Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In ONAP4K8s no security (Mutual TLS, Authentication and Authorization) and traffic management (Load balancing, Circuit breaking, Traffic control & rate limiting) are not part of the ONAP4K8s micro-services. Also, log collection, metrics collection and distributed tracing for troubleshooting are all not part of the ONAP4K8s micro-services. CNCF architecture is used for these to improve productivity and reduce the errors.

To achieve the above goals ISTIO is used by ONAP4K8s for providing following:

  • Mutual TLS among the internal micro-services.
  • Terminate connections coming from external entities (Ingress)
  • Traffic Management - Load balancing & Circuit breaking.
  • Observability along with Kiali.

Table of Contents

Authentication with Emco

EMCO uses Istio and other open source solutions to provide Multi-tenancy solution leveraging Istio Authorization and Authentication frameworks. This is achieved without adding any logic in EMCO microservices. Authentication for the EMCO users are done at the Isito Gateway, where all the traffic enters the cluster. Istio along with autherservice (istio ecosystem project) enables request-level authentication with JSON Web Token (JWT) validation. This can be achieved using a custom authentication provider or any OpenID Connect providers like KeyCloak, Auth0 etc. 

Authservice is an entity that works along side with Envoy proxy. It is used to work with external IAM systems (OAUTH2). Many Enterprises have their own OAUTH2 server for authenticating users and provide roles. ONAP4K8s uses Authservice from ISTIO-ingress proxy to talk to along with Istio-ingress and Authservice use single or multiple OAUTH2 servers, one belonging to each project (Enterprise).







Drawio

Image Removed

Steps for setting up ONAP4K8s with Istio + Authservice

Keycloak 

Keycloak is an open source software product to allow single sign-on with Identity Management and Access Management. Keycloak is being used here as an example of IAM service to be used with EMCO.

In a kubernetes cluster where Keycloak is going to be installed follow these steps to create keyclock deployment:

Keyloak deployment file for Kubernetes is available: https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

Code Block
languageyml
titleKeycloak Installation
kubectl create ns keycloak
kubectl create -n keycloak secret tls ca-keycloak-certs --key keycloak.key --cert keycloak.crt
kubectl apply -f keycloak.yaml -n keycloak

Create a realm, add users and roles to Keycloak

  • Create a new Realm - ex: enterprise1
  • Add Users
  • Create a new Client under realm  name - ex: emco
  • Under Setting for client
    • Change assess type for client to confidential
    • Under Authentication Flow Overrides - Change Direct grant flow to direct grant
    • Update Valid Redirect URIs.
  • In Roles tab:
    • Add roles (ex. Admin and User)
    • Under Users assign roles from emco client to users ( Admin and User). Verify under Emco Client roles for user are in the role

For complete documentation of Keycloak refer to these links:

https://www.keycloak.org/getting-started/getting-started-kube

https://developers.redhat.com/blog/2020/01/29/api-login-and-jwt-token-generation-using-keycloak/

Emco Setup with Istio

In a kubernetes cluster where EMCO is going to be run install Istio Demo Profile: 

https://istio.io/latest/docs/setup/install/standalone-operator/

Istio version to use is 1.5.3

Install Emco with side car injection

bordertrue
diagramNamev2 API Authentication
simpleViewerfalse
width
linksauto
tbstyletop
lboxtrue
diagramWidth719
revision3





Drawio
bordertrue
diagramNamev2 API Authentication with multiple external OAUTH2 servers
simpleViewerfalse
width
linksauto
tbstyletop
lboxtrue
diagramWidth731
revision3


Authentication Flow with OIDC, Istio Ingress Gateway and Authservice

Authorization with Emco

Emco uses Istio's AuthorizationPolicy resource to manage authorizations. See at the end of this post for example of Authorization policies.

Steps for setting up ONAP4K8s with Istio + Authservice

Keycloak 

Keycloak is an open source software product to allow single sign-on with Identity Management and Access Management. Keycloak is being used here as an example of IAM service to be used with EMCO.

