From 0c39b7ba2ede8d507206f7a65bc90c748fa70547 Mon Sep 17 00:00:00 2001 From: Ruoyu Ying Date: Tue, 20 Aug 2024 10:07:19 +0800 Subject: [PATCH] authN-authZ: change folder and split support * change the folder to a upper level directory * split the support for helm chart and gmc-based deployment Signed-off-by: Ruoyu Ying --- .../authN-authZ => authN-authZ}/README.md | 80 +++++++++++------- .../chatQnA_authN_oauth.yaml | 0 .../chatQnA_authZ_oauth.yaml | 0 .../chatQnA_istio_external_auth.yaml | 0 .../chatQnA_ui_gateway.yaml | 0 .../OPEA auth flow with OIDC provider.png | Bin .../docs/OPEA auth flow with oauth2-proxy.png | Bin .../docs/add_group_scope.png | Bin .../docs/add_mapper.png | Bin .../docs/add_scope.png | Bin .../docs/attach_group_scope.png | Bin .../docs/create_client_1.png | Bin .../docs/create_client_2.png | Bin .../docs/create_client_3.png | Bin .../docs/create_realm.png | Bin .../docs/create_user.png | Bin .../gmc-based}/chatQnA_authN_fakejwt.yaml | 0 .../gmc-based}/chatQnA_authN_keycloak.yaml | 0 .../gmc-based}/chatQnA_authZ_fakejwt.yaml | 0 .../gmc-based}/chatQnA_authZ_keycloak.yaml | 0 .../gmc-based}/chatQnA_router_gateway.yaml | 0 .../chatQnA_router_gateway_oauth.yaml | 0 .../chatQnA_authN_fakejwt.yaml | 14 +++ .../chatQnA_authN_keycloak.yaml | 15 ++++ .../chatQnA_authZ_fakejwt.yaml | 21 +++++ .../chatQnA_authZ_keycloak.yaml | 23 +++++ .../chatQnA_router_gateway.yaml | 34 ++++++++ .../chatQnA_router_gateway_oauth.yaml | 39 +++++++++ .../keycloak_install.yaml | 0 .../oauth2_install.yaml | 0 microservices-connector/usage_guide.md | 2 +- 31 files changed, 195 insertions(+), 33 deletions(-) rename {microservices-connector/config/authN-authZ => authN-authZ}/README.md (85%) rename {microservices-connector/config/authN-authZ => authN-authZ}/chatQnA_authN_oauth.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/chatQnA_authZ_oauth.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/chatQnA_istio_external_auth.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/chatQnA_ui_gateway.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/OPEA auth flow with OIDC provider.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/OPEA auth flow with oauth2-proxy.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/add_group_scope.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/add_mapper.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/add_scope.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/attach_group_scope.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/create_client_1.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/create_client_2.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/create_client_3.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/create_realm.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/docs/create_user.png (100%) rename {microservices-connector/config/authN-authZ => authN-authZ/gmc-based}/chatQnA_authN_fakejwt.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ/gmc-based}/chatQnA_authN_keycloak.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ/gmc-based}/chatQnA_authZ_fakejwt.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ/gmc-based}/chatQnA_authZ_keycloak.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ/gmc-based}/chatQnA_router_gateway.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ/gmc-based}/chatQnA_router_gateway_oauth.yaml (100%) create mode 100644 authN-authZ/helm-chart-based/chatQnA_authN_fakejwt.yaml create mode 100644 authN-authZ/helm-chart-based/chatQnA_authN_keycloak.yaml create mode 100644 authN-authZ/helm-chart-based/chatQnA_authZ_fakejwt.yaml create mode 100644 authN-authZ/helm-chart-based/chatQnA_authZ_keycloak.yaml create mode 100644 authN-authZ/helm-chart-based/chatQnA_router_gateway.yaml create mode 100644 authN-authZ/helm-chart-based/chatQnA_router_gateway_oauth.yaml rename {microservices-connector/config/authN-authZ => authN-authZ}/keycloak_install.yaml (100%) rename {microservices-connector/config/authN-authZ => authN-authZ}/oauth2_install.yaml (100%) diff --git a/microservices-connector/config/authN-authZ/README.md b/authN-authZ/README.md similarity index 85% rename from microservices-connector/config/authN-authZ/README.md rename to authN-authZ/README.md index f2690712..4a943756 100644 --- a/microservices-connector/config/authN-authZ/README.md +++ b/authN-authZ/README.md @@ -1,4 +1,4 @@ -# Use GMC and Istio to compose an OPEA Pipeline with authentication and authorization enabled +# Leveraging Istio to compose an OPEA Pipeline with authentication and authorization enabled In enterprise settings not only do we want to identify who is using a service but also what they are entitled to use. This is where authentication and authorization comes in. In contrast, API tokens provide full access by virtue of possession as long as they are valid/not expired. With that aside, we first provide the solution on AuthN and AuthZ in OPEA using Istio and JWT tokens. Another option is to leverage the oauth2-proxy with various OIDC providers for authentication and authorization. Using oauth2-proxy with Istio ensures secure, scalable access control, centralizes user management, and provides seamless single sign-on capabilities, improving overall security and user experience in complex microservices environments. @@ -6,17 +6,27 @@ Currently we provide three kinds of setups for authentication and authorization: ## Prerequisite -Before composing an OPEA pipeline with authN & authZ using GMC, user need to install Istio to support this feature. Please follow the steps [here](https://istio.io/latest/docs/setup/install/istioctl/) for installation. +Before composing an OPEA pipeline with authN & authZ, user need to install Istio to support this feature. Please follow the steps [here](https://istio.io/latest/docs/setup/install/istioctl/) for Istio installation. -**Deploy chatQnA GMC custom resource and enable Istio sidecar injection** +**Deploy chatQnA pipeline and enable Istio sidecar injection** ```sh -# make sure you are executing under the microservices-connector folder -kubectl create ns chatqa -kubectl apply -f $(pwd)/config/samples/chatQnA_xeon.yaml -# patch the router deployment to enable istio sidecar injection -kubectl patch deployment -n chatqa router-server --patch '{ +# deploy ChatQnA pipeline. You can either leverage GMC or the ChatQnA helm chart. +kubectl create ns chatqa +# here's the command to leverage GMC custom resource for ChatQnA deployment. +kubectl apply -f $(pwd)/../microservices-connector/config/samples/chatQnA_xeon.yaml +# please refer the doc https://github.com/opea-project/GenAIInfra/tree/main/helm-charts/chatqna for deployment with helm chart. +# and install under `chatqa` namespace + +# expose an environment variable to set the deployment method +# which will affect the configuration we use for authentication and authorization +export DEPLOY_METHOD= + +# patch the deployment to enable istio sidecar injection +# for GMC based deployment, set the `deployment-name` to `router-service-deployment` +# for helm chart based deployment, set the `deployment-name` to `chatqna` +kubectl patch deployment -n chatqa --patch '{ "spec": { "template": { "metadata": { @@ -29,9 +39,9 @@ kubectl patch deployment -n chatqa router-server --patch '{ }' ``` -The istio ingress gateway will be used to access the chatQnA service in different setups. Follow the istio guide [here](https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) to determine the ingress IP and ports. +The istio ingress gateway will be used to access the chatQnA service in different setups. Follow the istio guide [here](https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) to determine the ingress IP and ports and expose them as environment variables. -## Perform authentication and authorization via Bearer JWT tokens +## Perform authentication and authorization via Bearer