In ONAP4K8s, security (mutual TLS, authentication and authorization) and traffic management (load balancing, circuit breaking, traffic control and rate limiting) are not part of the ONAP4K8s micro-services. Likewise, log collection, metrics collection and distributed tracing for troubleshooting are not part of the ONAP4K8s micro-services. CNCF architecture is used for these, to improve productivity and reduce errors.

...

Steps for setting up ONAP4K8s with Istio + Authservice

Keycloak

Keycloak is an open source software product that provides single sign-on with identity management and access management. Keycloak is used here as an example of an IAM service to be used with EMCO.

In the Kubernetes cluster where Keycloak is going to be installed, follow these steps to create the Keycloak deployment:

...

Code block (yml): EMCO Installation - Gateway
$ kubectl create -n istio-system secret tls emco-credential --key=v2.key --cert=v2.crt

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: emco-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: emco-credential
    hosts:
    - "*"


...

Code block (yml): EMCO Installation - Virtual Service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: orchestrator
  namespace: emco
spec:
  hosts:
  - "*"
  gateways:
  - emco-gateway.istio-system.svc.cluster.local
  http:
  - match:
    - uri:
        prefix: /v2/oauth
    - uri:
        prefix: /v2
    route:
    - destination:
        port:
          number: 9015
        host: orchestrator

...

Code block (yml): EMCO Installation - Authentication Policy
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "emco-authn-policy"
  namespace: istio-system
spec:
  origins:
    - jwt:
        issuer: "https://<Keycloak IP Address:port>/auth/realms/enterprise1"
        jwksUri: "http://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/certs"
  principalBinding: USE_ORIGIN

Now when you try to access EMCO you'll get a 403 error (for example at https://<Istio Ingress service IP Address:port>/v2/projects).

Authservice Setup in Istio Ingress-gateway

Set up the ConfigMap required by Authservice.

...

Code block (yml): EMCO Installation - Authservice configmap
kind: ConfigMap
apiVersion: v1
metadata:
  name: emco-authservice-configmap
  namespace: istio-system
data:
  config.json: |
    {
      "listen_address": "127.0.0.1",
      "listen_port": "10003",
      "log_level": "trace",
      "threads": 8,
      "chains": [
        {
          "name": "idp_filter_chain",
          "filters": [
          {
            "oidc":
              {
                "authorization_uri": "https://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/auth",
                "token_uri": "https://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/token",
                "callback_uri": "https://<Istio Ingress service IP Address:port>/v2/oauth/callback",
                "jwks": "{Escaped Json output of the command --> curl http://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/certs}",
                "client_id": "emco",
                "client_secret": "Copy secret from keycloak",
                "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----CA Certificate for the keycloak server in escaped format----END CERTIFICATE-----",
                "scopes": [],
                "id_token": {
                  "preamble": "Bearer",
                  "header": "Authorization"
                },
                "access_token": {
                  "preamble": "Bearer",
                  "header": "Authorization"
                }
              }
            }
          ]
        }
      ]
    }
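
As an added example (not part of the original page, nor code from EMCO or Authservice), this Python helper builds the config.json above with the JWKS document and CA certificate escaped into JSON strings, and runs the consistency checks a reviewer would want before applying the ConfigMap. The Keycloak and ingress hostnames, the client secret, the JWKS document and the CA certificate are constructed placeholders; the routed prefixes are taken from the VirtualService shown earlier.

```python
import json
from urllib.parse import urlparse

# Constructed placeholders for <Keycloak IP Address:port> and <Istio Ingress service IP Address:port>.
KEYCLOAK = "https://keycloak.example.internal:8443"
INGRESS = "https://emco-ingress.example.internal"
REALM_URL = f"{KEYCLOAK}/auth/realms/enterprise1"          # issuer enforced by the Istio Policy
OIDC = f"{REALM_URL}/protocol/openid-connect"
ROUTED_PREFIXES = ["/v2/oauth", "/v2"]                     # from the VirtualService on this page
# Constructed JWKS document in the shape returned by .../openid-connect/certs (key material shortened).
JWKS_DOC = {"keys": [{"kid": "sample-kid", "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": "sample-modulus", "e": "AQAB"}]}
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsampleCA\n-----END CERTIFICATE-----\n"  # constructed

def build_authservice_config(jwks_doc, ca_pem, client_secret):
    """Build config.json as in the ConfigMap; jwks and the CA are embedded as single JSON strings."""
    oidc = {
        "authorization_uri": f"{OIDC}/auth",
        "token_uri": f"{OIDC}/token",
        "callback_uri": f"{INGRESS}/v2/oauth/callback",
        "jwks": json.dumps(jwks_doc, separators=(",", ":")),  # JSON nested inside a JSON string
        "client_id": "emco",
        "client_secret": client_secret,
        "trusted_certificate_authority": ca_pem,              # newlines serialise as \n
        "scopes": [],
        "id_token": {"preamble": "Bearer", "header": "Authorization"},
        "access_token": {"preamble": "Bearer", "header": "Authorization"},
    }
    return {"listen_address": "127.0.0.1", "listen_port": "10003", "log_level": "trace",
            "threads": 8, "chains": [{"name": "idp_filter_chain", "filters": [{"oidc": oidc}]}]}

def check_config(config, policy_issuer, routed_prefixes):
    """Consistency checks to run before applying the ConfigMap; returns a list of findings."""
    problems = []
    oidc = config["chains"][0]["filters"][0]["oidc"]
    try:                                                    # jwks must be a string holding a JWKS doc
        doc = json.loads(oidc["jwks"])
        keys = doc.get("keys", []) if isinstance(doc, dict) else []
    except (TypeError, ValueError):
        keys = []
    if not keys:
        problems.append("jwks is not an escaped JWKS document with at least one key")
    if not oidc["authorization_uri"].startswith(policy_issuer + "/"):   # Policy and OIDC realm agree
        problems.append("Policy issuer does not match the realm of authorization_uri")
    if not any(urlparse(oidc["callback_uri"]).path.startswith(p) for p in routed_prefixes):
        problems.append("callback_uri path is not routed by the VirtualService")  # login would 404
    if oidc["client_secret"] == "Copy secret from keycloak":              # template value left in
        problems.append("client_secret still holds the template placeholder")
    return problems
```

`json.dumps(build_authservice_config(...), indent=2)` gives the text to paste under `config.json: |` in the ConfigMap.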


...

https://github.com/istio-ecosystem/authservice/tree/master/bookinfo-example#istio-ingress-gateway-integration

Currently, there is no native way to install Authservice into the Istio ingress gateway, so we modify the istio-ingressgateway Deployment manually to add the Authservice container. Add the container below. Note: change the containers section of the ingress-gateway Deployment so that it can hold multiple containers.

Code block (yml): Authservice Container
$ kubectl edit deployments istio-ingressgateway -n istio-system

Under the containers section add:
      - name: authservice
        image: adrianlzt/authservice:0.3.1-d3cd2d498169
        imagePullPolicy: Always
        ports:
          - containerPort: 10003
        volumeMounts:
          - name: emco-authservice-configmap-volume
            mountPath: /etc/authservice

In the volumes section add:
      - name: emco-authservice-configmap-volume
        configMap:
          name: emco-authservice-configmap

...