In a kubernetes cluster where Keycloak is going to be installed follow these steps to create keyclock deployment:

Keyloak deployment file for Kubernetes is available: https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

Code Block
languageyml
titleEMCO Keycloak Installation
stioctlkubectl kube-inject -f ovn4k8sdb.yaml | kubectl apply -f -
istioctl kube-inject -f ovn4k8s.yaml | kubectl apply -f -

kubectl create -n istio-system secret tls emco-credential --key=v2.key --cert=v2.crt

Create Gateway

create ns keycloak
kubectl create -n keycloak secret tls ca-keycloak-certs --key keycloak.key --cert keycloak.crt
kubectl apply -f keycloak.yaml -n keycloak


Code Block
languageyml
titleGatewayKeycloak Yaml
$apiVersion: kubectlv1
createkind: -n istio-system secret tls emco-credential --key=v2.key --cert=v2.crt

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: emco-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: emco-credential
    hosts:
    - "*"


Create virtual service

Code Block
languageyml
titleVirtual Service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: orchestrator
  namespace: emco
spec:
  hosts:
  - "*"
  gateways:
  - emco-gateway.istio-system.svc.cluster.local
  http:
  - match:
    - uri:
        prefix: /v2/oauth
    - uri:
        prefix: /v2
    route:
    - destination:
        port:
          number: 9015
        host: orchestrator

Make sure the EMCO service is accessible through istio ingress gateway at this point.  [https://<Istio Ingress service IP Address:port>/v2/projects]

Create Policy

Code Block
languageyml
titleAuthentication Policy
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
Service
metadata:
name: keycloak
labels:
app: keycloak
spec:
ports:
- name: http
port: 8080
targetPort: 8080
- name: https
port: 8443
targetPort: 8443
selector:
app: keycloak
type: LoadBalancer
---

apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
labels:
app: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
template:
metadata:
labels:
app: keycloak
spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:9.0.2
volumeMounts:
- name: keycloak-certs
mountPath: /etc/x509/https
readOnly: false
env:
- name: KEYCLOAK_USER
value: "admin"
- name: KEYCLOAK_PASSWORD
value: "admin"
- name: PROXY_ADDRESS_FORWARDING
value: "true"
ports:
- name: http
containerPort: 8080
- name: https
containerPort: 8443
readinessProbe:
httpGet:
path: /auth/realms/master
port: 8080
volumes:
- name: keycloak-certs
secret:
secretName: keycloak-certs
defaultMode: 420
optional: true

Create a realm, add users and roles to Keycloak

  • Create a new Realm - ex: enterprise1
  • Add Users
  • Create a new Client under realm  name - ex: emco
  • Under Setting for client
    • Change assess type for client to confidential
    • Under Authentication Flow Overrides - Change Direct grant flow to direct grant
    • Update Valid Redirect URIs.
  • In Roles tab:
    • Add roles (ex. Admin and User)
    • Under Users assign roles from emco client to users ( Admin and User). Verify under Emco Client roles for user are in the role
  • Add Mappers
    • Under Emco Client under mapper tab create a mapper
      •  Mapper type - User Client role
      • Client-ID: emco
      • Token claim name: role
      • Claim JSON Type: string

For complete documentation of Keycloak refer to these links:

https://www.keycloak.org/getting-started/getting-started-kube

https://developers.redhat.com/blog/2020/01/29/api-login-and-jwt-token-generation-using-keycloak/

Emco Setup with Istio

In a kubernetes cluster where EMCO is going to be run install Istio Demo Profile: 

https://istio.io/latest/docs/setup/install/standalone-operator/

Istio version to use is 1.5.3

Install Emco with side car injection

Code Block
languageyml
titleEMCO Installation
stioctl kube-inject -f ovn4k8sdb.yaml | kubectl apply -f -
istioctl kube-inject -f ovn4k8s.yaml | kubectl apply -f -

kubectl create -n istio-system secret tls emco-credential --key=v2.key --cert=v2.crt

Gateway

Code Block
languageyml
titleGateway
$ kubectl create -n istio-system secret tls emco-credential --key=v2.key --cert=v2.crt