JWT tokens and curl Authentication and authorization are essential for securing microservices architectures. Using Bearer JWT tokens for these processes ensures that only authenticated users with valid tokens can access specific services, protecting sensitive data. Authentication verifies user identity, while authorization controls their permissions. This layered approach not only prevents unauthorized access but also provides detailed control over service interactions, maintaining system security and compliance. Here we leverage Istio mechanisms together with Bearer JWT tokens to fulfill that. @@ -46,13 +56,14 @@ In this example, we setup rules that only users with JWT token issued by "testin **Apply authentication and authorization policies to the pipeline endpoint based on raw JWT tokens** ```sh +# make sure running under authN-authZ folder # apply the yaml to request authentication using JWT token -kubectl apply -f $(pwd)/config/authN-authZ/chatQnA_authZ_fakejwt.yaml -n chatqa +kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_authZ_fakejwt.yaml -n chatqa # apply the yaml file to request that only JWT token with # issuer & sub == "testing@secure.istio.io" and groups belongs to group1 # can access the endpoint of chatQnA service -kubectl apply -f $(pwd)/config/authN-authZ/chatQnA_authN_fakejwt.yaml -n chatqa +kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_authN_fakejwt.yaml -n chatqa ``` After applying these two yaml files, we have setup the policy that only user with a valid JWT token (with valid issuer and claims) could access the pipeline endpoint. @@ -83,7 +94,12 @@ Deploy one client pod and test the chatQnA application with different tokens kubectl create deployment client-test -n chatqa --image=python:3.8.13 -- sleep infinity export CLIENT_POD=$(kubectl get pod -n chatqa -l app=client-test -o jsonpath={.items..metadata.name}) -export accessUrl=$(kubectl get gmc -n chatqa -o jsonpath="{.items[?(@.metadata.name=='chatqa')].status.accessUrl}") + +# export an accessUrl based on either GMC or helm chart based ChatQnA +if [ "${DEPLOY_METHOD}" = "gmc-based" ]; then + export accessUrl=$(kubectl get gmc -n chatqa -o jsonpath="{.items[?(@.metadata.name=='chatqa')].status.accessUrl}") +else + export accessUrl="http://chatqna.chatqa.svc.cluster.local:8888" # try without token. Shall get response: "RBAC: access denied 403" kubectl exec -it -n chatqa $CLIENT_POD -- curl -X POST $accessUrl -d '{"text":"What is the revenue of Nike in 2023?","parameters":{"max_new_tokens":17, "do_sample": true}}' -sS -H 'Content-Type: application/json' -w " %{http_code}\n" @@ -106,8 +122,9 @@ In this sample, we are going to test with the scenario that only privileged user Install Keycloak in the kubernetes cluster for user management. **Note:** Replace the admin password as your own in the keycloak_install.yaml file. ```bash +# make sure running under authN-authZ folder cd $(pwd) -kubectl apply -f $(pwd)/config/authN-authZ/keycloak_install.yaml +kubectl apply -f $(pwd)/keycloak_install.yaml # get the ip and port to access keycloak. export HOST_IP=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | cut -d '/' -f3 | cut -d ':' -f1) @@ -135,14 +152,14 @@ Use the commands to apply the authentication and authorization rules. ```bash # export the router service through istio ingress gateway -kubectl apply -f $(pwd)/config/authN-authZ/chatQnA_router_gateway.yaml +kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_router_gateway.yaml # 'envsubst' is used to substitute envs in yaml. # use 'sudo apt-get install gettext-base' to install envsubst if it does not exist on your machine # apply the authentication and authorization rule # these files will restrict user access with valid token (with valid issuer, username and realm role) -envsubst < $(pwd)/config/authN-authZ/chatQnA_authN_keycloak.yaml | kubectl -n chatqa apply -f - -envsubst < $(pwd)/config/authN-authZ/chatQnA_authZ_keycloak.yaml | kubectl -n chatqa apply -f - +envsubst < $(pwd)/$(DEPLOY_METHOD)/chatQnA_authN_keycloak.yaml | kubectl -n chatqa apply -f - +envsubst < $(pwd)/$(DEPLOY_METHOD)/chatQnA_authZ_keycloak.yaml | kubectl -n chatqa apply -f - ``` User could customize the chatQnA_authZ_keycloak.yaml to reflect roles, groups or any other claims they defined in the OIDC provider for the user. @@ -175,9 +192,9 @@ curl -X POST $accessUrl -d '{"text":"What is the revenue of Nike in 2023?","para curl -X POST $accessUrl -d '{"text":"What is the revenue of Nike in 2023?","parameters":{"max_new_tokens":17, "do_sample": true}}' -sS -H "Authorization: Bearer $TOKENA" -H 'Content-Type: application/json' -w " %{http_code}\n" ``` -## Perform authentication and authorization via oauth2-proxy and OIDC provider +## Perform authentication and authorization via oauth2-proxy and OIDC provider and UI -Another choice we have is using oauth2-proxy and OIDC providers. These two streamline authentication and authorization by handling user identity and access management. oauth2-Proxy acts as a gateway, integrating with OIDC providers to authenticate users and issue tokens. This setup ensures secure access to applications by validating user credentials and managing permissions, simplifying the implementation of robust security protocols across services. +Another choice we have is using oauth2-proxy and OIDC providers. These two streamline authentication and authorization by handling user identity and access management. oauth2-proxy acts as a gateway, integrating with OIDC providers to authenticate users and issue tokens. This setup ensures secure access to applications by validating user credentials and managing permissions, simplifying the implementation of robust security protocols across services. @@ -188,8 +205,9 @@ We are using a similar scenario here that only privileged users can access our c Here we take Keycloak as the sample OIDC Provider to use in the example. Follow the steps to install and configure Keycloak. ```bash +# make sure running under authN-authZ folder cd $(pwd) -kubectl apply -f $(pwd)/config/authN-authZ/keycloak_install.yaml +kubectl apply -f $(pwd)/keycloak_install.yaml # get the ip and port to access keycloak. export HOST_IP=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | cut -d '/' -f3 | cut -d ':' -f1) @@ -245,7 +263,7 @@ export CLIENT_SECRET= # Using bash here. More methods found here: # https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#generating-a-cookie-secret export COOKIE_SECRET=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_' ; echo) -envsubst < $(pwd)/config/authN-authZ/oauth2_install.yaml | kubectl apply -f - +envsubst < $(pwd)/oauth2_install.yaml | kubectl apply -f - ``` **Expose the pipeline endpoint through Istio Ingressgateway and install chatQnA UI** @@ -254,21 +272,19 @@ Here we expose the chatQnA endpoint through the ingress gateway and then install ```bash # expose chatqna endpoint -kubectl apply -f $(pwd)/config/authN-authZ/chatQnA_router_gateway_oauth.yaml -# build chatqna UI image +kubectl apply -f $(pwd)/$(DEPLOY_METHOD)/chatQnA_router_gateway_oauth.yaml +# build chatqna UI image if not exist on your machine git clone https://github.com/opea-project/GenAIExamples.git cd GenAIExamples/ChatQnA/docker/ui/ -export BACKEND_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/" -export DATAPREP_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/dataprep" -docker build --no-cache -t opea/chatqna-conversation-ui:latest --build-arg https_proxy=$https_proxy --build-arg http_proxy=$http_proxy --build-arg BACKEND_SERVICE_ENDPOINT=$BACKEND_SERVICE_ENDPOINT --build-arg DATAPREP_SERVICE_ENDPOINT=$DATAPREP_SERVICE_ENDPOINT -f ./docker/Dockerfile.react . +docker build --no-cache -t opea/chatqna-conversation-ui:latest --build-arg https_proxy=$https_proxy --build-arg http_proxy=$http_proxy -f ./docker/Dockerfile.react . # inject image to containerd repo docker