
istio-keycloak-demo's Introduction

Cars Application

Work in Progress …

Pre-requisites

Download the sources

git clone https://github.com/kameshsampath/istio-keycloak-demo

We will refer to this folder as $DEMO_HOME in the rest of the document.

Deploying Keycloak

Keycloak is used as the security provider, so deploy it first:

oc apply -f $DEMO_HOME/openshift-files/keycloak.yaml

To open the Keycloak web console, run the command minishift openshift service keycloak --in-browser

Using the Keycloak web console:

  • Create a Keycloak realm called istio

  • Create a public client called cars-web under realm istio

  • Create a role user under realm istio

    • Add a user, say demo, under realm istio and add the user to the user role

Note
  • Keycloak is configured with default admin user admin and password admin

  • Work in progress: perform the above steps automatically via the Keycloak Admin API

Building

Important
  • Since we will be doing a manual kube-inject of the Istio sidecars, you must log in to OpenShift as admin so that you have permission to look up configmaps in other namespaces, especially istio-system

  • oc adm policy add-scc-to-user privileged -z default -n <your project>

Cars API

./mvnw -Distio.home=[your istio home folder] clean package fabric8:build (1)
oc apply -f $DEMO_HOME/src/istio/istio-cars-api-0.0.1.yml (2)
  1. Build the app, create the kube-injected YAML and build the Docker image of the application

  2. Deploy the application to OpenShift

Create Istio Authentication Spec and Binding

To configure the JWT-Auth filter and the cluster it needs, apply the Istio end-user authentication spec and binding:

oc apply -f $DEMO_HOME/src/istio/car-api-auth_config.yaml

The end-user auth spec adds the JWT-Auth filter to the Mixer config of the cars-api application and adds the keycloak cluster to the CDS. Refer to the Querying Istio section to learn how to query and check this config.

Create Istio mixer rule

Since we want only protected access to the cars-api list API, we need to add an Istio mixer rule that allows only authorized users to access the API. The following command creates the rule:

istioctl create -f $DEMO_HOME/cars-api/src/istio/mixer-rule-only-authorized.yaml

Cars Web Application

Note
WIP: after the JWT-Auth change, configure the Keycloak adapter URL in the right way

Testing Application

Without Token

curl -vvv $(minishift openshift service cars-api)/cars/list

The above command should return a response like UNKNOWN:handler.denier.default:Not Authorized, as the API is protected.

With Token

Generate Token

kubectl run -i --rm --restart=Never tokenizer --image=tutum/curl \
--command \
-- curl -X POST 'http://keycloak.istio-system:8080/auth/realms/istio/protocol/openid-connect/token' \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'username={demo-user}&password={demo-user}&grant_type=password&client_id=cars-web' | jq .access_token

The above command outputs the authorization token issued by Keycloak; store the value in an environment variable called $token.

Once the token has been generated, run the command below with it:

curl -vvv -H "Authorization: Bearer $token" $(minishift openshift service cars-api)/cars/list

The above command should return a response like ["BMW","Hyundai Verna","Audi","Ferrari"]
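Before debugging a denied request it helps to look at what the token actually carries. The following Python script is an added example (not part of the demo repository): it decodes the access token and checks the claims the JWT-Auth filter and mixer rule rely on. The issuer URL (the realm base of the token endpoint above), the azp client id cars-web, the realm role user in realm_access.roles and the sample token are assumptions; the sample token is constructed and unsigned.

```python
# Added example (not from the demo repo): decode the Keycloak access token and check the
# claims the Istio JWT-Auth filter and mixer rule rely on: issuer (realm "istio"), client
# "cars-web", realm role "user", expiry. Decodes only: the signature is NOT verified here.
import base64
import json
import time

EXPECTED_ISSUER = "http://keycloak.istio-system:8080/auth/realms/istio"  # assumed issuer
EXPECTED_CLIENT = "cars-web"
REQUIRED_ROLE = "user"

def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Split a compact JWS (header.payload.signature) and return the payload claims."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))

def check_token(token, now=None):
    """Return the problems found; an empty list means the token should be accepted."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("azp") != EXPECTED_CLIENT:
        problems.append("not issued to client %s: %r" % (EXPECTED_CLIENT, claims.get("azp")))
    roles = claims.get("realm_access", {}).get("roles", [])
    if REQUIRED_ROLE not in roles:
        problems.append("realm role %r missing, roles=%r" % (REQUIRED_ROLE, roles))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_unsigned_token(claims):
    # Constructed, UNSIGNED token (alg "none") for offline demonstration only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"

# Constructed claims mirroring what Keycloak issues to user "demo" via client cars-web.
SAMPLE_TOKEN = make_unsigned_token({
    "iss": EXPECTED_ISSUER, "azp": EXPECTED_CLIENT, "preferred_username": "demo",
    "realm_access": {"roles": ["user"]}, "exp": 4102444800,  # far-future expiry
})
```

To inspect a real token, replace SAMPLE_TOKEN with the value stored in $token and call check_token on it.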

Querying Istio

Istio LDS, CDS and SDS can be queried using the script available at https://github.com/istio/istio/blob/master/bin/istio-proxy-cfg

Querying LDS

To query LDS, run the following commands:

oc get pods (1)

istio-proxy-cfg lds sidecar <your pod id> (2)

minishift ssh <curl url from previous command> (3)
  1. find the pod id of cars-api

  2. this command will not succeed by itself, because curl cannot reach Istio Pilot from outside minishift (istio-pilot is not exposed by default); note the curl URL it prints

  3. execute the curl command inside minishift to see the LDS config

Querying CDS

To query CDS, run the following commands:

oc get pods (1)

istio-proxy-cfg cds sidecar <your pod id> (2)

minishift ssh <curl url from previous command> (3)
  1. find the pod id of cars-api

  2. this command will not succeed by itself, because curl cannot reach Istio Pilot from outside minishift (istio-pilot is not exposed by default); note the curl URL it prints

  3. execute the curl command inside minishift to see the CDS config; you will see an extra cluster added for keycloak, created by the Create Istio Authentication Spec and Binding step
