Cars Application
Work in Progress …
Pre-requisites
- Minishift - Kubernetes platform
- Use the istio addon for minishift
- jq - will be used to parse JSON responses
Download the sources
git clone https://github.com/kameshsampath/istio-keycloak-demo
We will refer to the cloned folder as $DEMO_HOME in the rest of the document.
Deploying Keycloak
Since Keycloak will be used as the security provider, deploy it first:
oc apply -f $DEMO_HOME/openshift-files/keycloak.yaml
To open the Keycloak WebConsole run the command minishift openshift service keycloak --in-browser
Using the Keycloak WebConsole:
- Create a Keycloak realm called istio
- Create a public client called cars-web under realm istio
- Create a role user under realm istio
- Add a user, say demo, under realm istio and add the user to the user role
Building
Cars API
./mvnw -Distio.home=[your istio home folder] clean package fabric8:build (1)
oc apply -f $DEMO_HOME/src/istio/istio-cars-api-0.0.1.yml (2)
(1) Build the app, create the kube-injected yaml and the docker image of the application
(2) Deploy the application to OpenShift
Create Istio Authentication Spec and Binding
To configure the JWT-Auth filter and the keycloak cluster it needs, apply the Istio end-user authentication spec and binding:
oc apply -f $DEMO_HOME/src/istio/car-api-auth_config.yaml
The end-user auth spec adds the JWT-Auth filter to the sidecar proxy configuration of the cars-api application (visible in the LDS output)
and adds a keycloak cluster to the CDS, which the filter uses to fetch the realm's signing keys. Refer to the Querying Istio section to see how to query and check this config.
Create Istio mixer rule
The JWT-Auth filter only rejects requests whose token is missing or invalid. Since we want the cars-api list endpoint to be reachable
only by authorized users, we also need an Istio mixer rule that denies everyone else. The following command creates the rule:
istioctl create -f $DEMO_HOME/cars-api/src/istio/mixer-rule-only-authorized.yaml
Cars Web Application
Note: WIP, post JWT-Auth change, to configure the Keycloak Adapter url in the right way.
Testing Application
Without Token
curl -vvv $(minishift openshift service cars-api)/cars/list
From the above command you should see a response like UNKNOWN:handler.denier.default:Not Authorized, because the API
is protected and the request carried no token.
With Token
Generate Token
kubectl run -i --rm --restart=Never tokenizer --image=tutum/curl \
--command \
-- curl -X POST 'http://keycloak.istio-system:8080/auth/realms/istio/protocol/openid-connect/token' \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'username={demo-user}&password={demo-user}&grant_type=password&client_id=cars-web' | jq -r .access_token
The above command prints the access token issued by Keycloak (jq -r strips the surrounding quotes so the value can be used directly in a header).
Store the value in a shell variable called token, for example token=$(kubectl run ... | jq -r .access_token).
Note that the password grant (grant_type=password) only works if the cars-web client has Direct Access Grants enabled in Keycloak;
it is convenient for a demo but a real client should obtain its token through the browser-based authorization code flow rather than by handling the user's password.
Once we have generated the token, fire the command below with it:
curl -vvv -H "Authorization: Bearer $token" $(minishift openshift service cars-api)/cars/list
From the above command you should see a response like ["BMW","Hyundai Verna","Audi","Ferrari"]
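If the request with a token still comes back denied, it helps to look at what the token actually says before blaming the Istio config: the JWT-Auth filter decides on the issuer and expiry, the mixer rule on who the caller is. The script below is an added example and is not code from the istio-keycloak-demo repository. It assumes the issuer is the realm URL that the token endpoint above lives under (http://keycloak.istio-system:8080/auth/realms/istio), that the token carries Keycloak's azp and realm_access.roles claims, and that the rule wants the realm role user; check all three against car-api-auth_config.yaml and mixer-rule-only-authorized.yaml. To run offline it mints its own sample tokens with HS256 and a constructed secret; real Keycloak tokens are RS256-signed and the sidecar verifies them against the realm's JWKS, so the signature helper here is only for the constructed samples, and check_claims can be pointed at a real token pasted in.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Assumed values, derived from the token endpoint and Keycloak objects created above.
EXPECTED_ISSUER = "http://keycloak.istio-system:8080/auth/realms/istio"
EXPECTED_CLIENT = "cars-web"   # public client created in the Keycloak console
REQUIRED_ROLE = "user"         # realm role the demo user was added to


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Return {'header': ..., 'payload': ...}; raises ValueError on a malformed token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def verify_hs256(token: str, secret: bytes) -> bool:
    """Signature check for the constructed HS256 samples only (Keycloak uses RS256)."""
    try:
        signing_input, sig = token.rsplit(".", 1)
        expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(sig))
    except ValueError:
        return False


def check_claims(token: str, now: Optional[float] = None) -> List[str]:
    """List the reasons the JWT filter or the mixer rule would reject this token.

    An empty list means the claims look acceptable for GET /cars/list.
    """
    now = time.time() if now is None else now
    try:
        claims = decode_jwt(token)["payload"]
    except ValueError as exc:
        return [f"malformed token: {exc}"]

    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:            # JWT filter: issuer must match the auth spec
        problems.append(f"issuer {claims.get('iss')!r} is not {EXPECTED_ISSUER!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired")             # JWT filter: exp is mandatory and must be in the future
    if claims.get("azp") != EXPECTED_CLIENT:            # token was minted for another client
        problems.append(f"authorized party {claims.get('azp')!r} is not {EXPECTED_CLIENT!r}")
    roles = claims.get("realm_access", {}).get("roles", [])
    if REQUIRED_ROLE not in roles:                      # mixer rule: caller must hold the realm role
        problems.append(f"realm role {REQUIRED_ROLE!r} missing from {roles!r}")
    return problems


def sample_claims(now: float) -> dict:
    """Constructed claims shaped like a Keycloak access token for the demo user (not a captured token)."""
    return {
        "iss": EXPECTED_ISSUER,
        "sub": "00000000-0000-0000-0000-000000000000",  # constructed subject id
        "azp": EXPECTED_CLIENT,
        "preferred_username": "demo",
        "iat": int(now),
        "exp": int(now) + 300,
        "realm_access": {"roles": [REQUIRED_ROLE]},
    }


def make_token(claims: dict, secret: bytes = b"constructed-demo-secret") -> str:
    """Build an HS256 JWT from claims, a stand-in for Keycloak's RS256 tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


if __name__ == "__main__":
    now = time.time()
    good = make_token(sample_claims(now))
    print("good token :", check_claims(good, now) or "ok")
    # A token minted by a different realm is rejected by the JWT filter on issuer.
    foreign = dict(sample_claims(now), iss="http://keycloak.istio-system:8080/auth/realms/other")
    print("wrong realm:", check_claims(make_token(foreign), now))
    # A user without the 'user' role passes the JWT filter but not the mixer rule.
    no_role = dict(sample_claims(now), realm_access={"roles": []})
    print("no role    :", check_claims(make_token(no_role), now))
```

To inspect the token you generated above, run `python3 -c 'import sys, jwtcheck; print(jwtcheck.check_claims(sys.argv[1]))' "$token"` with the script saved as jwtcheck.py; a wrong issuer usually means the auth spec points at a different Keycloak URL than the one the realm reports in iss, which is the most common reason the filter keeps answering Not Authorized with a perfectly valid-looking token.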
Querying Istio
Istio LDS, CDS and SDS can be queried using the script available at https://github.com/istio/istio/blob/master/bin/istio-proxy-cfg
Querying LDS
To query LDS run the following commands:
oc get pods (1)
istio-proxy-cfg lds sidecar <your pod id> (2)
minishift ssh <curl url from previous command> (3)
(1) find the pod id for cars-api
(2) this command will not succeed on its own, as curl cannot reach Istio Pilot from outside of minishift (by default we did not expose istio-pilot); take the curl URL it prints
(3) execute the curl command inside the minishift VM to see the LDS config
Querying CDS
To query CDS run the following commands:
oc get pods (1)
istio-proxy-cfg cds sidecar <your pod id> (2)
minishift ssh <curl url from previous command> (3)
(1) find the pod id for cars-api
(2) this command will not succeed on its own, as curl cannot reach Istio Pilot from outside of minishift (by default we did not expose istio-pilot); take the curl URL it prints
(3) execute the curl command inside the minishift VM to see the CDS config; you will see an extra cluster added for keycloak, created by the spec and binding applied in Create Istio Authentication Spec and Binding