save -o ui.tar opea/chatqna-conversation-ui:latest sudo ctr -n k8s.io image import ui.tar # install chatqna conversation UI -cd && cd GenAIInfra/microservices-connector -helm install chatqna-ui ../helm-charts/common/chatqna-ui +cd && cd GenAIInfra +helm install chatqna-ui $(pwd)/helm-charts/common/chatqna-ui # expose ui service outside -kubectl apply -f $(pwd)/config/authN-authZ/chatQnA_ui_gateway.yaml +kubectl apply -f $(pwd)/chatQnA_ui_gateway.yaml ``` **Add authentication and authorization rules to the pipeline through Istio Ingress Gateway** @@ -277,13 +293,13 @@ Here we apply the authentication and authorization rules. ```bash # Before applying the authorization rule, need to add the oauth2-proxy as the external authorization provider -kubectl apply -f $(pwd)/config/authN-authZ/chatQnA_istio_external_auth.yaml +kubectl apply -f $(pwd)/chatQnA_istio_external_auth.yaml # 'envsubst' is used to substitute envs in yaml. # use 'sudo apt-get install gettext-base' to install envsubst if it does not exist on your machine # apply the authentication and authorization rule # these files will restrict user access with valid token (with valid group and role) -envsubst < $(pwd)/config/authN-authZ/chatQnA_authN_oauth.yaml | kubectl apply -f - -envsubst < $(pwd)/config/authN-authZ/chatQnA_authZ_oauth.yaml | kubectl apply -f - +envsubst < $(pwd)/chatQnA_authN_oauth.yaml | kubectl apply -f - +envsubst < $(pwd)/chatQnA_authZ_oauth.yaml | kubectl apply -f - ``` **Validate authentication and authorization with UI service** diff --git a/microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml b/authN-authZ/chatQnA_authN_oauth.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml rename to authN-authZ/chatQnA_authN_oauth.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml b/authN-authZ/chatQnA_authZ_oauth.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml rename to authN-authZ/chatQnA_authZ_oauth.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml b/authN-authZ/chatQnA_istio_external_auth.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml rename to authN-authZ/chatQnA_istio_external_auth.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_ui_gateway.yaml b/authN-authZ/chatQnA_ui_gateway.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_ui_gateway.yaml rename to authN-authZ/chatQnA_ui_gateway.yaml diff --git a/microservices-connector/config/authN-authZ/docs/OPEA auth flow with OIDC provider.png b/authN-authZ/docs/OPEA auth flow with OIDC provider.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/OPEA auth flow with OIDC provider.png rename to authN-authZ/docs/OPEA auth flow with OIDC provider.png diff --git a/microservices-connector/config/authN-authZ/docs/OPEA auth flow with oauth2-proxy.png b/authN-authZ/docs/OPEA auth flow with oauth2-proxy.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/OPEA auth flow with oauth2-proxy.png rename to authN-authZ/docs/OPEA auth flow with oauth2-proxy.png diff --git a/microservices-connector/config/authN-authZ/docs/add_group_scope.png b/authN-authZ/docs/add_group_scope.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/add_group_scope.png rename to authN-authZ/docs/add_group_scope.png diff --git a/microservices-connector/config/authN-authZ/docs/add_mapper.png b/authN-authZ/docs/add_mapper.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/add_mapper.png rename to authN-authZ/docs/add_mapper.png diff --git a/microservices-connector/config/authN-authZ/docs/add_scope.png b/authN-authZ/docs/add_scope.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/add_scope.png rename to authN-authZ/docs/add_scope.png diff --git a/microservices-connector/config/authN-authZ/docs/attach_group_scope.png b/authN-authZ/docs/attach_group_scope.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/attach_group_scope.png rename to authN-authZ/docs/attach_group_scope.png diff --git a/microservices-connector/config/authN-authZ/docs/create_client_1.png b/authN-authZ/docs/create_client_1.