/istio-keycloak-demo

Istio Keycloak Demo

Primary LanguageShellApache License 2.0Apache-2.0

Cars Application

Work in Progress …​

Pre-requisites

Download the sources

git clone https://github.com/kameshsampath/istio-keycloak-demo

We will call this folder as $DEMO_HOME in rest of the document.

Deploying Keycloak

Since Keycloak will be used as security provider

oc apply -f $DEMO_HOME/openshift-files/keycloak.yaml

To Open Keycloak WebConsole run the command minishift openshift service keycloak --in-browser

Using Keycloak WebConsole :

  • Create a Keycloak realm called istio

  • Create a public client called cars-web under realm istio

  • Create a role user under realm istio

    • Add a user say demo under realm istio and add the user to user role

Note
  • Keycloak is configured with default admin user admin and password admin

  • Work in progress do the above steps via Keycloak Admin API automatically

Building

Important
  • Since we will be doing manual kube-inject of Istio sidecars its required that you login to OpenShift as admin, to have permission to lookup configmaps in other namespaces especially from istio-system

  • oc adm policy add-scc-to-user privileged -z default -n <your project>

Cars API

./mvnw -Distio.home=[your istio home folder] clean package fabric8:build (1)
oc apply -f $DEMO_HOME/src/istio/istio-cars-api-0.0.1.yml (2)
  1. Build the app, create the kube-injected yaml and the docker image of the application

  2. Deploy the application to OpenShift

Create Istio Authentication Spec and Binding

To configure the JWT-Auth Filter and the required cluster we need to configure Istio

oc apply -f $DEMO_HOME/src/istio/car-api-auth_config.yaml

The End user auth spec will add JWT-Auth filter to the Mixer config of the cars-api application and add keycloak cluster to the CDS. Refer to Querying Istio section to know to query and check config

Create Istio mixer rule

Since we want to have only protected access to the application api cars-api list, we need to add Istio mixer rule that will allow only authorized users to access the API, the following command will help to create the rule,

istioctl create -f $DEMO_HOME/cars-api/src/istio/mixer-rule-only-authorized.yaml

Cars Web Application

Note
WIP post JWT-Auth change to configure the Keycloak Adapter url in a right way

Testing Application

Without Token

curl -vvv $(minishift openshift service cars-api)/cars/list

Above command you should see a response like UNKNOWN:handler.denier.default:Not Authorized as the API is protected

With Token

Generate Token

---
kubectl run -i --rm --restart=Never tokenizer --image=tutum/curl \
--command \
-- curl -X POST 'http://keycloak.istio-system:8080/auth/realms/istio/protocol/openid-connect/token' \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'username={demo-user}&password={demo-user}&grant_type=password&client_id=cars-web' | jq .access_token
---

The above command will output Authorization token from Keycloak, store the value in an environment variable called $token.

Once we have generated the token fire the command below with the token,

curl -vvv -H "Authorization: Bearer $token" $(minishift openshift service cars-api)/cars/list

Above command you should see a response like ["BMW","Hyundai Verna","Audi","Ferrari"]

Querying Istio

Istio LDS, CDS, SDS could be queried using the script available in https://github.com/istio/istio/blob/master/bin/istio-proxy-cfg

Querying LDS

To Query LDS run the following command

oc get pods (1)

istio-proxy-cfg lds sidecar <your pod id> (2)

minishift ssh <curl url from previous command> (3)
  1. find the pod id for cars-api

  2. this command will not succeed as the curl cant reach the istio from outside of minishift, by default we did not expose istio-pilot

  3. execute the curl command to see the LDS config

Querying CDS

To Query CDS run the following command

oc get pods (1)

istio-proxy-cfg cds sidecar <your pod id> (2)

minishift ssh <curl url from previous command> (3)
  1. find the pod id for cars-api

  2. this command will not succeed as the curl cant reach the istio from outside of minishift, by default we did not expose istio-pilot

  3. execute the curl command to see the CDS config, you will see an extra cluster added for keycloak based on the Create Istio Authentication Spec and Binding