= Cars Application
Work in Progress ...
== Pre-requisites
== Download the sources
[source,sh]
We will call this folder as $DEMO_HOME
in rest of the document.
== Deploying Keycloak
Since Keycloak will be used as security provider
[source,sh]
oc apply -f $DEMO_HOME/openshift-files/keycloak.yaml
To Open Keycloak WebConsole run the command minishift openshift service keycloak --in-browser
Using Keycloak WebConsole :
- Create a Keycloak realm called
istio
- Create a public client called
cars-web
under realm istio
- Create a role
user
under realm istio
** Add a user say demo
under realm istio
and add the user to user
role
[NOTE]
- Keycloak is configured with default admin user
admin
and password admin
-
Work in progress do the above steps via Keycloak Admin API automatically
== Building
[IMPORTANT]
- Since we will be doing manual kube-inject of Istio sidecars its required that you login to OpenShift as
admin
, to have permission
to lookup configmaps in other namespaces especially from istio-system
-
oc adm policy add-scc-to-user privileged -z default -n
[[cars-api]]
=== Cars API
[source,sh]
./mvnw -Distio.home=[your istio home folder] clean package fabric8:build <1>
oc apply -f $DEMO_HOME/src/istio/istio-cars-api-0.0.1.yml <2>
<1> Build the app, create the kube-injected yaml and the docker image of the application
<2> Deploy the application to OpenShift
[[cars-api-auth-spec]]
=== Create Istio Authentication Spec and Binding
To configure the JWT-Auth Filter and the required cluster we need to configure Istio
[source,sh]
----
oc apply -f $DEMO_HOME/src/istio/car-api-auth_config.yaml
----
The End user auth spec will add JWT-Auth filter to the Mixer config of the cars-api application
and add `keycloak` cluster to the CDS. Refer to <
> section to know to query and check config
[[cars-api-mixer-rule]]
=== Create Istio mixer rule
Since we want to have only protected access to the application api `cars-api` list, we need to add Istio mixer rule that will allow
only authorized users to access the API, the following command will help to create the rule,
[source,sh]
----
istioctl create -f $DEMO_HOME/cars-api/src/istio/mixer-rule-only-authorized.yaml
----
[[cars-web-app]]
=== Cars Web Application
NOTE: WIP post JWT-Auth change to configure the Keycloak Adapter url in a right way
[[testing-app]]
== Testing Application
[[testing-without-token]]
=== Without Token
[source,sh]
----
curl -vvv $(minishift openshift service cars-api)/cars/list
----
Above command you should see a response like `UNKNOWN:handler.denier.default:Not Authorized` as the API
is protected
[[testing-with-token]]
=== With Token
[[testing-with-token-gen]]
==== Generate Token
[source,sh]
---
kubectl run -i --rm --restart=Never tokenizer --image=tutum/curl \
--command \
-- curl -X POST 'http://keycloak.istio-system:8080/auth/realms/istio/protocol/openid-connect/token' \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'username={demo-user}&password={demo-user}&grant_type=password&client_id=cars-web' | jq .access_token
---
The above command will output Authorization token from Keycloak, store the value in an environment variable called `$token`.
Once we have generated the token fire the command below with the token,
[source,sh]
----
curl -vvv -H "Authorization: Bearer $token" $(minishift openshift service cars-api)/cars/list
----
Above command you should see a response like `["BMW","Hyundai Verna","Audi","Ferrari"]`
[[query-istio]]
== Querying Istio
Istio LDS, CDS, SDS could be queried using the script available in https://github.com/istio/istio/blob/master/bin/istio-proxy-cfg
[[query-istio-lds]]
=== Querying LDS
To Query https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/lds#[LDS] run the following command
[source,sh]
----
oc get pods <1>
istio-proxy-cfg lds sidecar <2>
minishift ssh <3>
----
<1> find the pod id for cars-api
<2> this command will not succeed as the curl cant reach the istio from outside of minishift,
by default we did not expose istio-pilot
<3> execute the curl command to see the LDS config
[[query-istio-cds]]
=== Querying CDS
To Query https://www.envoyproxy.io/docs/envoy/latest/configuration/cluster_manager/cds#[CDS] run the following command
[source,sh]
----
oc get pods <1>
istio-proxy-cfg cds sidecar <2>
minishift ssh <3>
----
<1> find the pod id for cars-api
<2> this command will not succeed as the curl cant reach the istio from outside of minishift,
by default we did not expose istio-pilot
<3> execute the curl command to see the CDS config, you will see an extra cluster added
for keycloak based on the <>