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: "emco-authn-policy"gateway
  namespace: istio-system
spec:
  originsselector:
    - jwtistio: ingressgateway # use Istio default gateway implementation
 issuer: "httpsservers://<Keycloak
IP Address:port>/auth/realms/enterprise1"
  - port:
       jwksUrinumber: 80
      name: "http://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/certshttp
      protocol: HTTP
    hosts:
    - "*"
  principalBinding: USE_ORIGIN

Now when you try to assess EMCO you'll get 403 error. [https://<Istio Ingress service IP Address:port>/v2/projects]

Authservice Setup in Istio Ingress-gateway

Setup configmap required by Authservice.

The following example shows how to setup authservice with keycloak.

Code Block
languageyml
titleAuthservice configmap
kind: ConfigMap
apiVersion: v1
metadata:- port:
      number: 443
      name: emco-authservice-configmaphttps
  namespace: istio-system data:   config.jsonprotocol: |HTTPS
    {
      "listen_address": "127.0.0.1",tls:
      "listen_port"mode: "10003",SIMPLE
      "log_level"credentialName: "trace",emco-credential
      "threads"hosts:
8,      - "chains*": [


      {
          "name": "idp_filter_chain",
          "filters": [
  

Virtual service

Code Block
languageyml
titleVirtual Service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: orchestrator
  namespace: emco
spec:
  hosts:
  - "*"
  gateways:
  - emco-gateway.istio-system.svc.cluster.local
  http:
  - match:
    - uri:
 {       prefix: /v2/oauth
    "oidc"- uri:
        prefix: /v2
    {route:
    - destination:
        port:
 "authorization_uri": "https://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/auth",      number: 9015
         "token_uri"host: "https://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/token",
                "callback_uri"orchestrator

Make sure the EMCO service is accessible through istio ingress gateway at this point.  [https://<Istio Ingress service IP Address:port>/v2/projects]

Istio Policy

Code Block
languageyml
titleAuthentication Policy
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "emco-authn-policy"
  namespace: istio-system
spec:
  origins:
    - jwt:
        issuer: "https://<Istio Ingress service<Keycloak IP Address:port>/v2auth/oauthrealms/callbackenterprise1",
                "jwks"jwksUri: "{Escaped Json output of the command --> curl http://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/certs}",
  principalBinding:              "client_id": "emco",
    USE_ORIGIN

Now when you try to assess EMCO you'll get 403 error. [https://<Istio Ingress service IP Address:port>/v2/projects]

Authservice Setup in Istio Ingress-gateway

Authservice Configmap 

The following example shows how to setup authservice with keycloak.

Code Block
languageyml
titleAuthservice configmap
kind: ConfigMap
apiVersion: v1
metadata:
  name: emco-authservice-configmap
  namespace: istio-system
data:
  config.json: |
    {
      "clientlisten_secretaddress": "Copy secret from keycloak127.0.0.1",
        "listen_port": "10003",
       "trustedlog_certificate_authoritylevel": "-----BEGIN CERTIFICATE-----CA Certificate for the keycloak server in escaped format----END CERTIFICATE-----""trace",
      "threads": 8,
                "scopes"chains": [],
        {
          "id_tokenname": {"idp_filter_chain",
          "filters": [
      "preamble": "Bearer",      {
            "headeroidc":
"Authorization"               {
 },                 "accessauthorization_tokenuri": {
 "https://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/auth",
                "preambletoken_uri": "Bearer",
 https://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/token",
                "headercallback_uri": "Authorization"
     https://<Istio Ingress service IP Address:port>/v2/oauth/callback",
          }      "jwks": "{Escaped Json output of the command --> curl http://<Keycloak IP Address:port>/auth/realms/enterprise1/protocol/openid-connect/certs}",
            }    "client_id": "emco",
      ]         } "client_secret": "Copy secret from keycloak",
 ]     }   

Install Authservice  with the Isito-Ingress gateway

In this setup Authservice is getting setup at the Isito-Ingress gateway level. Refer this link for details:

https://github.com/istio-ecosystem/authservice/tree/master/bookinfo-example#istio-ingress-gateway-integration

Currently, there is not yet a native way to install Authservice into the Istio Ingress-gateway. We are manually modifying the Deployment of istio-ingressgateway to add the Authservice container. Add the contianer below. Note: Change the container section in ingress-gateway deployment to make it possible to add multiple containers.