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/create_client_1.png rename to authN-authZ/docs/create_client_1.png diff --git a/microservices-connector/config/authN-authZ/docs/create_client_2.png b/authN-authZ/docs/create_client_2.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/create_client_2.png rename to authN-authZ/docs/create_client_2.png diff --git a/microservices-connector/config/authN-authZ/docs/create_client_3.png b/authN-authZ/docs/create_client_3.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/create_client_3.png rename to authN-authZ/docs/create_client_3.png diff --git a/microservices-connector/config/authN-authZ/docs/create_realm.png b/authN-authZ/docs/create_realm.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/create_realm.png rename to authN-authZ/docs/create_realm.png diff --git a/microservices-connector/config/authN-authZ/docs/create_user.png b/authN-authZ/docs/create_user.png similarity index 100% rename from microservices-connector/config/authN-authZ/docs/create_user.png rename to authN-authZ/docs/create_user.png diff --git a/microservices-connector/config/authN-authZ/chatQnA_authN_fakejwt.yaml b/authN-authZ/gmc-based/chatQnA_authN_fakejwt.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_authN_fakejwt.yaml rename to authN-authZ/gmc-based/chatQnA_authN_fakejwt.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_authN_keycloak.yaml b/authN-authZ/gmc-based/chatQnA_authN_keycloak.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_authN_keycloak.yaml rename to authN-authZ/gmc-based/chatQnA_authN_keycloak.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_authZ_fakejwt.yaml b/authN-authZ/gmc-based/chatQnA_authZ_fakejwt.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_authZ_fakejwt.yaml rename to authN-authZ/gmc-based/chatQnA_authZ_fakejwt.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_authZ_keycloak.yaml b/authN-authZ/gmc-based/chatQnA_authZ_keycloak.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_authZ_keycloak.yaml rename to authN-authZ/gmc-based/chatQnA_authZ_keycloak.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_router_gateway.yaml b/authN-authZ/gmc-based/chatQnA_router_gateway.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_router_gateway.yaml rename to authN-authZ/gmc-based/chatQnA_router_gateway.yaml diff --git a/microservices-connector/config/authN-authZ/chatQnA_router_gateway_oauth.yaml b/authN-authZ/gmc-based/chatQnA_router_gateway_oauth.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/chatQnA_router_gateway_oauth.yaml rename to authN-authZ/gmc-based/chatQnA_router_gateway_oauth.yaml diff --git a/authN-authZ/helm-chart-based/chatQnA_authN_fakejwt.yaml b/authN-authZ/helm-chart-based/chatQnA_authN_fakejwt.yaml new file mode 100644 index 00000000..83e19006 --- /dev/null +++ b/authN-authZ/helm-chart-based/chatQnA_authN_fakejwt.yaml @@ -0,0 +1,14 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: fake-jwt-example +spec: + jwtRules: + - issuer: testing@secure.istio.io + jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.22/security/tools/jwt/samples/jwks.json + selector: + matchLabels: + app: chatqna diff --git a/authN-authZ/helm-chart-based/chatQnA_authN_keycloak.yaml b/authN-authZ/helm-chart-based/chatQnA_authN_keycloak.yaml new file mode 100644 index 00000000..5a274c0c --- /dev/null +++ b/authN-authZ/helm-chart-based/chatQnA_authN_keycloak.yaml @@ -0,0 +1,15 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: jwt-keycloak +spec: + jwtRules: + - issuer: http://${KEYCLOAK_ADDR}/realms/${REALM} + jwksUri: http://${KEYCLOAK_ADDR}/realms/${REALM}/protocol/openid-connect/certs + outputPayloadToHeader: jwt-parsed + selector: + matchLabels: + app: chatqna diff --git a/authN-authZ/helm-chart-based/chatQnA_authZ_fakejwt.yaml b/authN-authZ/helm-chart-based/chatQnA_authZ_fakejwt.yaml new file mode 100644 index 00000000..ae1a7e6e --- /dev/null +++ b/authN-authZ/helm-chart-based/chatQnA_authZ_fakejwt.yaml @@ -0,0 +1,21 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: fake-jwt-example +spec: + action: ALLOW + rules: + - from: + - source: + requestPrincipals: + - testing@secure.istio.io/testing@secure.istio.io + when: + - key: request.auth.claims[groups] + values: + - group1 + selector: + matchLabels: + app: chatqna diff --git a/authN-authZ/helm-chart-based/chatQnA_authZ_keycloak.yaml b/authN-authZ/helm-chart-based/chatQnA_authZ_keycloak.yaml new file mode 100644 index 00000000..308de0cc --- /dev/null +++ b/authN-authZ/helm-chart-based/chatQnA_authZ_keycloak.yaml @@ -0,0 +1,23 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: router +spec: + action: ALLOW + rules: + - when: + - key: request.auth.claims[iss] + values: + - 'http://${KEYCLOAK_ADDR}/realms/istio' + - key: request.auth.claims[preferred_username] + values: + - 'mary' + - key: request.auth.claims[realm_access][roles] + values: + - 'user' + selector: + matchLabels: + app: chatqna diff --git a/authN-authZ/helm-chart-based/chatQnA_router_gateway.yaml b/authN-authZ/helm-chart-based/chatQnA_router_gateway.yaml new file mode 100644 index 00000000..a5bb7570 --- /dev/null +++ b/authN-authZ/helm-chart-based/chatQnA_router_gateway.yaml @@ -0,0 +1,34 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: networking.istio.io/v1 +kind: Gateway +metadata: + name: router-gateway +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - '*' + port: + name: http + number: 80 + protocol: HTTP +--- +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: chatqna-router + namespace: chatqa +spec: + gateways: + - default/router-gateway + hosts: + - '*' + http: + - route: + - destination: + host: chatqna + port: + number: 8888 diff --git a/authN-authZ/helm-chart-based/chatQnA_router_gateway_oauth.yaml b/authN-authZ/helm-chart-based/chatQnA_router_gateway_oauth.yaml new file mode 100644 index 00000000..44ec18e3 --- /dev/null +++ b/authN-authZ/helm-chart-based/chatQnA_router_gateway_oauth.yaml @@ -0,0 +1,39 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +--- +apiVersion: networking.istio.io/v1 +kind: Gateway +metadata: + name: chatqna-gateway + namespace: istio-system +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - chatqna-service.com + port: + name: http + number: 80 + protocol: HTTP +--- +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: chatqna-virtual-service + namespace: istio-system +spec: + gateways: + - istio-system/chatqna-gateway + hosts: + - chatqna-service.com + http: + - match: + - uri: + prefix: / + route: + - destination: + host: chatqna.chatqa.svc.cluster.local + port: + number: 8888 diff --git a/microservices-connector/config/authN-authZ/keycloak_install.yaml b/authN-authZ/keycloak_install.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/keycloak_install.yaml rename to authN-authZ/keycloak_install.yaml diff --git a/microservices-connector/config/authN-authZ/oauth2_install.yaml b/authN-authZ/oauth2_install.yaml similarity index 100% rename from microservices-connector/config/authN-authZ/oauth2_install.yaml rename to authN-authZ/oauth2_install.yaml diff --git a/microservices-connector/usage_guide.md b/microservices-connector/usage_guide.md index 94725d18..fc9aa41e 100644 --- a/microservices-connector/usage_guide.md +++ b/microservices-connector/usage_guide.md @@ -276,4 +276,4 @@ No resources found in chatqa namespace. ## Use GMC and Istio to compose an OPEA Pipeline with authentication and authorization enabled -The critical steps of authentication and authorization are vital to maintaining the integrity and safety of our GenAI workload. Please check the [readme](config/authN-authZ/README.md) file for more details. +The critical steps of authentication and authorization are vital to maintaining the integrity and safety of our GenAI workload. Please check the [readme](../authN-authZ/README.md) file for more details.