程请参考[docker-compose安装](https://docs.docker.com/compose/install/)
+
+```shell
+docker-compose -f tools/auth/auth-serving-docker.yaml up -d
+```
+
+可以通过 `docker ps` 来查看启动的容器。
+
+```shell
+3035cf445029 pantsel/konga:next "/app/start.sh" About an hour ago Up About an hour 0.0.0.0:8005->1337/tcp anquan_konga_1
+7ce3abee550c registry.baidubce.com/serving_gateway/kong:paddle "/docker-entrypoint.…" About an hour ago Up About an hour (healthy) 0.0.0.0:8000->8000/tcp, 127.0.0.1:8001->8001/tcp, 0.0.0.0:8443->8443/tcp, 127.0.0.1:8444->8444/tcp anquan_kong_1
+25810fd79a27 postgres:9.6 "docker-entrypoint.s…" About an hour ago Up About an hour (healthy) 5432/tcp anquan_db_1
+ee59a3dd4806 registry.baidubce.com/serving_dev/serving-runtime:cpu-py36 "bash -c ' wget --no…" About an hour ago Up About an hour 0.0.0.0:9393->9393/tcp anquan_serving_1
+665fd8a34e15 redis:latest "docker-entrypoint.s…" About an hour ago Up About an hour 0.0.0.0:6379->6379/tcp anquan_redis_1
+```
+
+其中我们之前serving容器 以 9393端口暴露,KONG网关的端口是8443, KONG的Web控制台的端口是8001。接下来我们在浏览器访问 `https://$IP_ADDR:8001`, 其中 IP_ADDR就是宿主机的IP。
+
+
+可以看到在注册结束后,登陆,看到了 DASHBOARD,我们先看SERVICES,可以看到`serving_service`,这意味着我们端口在9393的Serving服务已经在KONG当中被注册。
+
+
+
+
+然后在ROUTES中,我们可以看到 serving 被链接到了 `/serving-uci`。
+
+最后我们点击 CONSUMERS - default_user - Credentials - API KEYS ,我们可以看到 `Api Keys` 下看到很多key
+
+
+
+接下来可以通过curl访问
+
+```shell
+ curl -H "Content-Type:application/json" -H "X-INSTANCE-ID:kong_ins" -H "apikey:hP6v25BQVS5CcS1nqKpxdrFkUxze9JWD" -X POST -d '{"feed":[{"x": [0.0137, -0.1136, 0.2553, -0.0692, 0.0582, -0.0727, -0.1583, -0.0584, 0.6283, 0.4919, 0.1856, 0.0795, -0.0332]}], "fetch":["price"]}' https://127.0.0.1:8443/serving-uci/uci/prediction -k
+```
+
+与之前的Serving HTTP服务相比,有以下区别。
+
+- 使用https加密访问,而不是http
+- 使用serving_uci的路径映射到网关
+- 在header处增加了 `X-INSTANCE-ID`和`apikey`
+
+
+## K8S部署
+
+同样,我们也提供了K8S集群部署Serving安全网关的方式。
+
+### Step 1:启动Serving服务
+
+我们仍然以 [Uci房价预测](../python/examples/fit_a_line)服务作为例子,这里省略了镜像制作的过程,详情可以参考 [在Kubernetes集群上部署Paddle Serving](./PADDLE_SERVING_ON_KUBERNETES.md)。
+
+在这里我们直接执行
+```
+kubectl apply -f tools/auth/serving-demo-k8s.yaml
+```
+
+可以看到
+
+### Step 2: 安装 KONG (一个集群只需要执行一次就可以)
+接下来我们执行KONG Ingress的安装
+```
+kubectl apply -f tools/auth/kong-install.yaml
+```
+
+输出是
+```
+namespace/kong created
+customresourcedefinition.apiextensions.k8s.io/kongclusterplugins.configuration.konghq.com created
+customresourcedefinition.apiextensions.k8s.io/kongconsumers.configuration.konghq.com created
+customresourcedefinition.apiextensions.k8s.io/kongingresses.configuration.konghq.com created
+customresourcedefinition.apiextensions.k8s.io/kongplugins.configuration.konghq.com created
+customresourcedefinition.apiextensions.k8s.io/tcpingresses.configuration.konghq.com created
+serviceaccount/kong-serviceaccount created
+clusterrole.rbac.authorization.k8s.io/kong-ingress-clusterrole created
+clusterrolebinding.rbac.authorization.k8s.io/kong-ingress-clusterrole-nisa-binding created
+service/kong-proxy created
+service/kong-validation-webhook created
+deployment.apps/ingress-kong created
+```
+我们可以输入
+```
+kubectl get service --all-namespaces
+```
+会显示
+```
+NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+default uci ClusterIP 172.16.87.89 9393/TCP 7d7h
+kong kong-proxy NodePort 172.16.23.91 80:8175/TCP,443:8521/TCP 102m
+kong kong-validation-webhook ClusterIP 172.16.114.93 443/TCP 102m
+
+```
+
+### Step 3: 创建Ingress资源
+
+接下来需要做Serving服务和KONG的链接
+
+```
+kubectl apply -f tools/auth/kong-ingress-k8s.yaml
+```
+
+我们也给出yaml文件内容
+```
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: demo
+ annotations:
+ konghq.com/strip-path: "true"
+ kubernetes.io/ingress.class: kong
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /foo
+ backend:
+ serviceName: {{SERVING_SERVICE_NAME}}
+ servicePort: {{SERVICE_PORT}}
+```
+其中serviceName就是uci,servicePort就是9393,如果是别的服务就需要改这两个字段,最终会映射到`/foo`下。
+在这一步之后,我们就可以
+```
+curl -H "Content-Type:application/json" -X POST -d '{"feed":[{"x": [0.0137, -0.1136, 0.2553, -0.0692, 0.0582, -0.0727, -0.1583, -0.0584, 0.6283, 0.4919, 0.1856, 0.0795, -0.0332]}], "fetch":["price"]}' http://$IP:$PORT/foo/uci/prediction
+```
+
+### Step 4: 增加安全网关限制
+
+之前的接口没有鉴权功能,无法验证用户身份合法性,现在我们添加一个key-auth插件
+
+执行
+```
+kubectl apply -f key-auth-k8s.yaml
+```
+
+其中,yaml文内容为
+```
+apiVersion: configuration.konghq.com/v1
+kind: KongPlugin
+metadata:
+ name: key-auth
+plugin: key-auth
+```
+
+现在,需要创建secret,key值为用户指定,需要在请求时携带Header中apikey字段
+执行
+```
+kubectl create secret generic default-apikey \
+ --from-literal=kongCredType=key-auth \
+ --from-literal=key=ZGVmYXVsdC1hcGlrZXkK
+```
+
+在这里,我们的key是随意制定了一串 `ZGVmYXVsdC1hcGlrZXkK`,实际情况也可以
+创建一个用户(consumer)标识访问者身份,并未该用户绑定apikey。
+执行
+```
+kubectl apply -f kong-consumer-k8s.yaml
+```
+
+其中,yaml文内容为
+```
+apiVersion: configuration.konghq.com/v1
+kind: KongConsumer
+metadata:
+ name: default
+ annotations:
+ kubernetes.io/ingress.class: kong
+username: default
+credentials:
+- default-apikey
+```
+
+如果我们这时还想再像上一步一样的做curl访问,会发现已经无法访问,此时已经具备了安全能力,我们需要对应的key。
+
+
+### Step 5: 通过API Key访问服务
+
+执行
+```
+curl -H "Content-Type:application/json" -H "apikey:ZGVmYXVsdC1hcGlrZXkK" -X POST -d '{"feed":[{"x": [0.0137, -0.1136, 0.2553, -0.0692, 0.0582, -0.0727, -0.1583, -0.0584, 0.6283, 0.4919, 0.1856, 0.0795, -0.0332]}], "fetch":["price"]}' https://$IP:$PORT/foo/uci/prediction -k
+```
+我们可以看到 apikey 已经加入到了curl请求的header当中。
+
+
+
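Review bot: The Docker section sends readers to `https://$IP_ADDR:8001` as the Kong web console, but the `docker ps` output just above it shows 8001 published only on `127.0.0.1` and Konga on `0.0.0.0:8005->1337/tcp`, so that URL cannot be reached from another host and does not point at the console container. Name the Konga port for the UI and state that 8001/8444 are the admin API and are meant to stay loopback-only. Two file references also disagree with this patch: Step 2 applies `tools/auth/kong-install.yaml` while the manifest added here is `tools/auth/kong-ingress.yaml`, and Step 4 applies `key-auth-k8s.yaml` and `kong-consumer-k8s.yaml` without the `tools/auth/` prefix used in the other steps. Step 1 ends at "可以看到" with no output after it, and the sentence after the `kubectl create secret` block stops at "实际情况也可以"; both need finishing. Every HTTPS example uses `curl -k`; say that the gateway certificate is self-signed and show `--cacert` for real deployments.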
diff --git a/doc/kong-api_keys.png b/doc/kong-api_keys.png
new file mode 100644
index 0000000000000000000000000000000000000000..0b0413315a3940f8dde83c618a8563b683f73995
Binary files /dev/null and b/doc/kong-api_keys.png differ
diff --git a/doc/kong-dashboard.png b/doc/kong-dashboard.png
new file mode 100644
index 0000000000000000000000000000000000000000..f5f383a24df0aa83fc3fbf61bb85ae1dc7adada0
Binary files /dev/null and b/doc/kong-dashboard.png differ
diff --git a/doc/kong-routes.png b/doc/kong-routes.png
new file mode 100644
index 0000000000000000000000000000000000000000..541f89a5dbc7d030db64f795c42cea1bfc85ce45
Binary files /dev/null and b/doc/kong-routes.png differ
diff --git a/doc/kong-services.png b/doc/kong-services.png
new file mode 100644
index 0000000000000000000000000000000000000000..e7e1e46d8f91b2f8718e3895e93741cb42598cdd
Binary files /dev/null and b/doc/kong-services.png differ
diff --git a/tools/auth/auth-serving-docker.yaml b/tools/auth/auth-serving-docker.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..49659563d74fc08a8d569bddb702b206b6225a51
--- /dev/null
+++ b/tools/auth/auth-serving-docker.yaml
@@ -0,0 +1,109 @@
+version: '3'
+
+volumes:
+ kong_data: {}
+
+services:
+ db:
+ image: postgres:9.6
+ environment:
+ - POSTGRES_DB=kong
+ - POSTGRES_USER=kong
+ - POSTGRES_PASSWORD=kong
+ volumes:
+ - kong_data:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U postgres"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ restart: always
+
+ kong-migrations:
+ image: registry.baidubce.com/serving_gateway/kong:paddle
+ command: kong migrations bootstrap
+ depends_on:
+ - db
+ environment:
+ - KONG_DATABASE=postgres
+ - KONG_PG_DATABASE=kong
+ - KONG_PG_HOST=db
+ - KONG_PG_USER=kong
+ - KONG_PG_PASSWORD=kong
+ restart: on-failure
+
+ kong:
+ image: registry.baidubce.com/serving_gateway/kong:paddle
+ depends_on:
+ - db
+ - redis
+ environment:
+ - KONG_DATABASE=postgres
+ - KONG_PG_HOST=db
+ - KONG_PG_DATABASE=kong
+ - KONG_PG_USER=kong
+ - KONG_PG_PASSWORD=kong
+ # - KONGKA_REDIS_HOST=redis
+ # - KONGKA_REDIS_PORT=6379
+ # - KONGKA_REDIS_DATABASE=0
+ ports:
+ - 8000:8000/tcp
+ - 127.0.0.1:8001:8001/tcp
+ - 8443:8443/tcp
+ - 127.0.0.1:8444:8444/tcp
+ healthcheck:
+ test: ["CMD", "kong", "health"]
+ interval: 10s
+ timeout: 10s
+ retries: 10
+ restart: always
+
+ kong-prepare:
+ image: registry.baidubce.com/serving_gateway/kong:paddle
+ entrypoint: ["bash", "/autoconfigure-admin-api.sh"]
+ depends_on:
+ - kong
+ restart: on-failure
+
+ konga-prepare:
+ image: pantsel/konga:next
+ command: -c prepare -a postgres -u postgresql://kong:kong@db/konga
+ depends_on:
+ - db
+ restart: on-failure
+ healthcheck:
+ test: "exit 0"
+
+ konga:
+ image: pantsel/konga:next
+ environment:
+ - DB_ADAPTER=postgres
+ - DB_HOST=db
+ - DB_USER=kong
+ - DB_PASSWORD=kong
+ - DB_DATABASE=konga
+ - NODE_ENV=production
+ depends_on:
+ - db
+ - konga-prepare
+ ports:
+ - 8005:1337/tcp
+
+ restart: always
+
+ redis:
+ image: redis:latest
+ ports:
+ - 6379:6379
+ restart: always
+
+ serving:
+ image: registry.baidubce.com/serving_dev/serving-runtime:cpu-py36
+ ports:
+ - 9393:9393
+ command: bash -c "
+ wget --no-check-certificate https://paddle-serving.bj.bcebos.com/uci_housing.tar.gz
+ && tar -xzf uci_housing.tar.gz
+ && python3.6 -m paddle_serving_server.serve --model uci_housing_model --thread 10 --port 9393 --name uci
+ "
+ restart: always
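Review bot: The `serving` service publishes `9393:9393` and `redis` publishes `6379:6379` on all host interfaces, so the model endpoint can be called directly without passing Kong's TLS listener or API-key check, and Redis is reachable from outside with no password configured. The containers can reach each other by service name on the compose network, so drop these two `ports` entries or bind them to `127.0.0.1` the way 8001 and 8444 already are. The same goes for `8000:8000`, which leaves a plaintext proxy listener open next to 8443. Smaller points: the Postgres and Konga credentials are the fixed pair `kong`/`kong` (read them from an env file instead), `redis` is a dependency of `kong` although the `KONGKA_REDIS_*` settings are commented out, the model archive is fetched with `wget --no-check-certificate` and no checksum, and `redis:latest` and `pantsel/konga:next` are floating tags.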
diff --git a/tools/auth/key-auth-k8s.yaml b/tools/auth/key-auth-k8s.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b5247c043d71c636d072913af1b917866e762d64
--- /dev/null
+++ b/tools/auth/key-auth-k8s.yaml
@@ -0,0 +1,5 @@
+apiVersion: configuration.konghq.com/v1
+kind: KongPlugin
+metadata:
+ name: key-auth
+plugin: key-auth
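Review bot: `plugin: key-auth` is declared with no `config`, so the plugin runs on its defaults, and with the default `hide_credentials: false` Kong forwards the caller's `apikey` header to the Serving container. Add a `config` block with `hide_credentials: true` so the credential stops at the gateway. There is also no `metadata.namespace`; a KongPlugin is namespaced and has to sit in the same namespace as the Ingress that uses it, so set it explicitly rather than depending on the caller's current kubectl context.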
diff --git a/tools/auth/kong-consumer-k8s.yaml b/tools/auth/kong-consumer-k8s.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7cfcd3276b17f24c6b0a3934dddcd3f8d4a6b616
--- /dev/null
+++ b/tools/auth/kong-consumer-k8s.yaml
@@ -0,0 +1,9 @@
+apiVersion: configuration.konghq.com/v1
+kind: KongConsumer
+metadata:
+ name: default
+ annotations:
+ kubernetes.io/ingress.class: kong
+username: default
+credentials:
+- default-apikey
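Review bot: `credentials: - default-apikey` refers to a Secret that is not part of this patch. The only place it is created is the `kubectl create secret generic default-apikey` command in doc/SERVING_AUTH_DOCKER.md, which uses the published literal `key=ZGVmYXVsdC1hcGlrZXkK`, so every cluster set up from the guide ends up with the same known API key. Have the guide generate the value (for example with `openssl rand -hex 32`) and keep only a placeholder in the docs. The consumer and the Secret must be in the same namespace, so add `metadata.namespace` here and `-n` to the documented command.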
diff --git a/tools/auth/kong-ingress-k8s.yaml b/tools/auth/kong-ingress-k8s.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..acc45194d7c3337c71c6655fd18b5fac2131f37e
--- /dev/null
+++ b/tools/auth/kong-ingress-k8s.yaml
@@ -0,0 +1,15 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: demo
+ annotations:
+ konghq.com/strip-path: "true"
+ kubernetes.io/ingress.class: kong
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /foo
+ backend:
+ serviceName: uci
+ servicePort: 9393
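Review bot: The annotations are only `konghq.com/strip-path` and `kubernetes.io/ingress.class`, and nothing here references the `key-auth` KongPlugin from tools/auth/key-auth-k8s.yaml. A KongPlugin is applied only to resources that name it, so as written the plugin is defined but not attached to `/foo`. Add `konghq.com/plugins: key-auth` to this Ingress, or make that annotation an explicit part of Step 4 in the guide. The rule has no `host` and no TLS section and also matches plain HTTP (Step 3 of the guide calls it over `http://`), which lets the API key travel in cleartext; restrict the route with `konghq.com/protocols: https`. `extensions/v1beta1` Ingress is deprecated and is removed in Kubernetes 1.22, so move to the `networking.k8s.io` API group.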
diff --git a/tools/auth/kong-ingress.yaml b/tools/auth/kong-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8e49f8b13e52003d408684c6c790909c7a65760a
--- /dev/null
+++ b/tools/auth/kong-ingress.yaml
@@ -0,0 +1,731 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kong
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: kongclusterplugins.configuration.konghq.com
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .plugin
+ description: Name of the plugin
+ name: Plugin-Type
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: Age
+ name: Age
+ type: date
+ - JSONPath: .disabled
+ description: Indicates if the plugin is disabled
+ name: Disabled
+ priority: 1
+ type: boolean
+ - JSONPath: .config
+ description: Configuration of the plugin
+ name: Config
+ priority: 1
+ type: string
+ group: configuration.konghq.com
+ names:
+ kind: KongClusterPlugin
+ plural: kongclusterplugins
+ shortNames:
+ - kcp
+ scope: Cluster
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ config:
+ type: object
+ configFrom:
+ properties:
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ - key
+ type: object
+ type: object
+ disabled:
+ type: boolean
+ plugin:
+ type: string
+ protocols:
+ items:
+ enum:
+ - http
+ - https
+ - grpc
+ - grpcs
+ - tcp
+ - tls
+ type: string
+ type: array
+ run_on:
+ enum:
+ - first
+ - second
+ - all
+ type: string
+ required:
+ - plugin
+ version: v1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: kongconsumers.configuration.konghq.com
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .username
+ description: Username of a Kong Consumer
+ name: Username
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: Age
+ name: Age
+ type: date
+ group: configuration.konghq.com
+ names:
+ kind: KongConsumer
+ plural: kongconsumers
+ shortNames:
+ - kc
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ credentials:
+ items:
+ type: string
+ type: array
+ custom_id:
+ type: string
+ username:
+ type: string
+ version: v1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: kongingresses.configuration.konghq.com
+spec:
+ group: configuration.konghq.com
+ names:
+ kind: KongIngress
+ plural: kongingresses
+ shortNames:
+ - ki
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ proxy:
+ properties:
+ connect_timeout:
+ minimum: 0
+ type: integer
+ path:
+ pattern: ^/.*$
+ type: string
+ protocol:
+ enum:
+ - http
+ - https
+ - grpc
+ - grpcs
+ - tcp
+ - tls
+ type: string
+ read_timeout:
+ minimum: 0
+ type: integer
+ retries:
+ minimum: 0
+ type: integer
+ write_timeout:
+ minimum: 0
+ type: integer
+ type: object
+ route:
+ properties:
+ headers:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ type: object
+ https_redirect_status_code:
+ type: integer
+ methods:
+ items:
+ type: string
+ type: array
+ path_handling:
+ enum:
+ - v0
+ - v1
+ type: string
+ preserve_host:
+ type: boolean
+ protocols:
+ items:
+ enum:
+ - http
+ - https
+ - grpc
+ - grpcs
+ - tcp
+ - tls
+ type: string
+ type: array
+ regex_priority:
+ type: integer
+ request_buffering:
+ type: boolean
+ response_buffering:
+ type: boolean
+ snis:
+ items:
+ type: string
+ type: array
+ strip_path:
+ type: boolean
+ upstream:
+ properties:
+ algorithm:
+ enum:
+ - round-robin
+ - consistent-hashing
+ - least-connections
+ type: string
+ hash_fallback:
+ type: string
+ hash_fallback_header:
+ type: string
+ hash_on:
+ type: string
+ hash_on_cookie:
+ type: string
+ hash_on_cookie_path:
+ type: string
+ hash_on_header:
+ type: string
+ healthchecks:
+ properties:
+ active:
+ properties:
+ concurrency:
+ minimum: 1
+ type: integer
+ healthy:
+ properties:
+ http_statuses:
+ items:
+ type: integer
+ type: array
+ interval:
+ minimum: 0
+ type: integer
+ successes:
+ minimum: 0
+ type: integer
+ type: object
+ http_path:
+ pattern: ^/.*$
+ type: string
+ timeout:
+ minimum: 0
+ type: integer
+ unhealthy:
+ properties:
+ http_failures:
+ minimum: 0
+ type: integer
+ http_statuses:
+ items:
+ type: integer
+ type: array
+ interval:
+ minimum: 0
+ type: integer
+ tcp_failures:
+ minimum: 0
+ type: integer
+ timeout:
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ passive:
+ properties:
+ healthy:
+ properties:
+ http_statuses:
+ items:
+ type: integer
+ type: array
+ interval:
+ minimum: 0
+ type: integer
+ successes:
+ minimum: 0
+ type: integer
+ type: object
+ unhealthy:
+ properties:
+ http_failures:
+ minimum: 0
+ type: integer
+ http_statuses:
+ items:
+ type: integer
+ type: array
+ interval:
+ minimum: 0
+ type: integer
+ tcp_failures:
+ minimum: 0
+ type: integer
+ timeout:
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ threshold:
+ type: integer
+ type: object
+ host_header:
+ type: string
+ slots:
+ minimum: 10
+ type: integer
+ type: object
+ version: v1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: kongplugins.configuration.konghq.com
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .plugin
+ description: Name of the plugin
+ name: Plugin-Type
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: Age
+ name: Age
+ type: date
+ - JSONPath: .disabled
+ description: Indicates if the plugin is disabled
+ name: Disabled
+ priority: 1
+ type: boolean
+ - JSONPath: .config
+ description: Configuration of the plugin
+ name: Config
+ priority: 1
+ type: string
+ group: configuration.konghq.com
+ names:
+ kind: KongPlugin
+ plural: kongplugins
+ shortNames:
+ - kp
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ config:
+ type: object
+ configFrom:
+ properties:
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - key
+ type: object
+ type: object
+ disabled:
+ type: boolean
+ plugin:
+ type: string
+ protocols:
+ items:
+ enum:
+ - http
+ - https
+ - grpc
+ - grpcs
+ - tcp
+ - tls
+ type: string
+ type: array
+ run_on:
+ enum:
+ - first
+ - second
+ - all
+ type: string
+ required:
+ - plugin
+ version: v1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tcpingresses.configuration.konghq.com
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.loadBalancer.ingress[*].ip
+ description: Address of the load balancer
+ name: Address
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: Age
+ name: Age
+ type: date
+ group: configuration.konghq.com
+ names:
+ kind: TCPIngress
+ plural: tcpingresses
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ rules:
+ items:
+ properties:
+ backend:
+ properties:
+ serviceName:
+ type: string
+ servicePort:
+ format: int32
+ type: integer
+ type: object
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ type: array
+ tls:
+ items:
+ properties:
+ hosts:
+ items:
+ type: string
+ type: array
+ secretName:
+ type: string
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kong-serviceaccount
+ namespace: kong
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kong-ingress-clusterrole
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ - extensions
+ - networking.internal.knative.dev
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ - extensions
+ - networking.internal.knative.dev
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - configuration.konghq.com
+ resources:
+ - tcpingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - configuration.konghq.com
+ resources:
+ - kongplugins
+ - kongclusterplugins
+ - kongcredentials
+ - kongconsumers
+ - kongingresses
+ - tcpingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - get
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kong-ingress-clusterrole-nisa-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kong-ingress-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: kong-serviceaccount
+ namespace: kong
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+ service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ name: kong-proxy
+ namespace: kong
+spec:
+ ports:
+ - name: proxy
+ port: 80
+ protocol: TCP
+ targetPort: 8000
+ - name: proxy-ssl
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: ingress-kong
+ type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kong-validation-webhook
+ namespace: kong
+spec:
+ ports:
+ - name: webhook
+ port: 443
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: ingress-kong
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: ingress-kong
+ name: ingress-kong
+ namespace: kong
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ingress-kong
+ template:
+ metadata:
+ annotations:
+ kuma.io/gateway: enabled
+ prometheus.io/port: "8100"
+ prometheus.io/scrape: "true"
+ traffic.sidecar.istio.io/includeInboundPorts: ""
+ labels:
+ app: ingress-kong
+ spec:
+ containers:
+ - env:
+ - name: KONG_PROXY_LISTEN
+ value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
+ - name: KONG_PORT_MAPS
+ value: 80:8000, 443:8443
+ - name: KONG_ADMIN_LISTEN
+ value: 127.0.0.1:8444 ssl
+ - name: KONG_STATUS_LISTEN
+ value: 0.0.0.0:8100
+ - name: KONG_DATABASE
+ value: "off"
+ - name: KONG_NGINX_WORKER_PROCESSES
+ value: "2"
+ - name: KONG_ADMIN_ACCESS_LOG
+ value: /dev/stdout
+ - name: KONG_ADMIN_ERROR_LOG
+ value: /dev/stderr
+ - name: KONG_PROXY_ERROR_LOG
+ value: /dev/stderr
+ image: registry.baidubce.com/serving_gateway/kong:paddle
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - kong quit
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /status
+ port: 8100
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: proxy
+ ports:
+ - containerPort: 8000
+ name: proxy
+ protocol: TCP
+ - containerPort: 8443
+ name: proxy-ssl
+ protocol: TCP
+ - containerPort: 8100
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /status
+ port: 8100
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ - env:
+ - name: CONTROLLER_KONG_ADMIN_URL
+ value: https://127.0.0.1:8444
+ - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+ value: "true"
+ - name: CONTROLLER_PUBLISH_SERVICE
+ value: kong/kong-proxy
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: kong/kubernetes-ingress-controller:1.2
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: ingress-controller
+ ports:
+ - containerPort: 8080
+ name: webhook
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ serviceAccountName: kong-serviceaccount
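Review bot: `kong-ingress-clusterrole` grants `list` and `watch` on `secrets` in every namespace, which is far more than a gateway in front of one demo service needs. The controller only has to read credential and TLS Secrets in the namespaces it serves, so move the `secrets` rule into namespaced Roles (together with the controller's `--watch-namespace` option) or document why cluster-wide read is accepted. In the Deployment, neither container has a `securityContext` or `resources`, the proxy image `registry.baidubce.com/serving_gateway/kong:paddle` is a mutable tag with no digest or `imagePullPolicy`, and `CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY` is `"true"`; the last one is tolerable only because the admin listener is `127.0.0.1:8444` inside the same pod, which deserves a comment. `apiextensions.k8s.io/v1beta1` and `rbac.authorization.k8s.io/v1beta1` are both removed in Kubernetes 1.22, and the trailing `status:` block on the `tcpingresses` CRD is generator output that should not be checked in. The file name also differs from the `kong-install.yaml` that the guide tells users to apply.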
diff --git a/tools/auth/serving-demo-k8s.yaml b/tools/auth/serving-demo-k8s.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..173b601aee65c295260b944bf147c9134a24206b
--- /dev/null
+++ b/tools/auth/serving-demo-k8s.yaml
@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: uci
+ name: uci
+spec:
+ ports:
+ - port: 9393
+ name: http
+ protocol: TCP
+ targetPort: 9393
+ selector:
+ app: uci
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: uci
+ name: uci
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: uci
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: uci
+ spec:
+ containers:
+ - image: registry.baidubce.com/serving_dev/fit_a_line:security
+ name: uci
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 9393
+ workingDir: /home/fit_a_line/
+ name: uci
+ command: ['/bin/bash', '-c']
+ args: ["python3.6 -m paddle_serving_server.serve --model uci_housing_model --thread 10 --port 9393 --name uci"]
+ env:
+ - name: SERVING_BIN
+ value: "/usr/local/serving_bin/serving"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ resources: {}
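Review bot: The container spec sets `name: uci` twice, once after `image` and again after `workingDir`. Duplicate mapping keys are invalid YAML and strict parsers reject them, so remove one. `resources: {}` leaves a server started with `--thread 10` without any CPU or memory request or limit, which undercuts the resource-control goal stated in the guide; set explicit values. `strategy: {}` and `creationTimestamp: null` are generator residue and can go. The pod also has no `securityContext` (run as non-root, disallow privilege escalation) and no readiness probe on 9393, and `fit_a_line:security` with `imagePullPolicy: Always` is a mutable tag that should be pinned by digest.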