Code Block
languageyml
titleAuthservice Container
$ kubectl edit  deployments istio-ingressgateway -n istio-system
Under containers section add:
- name: authservice
        image: adrianlzt/authservice:0.3.1-d3cd2d498169       "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----CA Certificate for the keycloak server in escaped format----END CERTIFICATE-----",
                "scopes": [],
              imagePullPolicy: Always "id_token": {
      ports:           - containerPort"preamble": 10003"Bearer",
        volumeMounts:           - name: emco-authservice-configmap-volume"header": "Authorization"
            mountPath: /etc/authservice  In the},
volumes section add:      - name: emco-authservice-configmap-volume      "access_token": {
 configMap:           name: emco-authservice-configmap  

Create EnvoyFilter Resource for authservice

Code Block
languageyml
titleEnvoy Filter
# # Add the ext_authz filter to the istio-ingressgateway  Envoy filter chain.
# Configure the ext_authz filter to ask the authservice about every incoming request
# via GRPC. For every incoming request, the authservice will decide to either allow
# the request and add tokens as headers, or will cause the response to redirect for
# authentication.
#

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: sidecar-token-service-filter-for-ingress
  namespace: istio-system
spec:
  workloadSelector:
    labels:"preamble": "Bearer",
                  "header": "Authorization"
                }
              }
            }
          ]
        }
istio: ingressgateway     ]
 app: istio-ingressgateway  }
configPatches:

 - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.jwt_authn"
    patch:
      operation: INSERT_BEFORE
      value:

Install Authservice  with the Isito-Ingress gateway

In this setup Authservice is getting setup at the Isito-Ingress gateway level. Refer this link for details:

https://github.com/istio-ecosystem/authservice/tree/master/bookinfo-example#istio-ingress-gateway-integration

Currently, there is not yet a native way to install Authservice into the Istio Ingress-gateway. We are manually modifying the Deployment of istio-ingressgateway to add the Authservice container. Add the contianer below. Note: Change the container section in ingress-gateway deployment to make it possible to add multiple containers.

Code Block
languageyml
titleAuthservice Container
$ kubectl edit  deployments istio-ingressgateway -n istio-system
Under containers section add:
- name: authservice
        image: adrianlzt/authservice:0.3.1-d3cd2d498169
       name imagePullPolicy: Always
envoy.ext_authz        configports:
         stat_prefix  - containerPort: ext_authz10003
         grpc_servicevolumeMounts:
          - envoy_grpcname: emco-authservice-configmap-volume
            cluster_namemountPath: ext_authz/etc/authservice

In the volumes section add:
     timeout:- 10s # Timeout for the entire request (including authcode for token exchange with the IDP)
  - applyTo: CLUSTER
    match:
      context: ANY
      cluster: {} # this line is required starting in istio 1.4.0
    patch:
      operation: ADD
      value:
        name: ext_authz
        connect_timeout: 5s # This timeout controls the initial TCP handshake timeout - not the timeout for the entire request
 name: emco-authservice-configmap-volume
        configMap:
          name: emco-authservice-configmap

EnvoyFilter Resource for authservice

Code Block
languageyml
titleEnvoy Filter
#
# Add the ext_authz filter to the istio-ingressgateway  Envoy filter chain.
# Configure the ext_authz filter to ask the authservice about every incoming request
# via GRPC. For every incoming request, the authservice will decide to either allow
# the request and add tokens as headers, or will cause the response to redirect for
# authentication.
#

