Versions Compared

Old Version 4

changes.mady.by.user Former user

Saved on

compared with

New Version 5

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In ONAP4K8s no security (Mutual TLS, Authentication and Authorization) and traffic management (Load balancing, Circuit breaking, Traffic control & rate limiting) are not part of the ONAP4K8s micro-services. Also, log collection, metrics collection and distributed tracing for troubleshooting are all not part of the ONAP4K8s micro-services. CNCF architecture is used for these to improve productivity and reduce the errors.

...

Steps for setting up ONAP4K8s with Istio + Authservice

Keycloak 

Keycloak is an open source software product to allow single sign-on with Identity Management and Access Management. Keycloak is being used here as an example of IAM service to be used with EMCO.

In a kubernetes cluster where Keycloak is going to be installed follow these steps to create keyclock deployment:

...

  • Create a new Realm - ex: enterprise1
  • Add Users
  • Create a new Client under realm  name - ex: emco
  • Under Setting for client
    • Change assess type for client to confidential
    • Under Authentication Flow Overrides - Change Direct grant flow to direct grant
    • Update Valid Redirect URIs.
  • In Roles tab:
    • Add roles (ex. Admin and User)
    • Under Users assign roles from emco client to users ( Admin and User). Verify under Emco Client roles for user are in the role

For complete documentation of Keycloak refer to these links:

...

  • Add Mappers
    • Under Emco Client under mapper tab create a mapper
      •  Mapper type - User Client role
      • Client-ID: emco
      • Token claim name: role
      • Claim JSON Type: string

For complete documentation of Keycloak refer to these links:

https://www.keycloak.org/getting-started/getting-started-kube

...

Now when you try to assess EMCO you'll get 403 error. [https://<Istio Ingress service IP Address:port>/v2/projects]

Authservice Setup in Istio Ingress-gateway

Setup configmap required by Authservice.

...

https://github.com/istio-ecosystem/authservice/tree/master/bookinfo-example#istio-ingress-gateway-integration

Currently, there is not yet a native way to install Authservice into the Istio Ingress-gateway. We are manually modifying the Deployment of istio-ingressgateway to add the Authservice container. Add the contianer below. Note: Change the container section in ingress-gateway deployment to make it possible to add multiple containers.

Code Block
languageyml
titleAuthservice Container
$ kubectl edit  deployments istio-ingressgateway -n istio-system
Under containers section add:
- name: authservice
        image: adrianlzt/authservice:0.3.1-d3cd2d498169
        imagePullPolicy: Always
        ports:
          - containerPort: 10003
        volumeMounts:
          - name: emco-authservice-configmap-volume
            mountPath: /etc/authservice

In the volumes section add:
     - name: emco-authservice-configmap-volume
        configMap:
          name: emco-authservice-configmap

...

Try accessing EMCO URL agian [https://<Istio Ingress service IP Address:port>/v2/projects]. This will take you to the Keycloak login page and from there user can get authenticated before allowed to access EMCO resources.

Setup with multiple OAuth2 Servers.

The following changes are required if different OAuth2 servers are needed for different projects. All other configurations remain the same.

Create virtual service to support multiple servers

...

Code Block
languageyml
titleAuthentication Policy
---
  apiVersion: "authentication.istio.io/v1alpha1"
  kind: "Policy"
  metadata:
    name: "orchestrator-authn-policy"
    namespace: istio-system
  spec:
    origins:
      - jwt:
          issuer: "https://x.x.x.x:31567<url>/auth/realms/enterprise1"
          jwksUri: "http://x.x.x.x:32431<url>/auth/realms/enterprise1/protocol/openid-connect/certs"
      - jwt:
          issuer: "https://x.x.x.x:31567<url>/auth/realms/enterprise2"
          jwksUri: "http://x.x.x.x:32431/<url>/auth/realms/enterprise2/protocol/openid-connect/certs"
    principalBinding: USE_ORIGIN

...

Code Block
languageyml
titleAuthservice configmap
---
kind: ConfigMap
apiVersion: v1
metadata:
name: emco-authservice-configmap
namespace: istio-system
data:
config.json: |
  {
    "listen_address": "127.0.0.1",
    "listen_port": "10003",
    "log_level": "trace",
    "threads": 8,
    "chains": [
      {
        "name": "idp_filter_chain_1",
        "match": {
          "header": ":path",
          "prefix": "/v2/projects/enterprise1"
        },
        "filters": [
        {
          "oidc":
            {
              "authorization_uri": "https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/auth",
              "token_uri": "https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/token",
              "callback_uri": "https://x.x.x.x:<port>/v2/projects/enterprise1/oauth/callback",
              "jwks": "{\"keys\":[{\"kid\":\"xxxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"zzzzzzz\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"z7Qrc2nAlK8EVmkiKtz0bOWxugE\",\"x5t#S256\":\"xxxxxxxxx\"}]}",
              "client_id": "emco",
              "client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
              "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
              "scopes": [],
              "id_token": {
                "preamble": "Bearer",
                "header": "Authorization"
              },
              "access_token": {
                "preamble": "Bearer",
                "header": "Authorization"
              }
            }
          }
        ]
      },
      {
        "name": "idp_filter_chain_2",
        "match": {
          "header": ":path",
          "prefix": "/v2/projects/enterprise2"
        },
        "filters": [
        {
          "oidc":
            {
              "authorization_uri": "https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/auth",
              "token_uri": "https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/token",
              "callback_uri": "https://x.x.x.x:<port>/v2/projects/enterprise2/oauth/callback",
              "jwks": "{\"keys\":[{\"kid\":\"xxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"xxxx\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"xxxxxxx\",\"x5t#S256\":\"xxxxxxx\"}]}",
              "client_id": "emco",
              "client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
              "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
              "scopes": [],
              "id_token": {
                "preamble": "Bearer",
                "header": "Authorization"
              },
              "access_token": {
                "preamble": "Bearer",
                "header": "Authorization"
              }
            }
          }
        ]
      }
    ]
  }

Authorization Policies with Istio 

As specified in Keycloak  section Role Mappers are created using Keycloak. These can be used apply authorizations for users. Some examples the can used:

Code Block
languageyml
titleAuthorization Policies
apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: allow-admin
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - when:
    - key: request.auth.claims[role]
      values: ["ADMIN"]

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-user
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/v2/projects/enterprise1/*"]
    when:
    - key: request.auth.claims[role]
      values: ["USER"]