Support authentication via OIDC
kmandal-volvo opened this issue · 14 comments
Helm chart deployment works fine with persistence. Now I need to connect the Apicurio CLI and API using OIDC (Curity); I need helm chart configuration for that implementation.
This feature is on the roadmap. There are 2 alternatives at the moment:
- internal Keycloak integration, that might not work with other OIDC providers
- adoption of OAuth2Proxy, which has a wider range of supported providers
I consider the 2nd option preferable since it can bring better integration with different OIDC providers.
So, contributions are welcome.
internal Keycloak integration, that might not work with other OIDC providers - there is no value option available for this in the helm chart in https://github.com/eshepelyuk/apicurio-registry-helm

I get `registry: Additional property extraEnv is not allowed` after adding:

```yaml
image:
  registry: "quay.io"
  repository: "apicurio/apicurio-registry"
  tag: "2.0.0.Final"
# list of name, value pairs of extra environment vars
extraEnv:
  auth_enabled: true
  keycloak_url:
  keycloak_realm:
  keycloak_api_client_id: apicurio-registry
  keycloak_ui_client_id: registry-api
```
- You're using incorrect names for the env vars; you must follow the manual.
- Then, please use the following name / value pattern to declare them in helm values:

```yaml
extraEnv:
  - name: MY_VAR1
    value: MY_VAL1
  - name: MY_VAR2
    value: MY_VAL2
```
You are correct, it's my bad. After you closed the case I checked my other configuration and found the declared pattern. Please close the issue.
Hello @kmandal-volvo
Does it work for you? Please let me know, so I can add it to the documentation.
I added the property extraEnv like below; now the deployment is successful, but when launching the console or the APIs it is not asking for OIDC authentication. All the property keys were added in lower case, because using them as in the documentation (upper case) gives an issue during deployment.

```yaml
image:
  registry: "quay.io"
  repository: "apicurio/apicurio-registry"
  tag: "2.0.1.Final"
# list of name, value pairs of extra environment vars
extraEnv:
  - name: "auth_enabled"
    value: "true"
  - name: "keycloak_url"
    value: "https://sso.api.xxxx/auth/realms/xxxxx/protocol/openid-connect/token"
  - name: "keycloak_realm"
    value: "xxxxxxxx"
  - name: "keycloak_api_client_id"
    value: "apicurio-registry"
  - name: "keycloak_ui_client_id"
    value: "registry-api"
```
Yes, first I followed the same way that is defined in the manual, but the registry pod crashes with the issue given below:

```
2021-07-26 10:34:25,296 INFO [org.apa.kaf.con.jso.JsonConverterConfig] (main) JsonConverterConfig values:
	converter.type = key
	decimal.format = BASE64
	schemas.cache.size = 0
	schemas.enable = true
2021-07-26 10:34:26,560 ERROR [io.qua.run.Application] (main) Failed to start application (with profile prod): io.vertx.core.impl.NoStackTraceThrowable: Not Found
```

```yaml
extraEnv:
  - name: "AUTH_ENABLED"
    value: "true"
  - name: "KEYCLOAK_URL"
    value: "https://sso.api.xxxx/auth/realms/xxxxx/protocol/openid-connect/token"
  - name: "KEYCLOAK_REALM"
    value: "xxxxx"
  - name: "KEYCLOAK_API_CLIENT_ID"
    value: "apicurio-registry"
  - name: "KEYCLOAK_UI_CLIENT_ID"
    value: "registry-api"
```
@kmandal-volvo you are ignoring the Apicurio manual regarding Keycloak parameter values and reporting bugs to my project, expecting me to fix the bugs for you, which I don't have time for.
Since there are no issues with the helm chart, I am closing the issue.
I never claimed or opened this as a bug in your helm chart; I even asked last time to close the issue. It was reopened from your end and you asked me for feedback, so in reply I said that the same keys mentioned in the Apicurio doc, in upper case, with the corresponding values which I configured in our Keycloak (also following the document), get that error while deploying. As it is "Error not found" without the root cause, I shared the same.
Not sure which configuration mentioned here is against the Apicurio documentation.

```yaml
registry:
  enabled: true
  ## uncomment and adjust for kafka persistence
  # kafka:
  #   bootstrapServers: kafka1:9092,kafka2:9092
  ## uncomment and adjust for sql persistence
  sql:
    url: jdbc:postgresql://host:port/Apicurio_schema?sslmode=require
    username: XXXXXXXX
    password: XXXXXXX
  image:
    registry: "quay.io"
    repository: "apicurio/apicurio-registry"
    tag: "2.0.1.Final"
  # list of name, value pairs of extra environment vars
  extraEnv:
    - name: "AUTH_ENABLED"
      value: "true"
    - name: "KEYCLOAK_URL"
      value: "https://sso.api.XXXXX/auth/realms/xxxxxxxxx/protocol/openid-connect/token"
    - name: "KEYCLOAK_REALM"
      value: "registry"
    - name: "KEYCLOAK_API_CLIENT_ID"
      value: "apicurio-registry"
    - name: "KEYCLOAK_UI_CLIENT_ID"
      value: "registry-api"
  resources: {}
  # limits:
  #   cpu: 1000m
  #   memory: 1300Mi
  # requests:
  #   cpu: 200m
  #   memory: 600Mi
sync:
  enabled: true
  image:
    registry: "quay.io"
    repository: "apicurio/apicurio-registry-kube-sync"
    tag: "latest-snapshot"
  # registryUrl:
  resources: {}
  # limits:
  #   cpu: 500m
  #   memory: 800Mi
  # requests:
  #   cpu: 200m
  #   memory: 600Mi
```
KEYCLOAK_URL value is absolutely not aligned with the documentation.
I just skim-read the docs and immediately noticed that.
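A pre-install check for the two mistakes that run through this thread: extraEnv written as a map instead of the list of name/value pairs the chart accepts, lower-case variable names, and a KEYCLOAK_URL that points at a realm's token endpoint. This is an added example, not code from the chart or from Apicurio; it assumes the manual expects the Keycloak auth server base URL in KEYCLOAK_URL, and the sample host is a placeholder.

```python
"""Lint the auth-related extraEnv values of an apicurio-registry-helm release.

Added example, not code from the chart or from Apicurio. Works on the values
as Python dicts (what yaml.safe_load would return) so it runs offline."""
import re

# Env var names the Apicurio 2.x manual uses for Keycloak auth, as quoted in the thread.
EXPECTED_NAMES = {"AUTH_ENABLED", "KEYCLOAK_URL", "KEYCLOAK_REALM",
                  "KEYCLOAK_API_CLIENT_ID", "KEYCLOAK_UI_CLIENT_ID"}
REALM_ENDPOINT = re.compile(r"/realms/[^/]+/protocol/openid-connect/")


def to_list_form(extra_env):
    """Rewrite a map-style extraEnv into the list form the chart schema allows.

    Env values are strings in a pod spec, so YAML booleans become "true"/"false".
    List-style input is returned with its values stringified, names untouched."""
    def as_str(v):
        return str(v).lower() if isinstance(v, bool) else str(v)
    if isinstance(extra_env, dict):
        return [{"name": k, "value": as_str(v)} for k, v in extra_env.items()]
    return [{"name": e["name"], "value": as_str(e["value"])} for e in extra_env]


def lint_auth_env(extra_env):
    """Return the problems found (an empty list means the values look right)."""
    entries = to_list_form(extra_env)
    problems = [f"{e['name']}: names must be upper case"
                for e in entries if e["name"] != e["name"].upper()]
    env = {e["name"].upper(): e["value"] for e in entries}  # case-folded view
    if env.get("AUTH_ENABLED") == "true":
        missing = EXPECTED_NAMES - set(env)
        if missing:
            problems.append("missing: " + ", ".join(sorted(missing)))
        url = env.get("KEYCLOAK_URL", "")
        # Assumption: the manual wants the Keycloak base URL (".../auth"); the
        # value in the thread points at a realm's token endpoint instead.
        if REALM_ENDPOINT.search(url):
            problems.append("KEYCLOAK_URL: realm endpoint given, expected auth server base URL")
        if url and not url.startswith("https://"):
            problems.append("KEYCLOAK_URL: not https, tokens would be sent in clear")
    return problems


# Constructed sample mirroring the thread's lower-case attempt (placeholder host).
THREAD_VALUES = {
    "auth_enabled": True,
    "keycloak_url": "https://sso.example.invalid/auth/realms/registry/protocol/openid-connect/token",
    "keycloak_realm": "registry",
    "keycloak_api_client_id": "apicurio-registry",
    "keycloak_ui_client_id": "registry-api",
}

if __name__ == "__main__":
    for problem in lint_auth_env(THREAD_VALUES):
        print(problem)
```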
thanks