Work in Progress …
-
Minishift - Kubernetes platform
-
Use the istio addon for minishift
-
jq - will be used to parse JSON responses
git clone https://github.com/kameshsampath/istio-keycloak-demo
We will call this folder as $DEMO_HOME
in rest of the document.
Since Keycloak will be used as security provider
oc apply -f $DEMO_HOME/openshift-files/keycloak.yaml
To Open Keycloak WebConsole run the command minishift openshift service keycloak --in-browser
Using Keycloak WebConsole :
-
Create a Keycloak realm called
istio
-
Create a public client called
cars-web
under realmistio
-
Create a role
user
under realmistio
-
Add a user say
demo
under realmistio
and add the user touser
role
-
Note
|
|
Important
|
|
./mvnw -Distio.home=[your istio home folder] clean package fabric8:build (1)
oc apply -f $DEMO_HOME/src/istio/istio-cars-api-0.0.1.yml (2)
-
Build the app, create the kube-injected yaml and the docker image of the application
-
Deploy the application to OpenShift
To configure the JWT-Auth Filter and the required cluster we need to configure Istio
oc apply -f $DEMO_HOME/src/istio/car-api-auth_config.yaml
The End user auth spec will add JWT-Auth filter to the Mixer config of the cars-api application
and add keycloak
cluster to the CDS. Refer to Querying Istio section to know to query and check config
Since we want to have only protected access to the application api cars-api
list, we need to add Istio mixer rule that will allow
only authorized users to access the API, the following command will help to create the rule,
istioctl create -f $DEMO_HOME/cars-api/src/istio/mixer-rule-only-authorized.yaml
curl -vvv $(minishift openshift service cars-api)/cars/list
Above command you should see a response like UNKNOWN:handler.denier.default:Not Authorized
as the API
is protected
---
kubectl run -i --rm --restart=Never tokenizer --image=tutum/curl \
--command \
-- curl -X POST 'http://keycloak.istio-system:8080/auth/realms/istio/protocol/openid-connect/token' \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'username={demo-user}&password={demo-user}&grant_type=password&client_id=cars-web' | jq .access_token
---
The above command will output Authorization token from Keycloak, store the value in an environment variable called $token
.
Once we have generated the token fire the command below with the token,
curl -vvv -H "Authorization: Bearer $token" $(minishift openshift service cars-api)/cars/list
Above command you should see a response like ["BMW","Hyundai Verna","Audi","Ferrari"]
Istio LDS, CDS, SDS could be queried using the script available in https://github.com/istio/istio/blob/master/bin/istio-proxy-cfg
To Query LDS run the following command
oc get pods (1)
istio-proxy-cfg lds sidecar <your pod id> (2)
minishift ssh <curl url from previous command> (3)
-
find the pod id for cars-api
-
this command will not succeed as the curl cant reach the istio from outside of minishift, by default we did not expose istio-pilot
-
execute the curl command to see the LDS config
To Query CDS run the following command
oc get pods (1)
istio-proxy-cfg cds sidecar <your pod id> (2)
minishift ssh <curl url from previous command> (3)
-
find the pod id for cars-api
-
this command will not succeed as the curl cant reach the istio from outside of minishift, by default we did not expose istio-pilot
-
execute the curl command to see the CDS config, you will see an extra cluster added for keycloak based on the Create Istio Authentication Spec and Binding