= Cars Application

Work in Progress ...

== Pre-requisites

• https://github.com/minishift/minishift#[Minishift] - Kubernetes platform
• Use the https://github.com/minishift/minishift-addons/tree/master/add-ons/istio#[istio addon for minishift]
• https://stedolan.github.io/jq/[jq] - will be used to parse JSON responses

== Download the sources

[source,sh]

git clone https://github.com/kameshsampath/istio-keycloak-demo

We will call this folder as $DEMO_HOME in rest of the document.

== Deploying Keycloak

Since Keycloak will be used as security provider

[source,sh]

oc apply -f $DEMO_HOME/openshift-files/keycloak.yaml

To Open Keycloak WebConsole run the command minishift openshift service keycloak --in-browser

Using Keycloak WebConsole :

• Create a Keycloak realm called istio
• Create a public client called cars-web under realm istio
• Create a role user under realm istio ** Add a user say demo under realm istio and add the user to user role

[NOTE]

• Keycloak is configured with default admin user admin and password admin

• Work in progress do the above steps via Keycloak Admin API automatically

== Building

[IMPORTANT]

• Since we will be doing manual kube-inject of Istio sidecars its required that you login to OpenShift as admin, to have permission to lookup configmaps in other namespaces especially from istio-system

• oc adm policy add-scc-to-user privileged -z default -n

[[cars-api]] === Cars API

[source,sh]

./mvnw -Distio.home=[your istio home folder] clean package fabric8:build <1> oc apply -f $DEMO_HOME/src/istio/istio-cars-api-0.0.1.yml <2>

<1> Build the app, create the kube-injected yaml and the docker image of the application <2> Deploy the application to OpenShift [[cars-api-auth-spec]] === Create Istio Authentication Spec and Binding To configure the JWT-Auth Filter and the required cluster we need to configure Istio [source,sh] ---- oc apply -f $DEMO_HOME/src/istio/car-api-auth_config.yaml ---- The End user auth spec will add JWT-Auth filter to the Mixer config of the cars-api application and add `keycloak` cluster to the CDS. Refer to <> section to know to query and check config [[cars-api-mixer-rule]] === Create Istio mixer rule Since we want to have only protected access to the application api `cars-api` list, we need to add Istio mixer rule that will allow only authorized users to access the API, the following command will help to create the rule, [source,sh] ---- istioctl create -f $DEMO_HOME/cars-api/src/istio/mixer-rule-only-authorized.yaml ---- [[cars-web-app]] === Cars Web Application NOTE: WIP post JWT-Auth change to configure the Keycloak Adapter url in a right way [[testing-app]] == Testing Application [[testing-without-token]] === Without Token [source,sh] ---- curl -vvv $(minishift openshift service cars-api)/cars/list ---- Above command you should see a response like `UNKNOWN:handler.denier.default:Not Authorized` as the API is protected [[testing-with-token]] === With Token [[testing-with-token-gen]] ==== Generate Token [source,sh] --- kubectl run -i --rm --restart=Never tokenizer --image=tutum/curl \ --command \ -- curl -X POST 'http://keycloak.istio-system:8080/auth/realms/istio/protocol/openid-connect/token' \ -H "Content-Type: application/x-www-form-urlencoded" \ -d 'username={demo-user}&password={demo-user}&grant_type=password&client_id=cars-web' | jq .access_token --- The above command will output Authorization token from Keycloak, store the value in an environment variable called `$token`. Once we have generated the token fire the command below with the token, [source,sh] ---- curl -vvv -H "Authorization: Bearer $token" $(minishift openshift service cars-api)/cars/list ---- Above command you should see a response like `["BMW","Hyundai Verna","Audi","Ferrari"]` [[query-istio]] == Querying Istio Istio LDS, CDS, SDS could be queried using the script available in https://github.com/istio/istio/blob/master/bin/istio-proxy-cfg [[query-istio-lds]] === Querying LDS To Query https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/lds#[LDS] run the following command [source,sh] ---- oc get pods <1> istio-proxy-cfg lds sidecar <2> minishift ssh <3> ---- <1> find the pod id for cars-api <2> this command will not succeed as the curl cant reach the istio from outside of minishift, by default we did not expose istio-pilot <3> execute the curl command to see the LDS config [[query-istio-cds]] === Querying CDS To Query https://www.envoyproxy.io/docs/envoy/latest/configuration/cluster_manager/cds#[CDS] run the following command [source,sh] ---- oc get pods <1> istio-proxy-cfg cds sidecar <2> minishift ssh <3> ---- <1> find the pod id for cars-api <2> this command will not succeed as the curl cant reach the istio from outside of minishift, by default we did not expose istio-pilot <3> execute the curl command to see the CDS config, you will see an extra cluster added for keycloak based on the <>