eshepelyuk/apicurio-registry-helm

Support authentication via OIDC

kmandal-volvo opened this issue · 14 comments

Helm chart deployment works fine with persistency. Now I need to connect Apicurio CLI and API using OIDC (Curity); I need helm chart configuration for that implementation.

This feature is on the roadmap. There are 2 alternatives at the moment

  • internal keycloak integration, that might now work with other oidc providers
  • Adoption of OAuth2Proxy that has a wider range of supported providers

I consider the 2nd option more preferable since it can bring a better integration with different OIDC providers.

So, contributions are welcome.

internal keycloak integration, that might now work with other OIDC providers - There is no value option available in the helm chart in https://github.com/eshepelyuk/apicurio-registry-helm

registry: - registry: Additional property extraEnv is not allowed after adding

  image:
    registry: "quay.io"
    repository: "apicurio/apicurio-registry"
    tag: "2.0.0.Final"
  # list of name, value pairs of extra environment vars
  extraEnv:
    auth_enabled: true
    keycloak_url:
    keycloak_realm:
    keycloak_api_client_id: apicurio-registry
    keycloak_ui_client_id: registry-api

@kmandal-volvo

  1. You're using incorrect names for the env vars. You must follow the manual.
  2. Then, please use the following name / value pattern to declare them in helm values:
extraEnv: 
  - name: MY_VAR1
    value: MY_VAL1
  - name: MY_VAR2
    value: MY_VAL2

You are correct, it's my bad. After you closed the case I checked my other configuration and found the declared pattern. Please close the issue.

Hello @kmandal-volvo
Does it work for you? Please let me know, so I can add it to the documentation.

Added property extraEnv like below; now deployment is successful, but while launching the console or APIs it is not asking for OIDC authentication. All the property keys and values were added in lower case, as camel case was giving an issue during deployment, though the documentation gives camel case.

  image:
    registry: "quay.io"
    repository: "apicurio/apicurio-registry"
    tag: "2.0.1.Final"
  # list of name, value pairs of extra environment vars
  extraEnv:
    - name: "auth_enabled"
      value: "true"
    - name: "keycloak_url"
      value: "https://sso.api.xxxx/auth/realms/xxxxx/protocol/openid-connect/token"
    - name: "keycloak_realm"
      value: "xxxxxxxx"
    - name: "keycloak_api_client_id"
      value: "apicurio-registry"
    - name: "keycloak_ui_client_id"
      value: "registry-api"

@kmandal-volvo

why do you still not follow THE MANUAL when naming env variables?


Yes, first I followed the same way that is defined in the manual, but the registry pod is crashing with the issue given below

2021-07-26 10:34:25,296 INFO [org.apa.kaf.con.jso.JsonConverterConfig] (main) JsonConverterConfig values:
converter.type = key
decimal.format = BASE64
schemas.cache.size = 0
schemas.enable = true

2021-07-26 10:34:26,560 ERROR [io.qua.run.Application] (main) Failed to start application (with profile prod): io.vertx.core.impl.NoStackTraceThrowable: Not Found

  extraEnv:
    - name: "AUTH_ENABLED"
      value: "true"
    - name: "KEYCLOAK_URL"
      value: "https://sso.api.xxxx/auth/realms/xxxxx/protocol/openid-connect/token"
    - name: "KEYCLOAK_REALM"
      value: "xxxxx"
    - name: "KEYCLOAK_API_CLIENT_ID"
      value: "apicurio-registry"
    - name: "KEYCLOAK_UI_CLIENT_ID"
      value: "registry-api"

@kmandal-volvo you are ignoring the apicurio manual regarding keycloak parameter values and reporting bugs to my project expecting me to fix the bugs for you, which I don't have time for.
Since there are no issues with the helm chart, I am closing the issue.

I never claimed or opened this as a bug in your helm chart; I even asked last time to close the issue. It was reopened from your end and you asked me for feedback; then in reply I said that the same keys mentioned in the apicurio doc, in upper case, with the corresponding values which I configured in our Keycloak, also following the document, were getting that error during deployment. As it is "Error not found", I could not find the root cause, so I shared the same.

Not sure which configuration mentioned here is against the apicurio documentation.

registry:
  enabled: true

  ## uncomment and adjust for kafka persistence
  # kafka:
  #   bootstrapServers: kafka1:9092,kafka2:9092

  ## uncomment and adjust for sql persistence
  sql:
    url: jdbc:postgresql://host:port/Apicurio_schema?sslmode=require
    username: XXXXXXXX
    password: XXXXXXX

  image:
    registry: "quay.io"
    repository: "apicurio/apicurio-registry"
    tag: "2.0.1.Final"
  # list of name, value pairs of extra environment vars
  extraEnv:
    - name: "AUTH_ENABLED"
      value: "true"
    - name: "KEYCLOAK_URL"
      value: "https://sso.api.XXXXX/auth/realms/xxxxxxxxx/protocol/openid-connect/token"
    - name: "KEYCLOAK_REALM"
      value: "registry"
    - name: "KEYCLOAK_API_CLIENT_ID"
      value: "apicurio-registry"
    - name: "KEYCLOAK_UI_CLIENT_ID"
      value: "registry-api"
  resources: {}
    # limits:
    #   cpu: 1000m
    #   memory: 1300Mi
    # requests:
    #   cpu: 200m
    #   memory: 600Mi

sync:
  enabled: true
  image:
    registry: "quay.io"
    repository: "apicurio/apicurio-registry-kube-sync"
    tag: "latest-snapshot"
  # registryUrl:
  resources: {}
    # limits:
    #   cpu: 500m
    #   memory: 800Mi
    # requests:
    #   cpu: 200m
    #   memory: 600Mi

KEYCLOAK_URL value is absolutely not aligned with the documentation.
I just skim read the docs and immediately noticed that.

thanks
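As an added example (not part of this thread, the chart, or Apicurio itself), a small Python preflight check over the `registry` values that catches the three problems the thread runs into: `extraEnv` written as a mapping instead of a list, lowercase env var names, and a `KEYCLOAK_URL` that points at a realm or token endpoint instead of the Keycloak base URL. It assumes the registry builds its OIDC issuer as `KEYCLOAK_URL` plus `/realms/<KEYCLOAK_REALM>` (an assumption based on the Apicurio 2.x configuration, not stated in this thread); hostnames and the realm in the samples are placeholders.

```python
import re

# Env var names documented for the Apicurio Registry 2.x Keycloak integration (as used in the thread).
KEYCLOAK_VARS = {"AUTH_ENABLED", "KEYCLOAK_URL", "KEYCLOAK_REALM",
                 "KEYCLOAK_API_CLIENT_ID", "KEYCLOAK_UI_CLIENT_ID"}
# A realm or endpoint path inside KEYCLOAK_URL means a token/realm URL was pasted instead of the base URL.
BAD_URL_SUFFIX = re.compile(r"/realms/|/protocol/openid-connect|/\.well-known/")

def check_extra_env(registry_values):
    """Return findings for registry.extraEnv; an empty list means the values look right."""
    extra = registry_values.get("extraEnv")
    if not isinstance(extra, list):
        # The chart schema wants a list of {name, value} items; a plain mapping fails validation.
        return ["extraEnv must be a list of name/value pairs, not a mapping"]
    findings, env = [], {}
    for item in extra:
        if not isinstance(item, dict) or "name" not in item:
            findings.append(f"malformed extraEnv item: {item!r}")
            continue
        name = item["name"]
        if name != name.upper() and name.upper() in KEYCLOAK_VARS:
            findings.append(f"{name}: env var names are case-sensitive, use {name.upper()}")
        env[name] = str(item.get("value", ""))
    if env.get("AUTH_ENABLED") == "true":
        for required in ("KEYCLOAK_URL", "KEYCLOAK_REALM"):
            if not env.get(required):
                findings.append(f"{required} is required when AUTH_ENABLED=true")
        if BAD_URL_SUFFIX.search(env.get("KEYCLOAK_URL", "")):
            findings.append("KEYCLOAK_URL must be the Keycloak base URL, not a realm or token endpoint")
    return findings

def discovery_url(keycloak_url, realm):
    """OIDC discovery URL the registry would fetch (assumed: KEYCLOAK_URL + /realms/<realm>)."""
    return f"{keycloak_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"

# Constructed samples mirroring the thread's attempts; hosts and realm are placeholders.
ATTEMPT_MAPPING = {"extraEnv": {"auth_enabled": True, "keycloak_url": None}}
ATTEMPT_LOWERCASE = {"extraEnv": [{"name": "auth_enabled", "value": "true"},
                                  {"name": "keycloak_realm", "value": "registry"}]}
TOKEN_URL = "https://sso.example.test/auth/realms/registry/protocol/openid-connect/token"
ATTEMPT_TOKEN_URL = {"extraEnv": [{"name": "AUTH_ENABLED", "value": "true"},
                                  {"name": "KEYCLOAK_URL", "value": TOKEN_URL},
                                  {"name": "KEYCLOAK_REALM", "value": "registry"}]}
CORRECTED = {"extraEnv": [{"name": "AUTH_ENABLED", "value": "true"},
                          {"name": "KEYCLOAK_URL", "value": "https://sso.example.test/auth"},
                          {"name": "KEYCLOAK_REALM", "value": "registry"}]}
```

Running `discovery_url` on the token-endpoint value shows why discovery fails: the realm path is appended to the token path, which no Keycloak server serves.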