Work in Progress …
- Minishift - Kubernetes platform
- Use the istio addon for minishift
- jq - will be used to parse JSON responses
git clone https://github.com/kameshsampath/istio-keycloak-demo
We will refer to this folder as $DEMO_HOME in the rest of the document.
Since Keycloak will be used as security provider
oc apply -f $DEMO_HOME/openshift-files/keycloak.yaml
To open the Keycloak WebConsole, run the command minishift openshift service keycloak --in-browser
Using the Keycloak WebConsole:
- Create a Keycloak realm called istio
- Create a public client called cars-web under realm istio
- Create a role user under realm istio
- Add a user, say demo, under realm istio and add the user to the user role
./mvnw -Distio.home=[your istio home folder] clean package fabric8:build (1)
oc apply -f $DEMO_HOME/src/istio/istio-cars-api-0.0.1.yml (2)
- (1) Build the app, create the kube-injected yaml and the docker image of the application
- (2) Deploy the application to OpenShift
To configure the JWT-Auth Filter and the required cluster we need to configure Istio
oc apply -f $DEMO_HOME/src/istio/car-api-auth_config.yaml
The end user auth spec will add the JWT-Auth filter to the Mixer config of the cars-api application and add a keycloak cluster to the CDS. Refer to the Querying Istio section to learn how to query and check the config.
Since we want only protected access to the application API cars-api list, we need to add an Istio mixer rule that allows only authorized users to access the API. The following command creates the rule:
istioctl create -f $DEMO_HOME/cars-api/src/istio/mixer-rule-only-authorized.yaml
curl -vvv $(minishift openshift service cars-api)/cars/list
With the above command you should see a response like UNKNOWN:handler.denier.default:Not Authorized, as the API is protected.
---
kubectl run -i --rm --restart=Never tokenizer --image=tutum/curl \
--command \
-- curl -X POST 'http://keycloak.istio-system:8080/auth/realms/istio/protocol/openid-connect/token' \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'username={demo-user}&password={demo-user}&grant_type=password&client_id=cars-web' | jq -r .access_token
---
The above command will output the authorization token from Keycloak; store the value in an environment variable called $token.
Once we have generated the token, run the command below with the token:
curl -vvv -H "Authorization: Bearer $token" $(minishift openshift service cars-api)/cars/list
With the above command you should see a response like ["BMW","Hyundai Verna","Audi","Ferrari"]
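If the request with the token is still answered with Not Authorized, reading the token's claims usually shows why. The following is an added example, not part of the original demo: it decodes a Keycloak access token and checks issuer, client, expiry and realm role without verifying the signature. The issuer URL, the `azp` and `realm_access.roles` claim checks, the idea that the rule depends on the user role, and all helper names are assumptions based on the names used on this page.

```python
import base64
import json
import time

# Assumptions drawn from the names used on this page (adjust to your setup).
EXPECTED_ISSUER = "http://keycloak.istio-system:8080/auth/realms/istio"
EXPECTED_CLIENT = "cars-web"   # Keycloak puts the requesting client in "azp"
REQUIRED_ROLE = "user"         # realm roles appear under realm_access.roles


def _b64url(data):
    """Encode bytes as unpadded base64url, the form used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a CONSTRUCTED token with a dummy signature, for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), _b64url(b"not-a-real-signature")])


def inspect_token(token, now=None):
    """Return reasons the token looks unusable for cars-api (empty list = claims look fine)."""
    # Claims are only read here; signature verification is left to the proxy.
    token = token.strip().strip('"')  # plain `jq .access_token` leaves JSON quotes on
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected header.payload.signature)"]
    try:
        header, claims = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                          for p in parts[:2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("azp") != EXPECTED_CLIENT:
        problems.append("issued to another client: %r" % claims.get("azp"))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("token is expired or has no exp claim")
    access = claims.get("realm_access")
    roles = (access.get("roles") or []) if isinstance(access, dict) else []
    if REQUIRED_ROLE not in roles:
        problems.append("realm role %r missing" % REQUIRED_ROLE)
    return problems
```

Call `inspect_token(os.environ["token"])` from a Python shell to check the token stored earlier; an empty list means the claims match what this setup expects.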
Istio LDS, CDS and SDS can be queried using the script available at https://github.com/istio/istio/blob/master/bin/istio-proxy-cfg
To Query LDS run the following command
oc get pods (1)
istio-proxy-cfg lds sidecar <your pod id> (2)
minishift ssh <curl url from previous command> (3)
- (1) find the pod id for cars-api
- (2) this command will not succeed because curl can't reach Istio from outside of minishift; by default we did not expose istio-pilot
- (3) execute the curl command to see the LDS config
To Query CDS run the following command
oc get pods (1)
istio-proxy-cfg cds sidecar <your pod id> (2)
minishift ssh <curl url from previous command> (3)
- (1) find the pod id for cars-api
- (2) this command will not succeed because curl can't reach Istio from outside of minishift; by default we did not expose istio-pilot
- (3) execute the curl command to see the CDS config; you will see an extra cluster added for keycloak based on the Create Istio Authentication Spec and Binding