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: sidecar-token-service-filter-for-ingress
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      typeistio: LOGICAL_DNSingressgateway
        lb_policyapp: ROUND_ROBINistio-ingressgateway
  configPatches:
  - applyTo:  http2_protocol_options: {}HTTP_FILTER
    match:
    load_assignment:   context: GATEWAY
      cluster_name: ext_authzlistener:
          endpointsfilterChain:
          filter:
 - lb_endpoints:          name: "envoy.http_connection_manager"
     - endpoint:      subFilter:
              addressname: "envoy.filters.http.jwt_authn"
    patch:
      operation: INSERT_BEFORE
        socket_addressvalue:
       name: envoy.ext_authz
       config:
       address: 127.0.0.1
   stat_prefix: ext_authz
         grpc_service:
           envoy_grpc:
          port_value: 10003

Try accessing EMCO URL agian [https://<Istio Ingress service IP Address:port>/v2/projects]. This will take you to the Keycloak login page and from there user can get authenticated before allowed to access EMCO resources.

Setup with multiple OAuth2 Servers.

The following changes are required if different OAuth2 servers are needed for different projects. All other configurations remain the same.

Create virtual service to support multiple servers

Code Block
languageyml
titleVirtual Service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: orchestrator
  namespace: test
spec:
  hosts:
  - "*"
  gateways:
  - orchestrator-gateway
  http:
  - match:
    - uri:
        prefix: /v2/oauth
    - uri:
        prefix: /v2
    - uri:   cluster_name: ext_authz
           timeout: 10s # Timeout for the entire request (including authcode for token exchange with the IDP)
  - applyTo: CLUSTER
    match:
      context: ANY
      cluster: {} # this line is required starting in istio 1.4.0
    patch:
      operation: ADD
      value:
        name: ext_authz
        connect_timeout: 5s # This timeout controls the initial TCP handshake timeout - not the timeout for the entire request
        type: LOGICAL_DNS
        lb_policy: ROUND_ROBIN
        http2_protocol_options: {}
        load_assignment:
          cluster_name: ext_authz
          endpoints:
            - lb_endpoints:
                - endpoint:
                    address:
                      socket_address:
                        address: 127.0.0.1
                        port_value: 10003


Try accessing EMCO URL agian [https://<Istio Ingress service IP Address:port>/v2/projects]. This will take you to the Keycloak login page and from there user can get authenticated before allowed to access EMCO resources.

Setup with multiple OAuth2 Servers.

The following changes are required if different OAuth2 servers are needed for different projects. All other configurations remain the same.

Virtual service to support multiple servers

Code Block
languageyml
titleVirtual Service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: orchestrator
  namespace: test
spec:
  hosts:
  - "*"
  gateways:
  - orchestrator-gateway
  http:
  - match:
    - uri:
        prefix: /v2/oauth
    - uri:
        prefix: /v2
    - uri:
        prefix: /v2/projects/enterprise1/oauth
    -uri:
        prefix: /v2/projects/enterprise2/oauth
    route:
    - destination:
        port:
          number: 9015
        host: orchestrator



Authentication Policy with multiple servers

Code Block
languageyml
titleAuthentication Policy
---
  apiVersion: "authentication.istio.io/v1alpha1"
  kind: "Policy"
  metadata:
    name: "orchestrator-authn-policy"
    namespace: istio-system
  spec:
    origins:
      - jwt:
         prefix issuer: /v2/projects/enterprise1/oauth"https://<url>/auth/realms/enterprise1"
    -uri:       jwksUri:  prefix: /v2/projects/enterprise2/oauth
    route:"http://<url>/auth/realms/enterprise1/protocol/openid-connect/certs"
       - destinationjwt:
        port:  issuer: "https://<url>/auth/realms/enterprise2"
       number: 9015  jwksUri: "http://<url>/auth/realms/enterprise2/protocol/openid-connect/certs"
     hostprincipalBinding: orchestrator



...

USE_ORIGIN


Configmap for multiple servers.

The following example shows how to setup authservice with multiple OAUTH2 keycloak servers.

Code Block
languageyml
titleAuthentication PolicyAuthservice configmap
---
kind: ConfigMap
apiVersion: "authentication.istio.io/v1alpha1"
  kind: "Policy"
  metadata:v1
metadata:
name: emco-authservice-configmap
namespace: istio-system
data:
config.json: |
  {
    name"listen_address": "orchestrator-authn-policy"127.0.0.1",
    namespace: istio-system
  spec:"listen_port": "10003",
    origins"log_level": "trace",
     - jwt"threads": 8,
    "chains": [
   issuer: "https://x.x.x.x:31567/auth/realms/enterprise1"  {
        jwksUri: "http://x.x.x.x:32431/auth/realms/enterprise1/protocol/openid-connect/certs""name": "idp_filter_chain_1",
      -  jwt"match": {
          issuer"header": "https://x.x.x.x:31567/auth/realms/enterprise2":path",
          jwksUri"prefix": "http://x.x.x.x:32431/auth/realms/enterprise2/protocol/openid-connect/certs"v2/projects/enterprise1"
        },
     principalBinding: USE_ORIGIN 

Setup configmap for multiple servers.

The following example shows how to setup authservice with multiple OAUTH2 keycloak servers.

Code Block
languageyml
titleAuthservice configmap
---
kind: ConfigMap
apiVersion: v1
metadata:
name: emco-authservice-configmap
namespace: istio-system
data:
config.json: |
  { "filters": [
        {
          "listen_addressoidc":
"127.0.0.1",         "listen_port": "10003",  {
  "log_level": "trace",     "threads": 8,     "chainsauthorization_uri": [
"https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/auth",
     {         "nametoken_uri": "idp_filter_chain_1https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/token",
        "match": {
          "headercallback_uri": ":path",
          "prefix": "https://x.x.x.x:<port>/v2/projects/enterprise1/oauth/callback",
        },         "filters"jwks": "{\"keys\": [
        {
          "oidc":
            {
              "authorization_uri": "https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/auth",
              "token_uri": "https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/token{\"kid\":\"xxxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"zzzzzzz\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"z7Qrc2nAlK8EVmkiKtz0bOWxugE\",\"x5t#S256\":\"xxxxxxxxx\"}]}",
              "callbackclient_uriid": "https://x.x.x.x:<port>/v2/projects/enterprise1/oauth/callbackemco",
              "jwks": "{\"keys\":[{\"kid\":\"xxxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"zzzzzzz\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"z7Qrc2nAlK8EVmkiKtz0bOWxugE\",\"x5t#S256\":\"xxxxxxxxx\"}]}"client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
              "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
              "scopes": [],
              "id_token": {
                "preamble": "Bearer",
                "client_idheader": "emcoAuthorization",
              "client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
              "trustedaccess_certificate_authoritytoken": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",{
                "scopespreamble": []"Bearer",
                "id_tokenheader": { "Authorization"
              }
    "preamble": "Bearer",       }
         "header": "Authorization" }
        ]
      },
      {
        "name": "access_tokenidp_filter_chain_2",
        "match": {
          "header": ":path",
            "preambleprefix": "Bearer",/v2/projects/enterprise2"
        },
        "headerfilters": "Authorization"[
        {
     }     "oidc":
       }     {
     }         ]
      }"authorization_uri": "https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/auth",
      {         "nametoken_uri": "idp_filter_chain_2https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/token",
        "match": {
          "headercallback_uri": ":path",https://x.x.x.x:<port>/v2/projects/enterprise2/oauth/callback",
              "prefixjwks": "/v2/projects/enterprise2"
        },
        "filters": [
        {
          "oidc":
            {
              "authorization_uri": "https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/auth",
              "token_uri": "https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/token{\"keys\":[{\"kid\":\"xxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"xxxx\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"xxxxxxx\",\"x5t#S256\":\"xxxxxxx\"}]}",
              "callbackclient_uriid": "https://x.x.x.x:<port>/v2/projects/enterprise2/oauth/callbackemco",
              "jwks": "{\"keys\":[{\"kid\":\"xxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"xxxx\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"xxxxxxx\",\"x5t#S256\":\"xxxxxxx\"}]}"client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
              "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
              "scopes": [],
              "id_token": {
                "preamble": "Bearer",
                "header": "Authorization"
              },
              "client_idaccess_token": {
                "preamble": "emcoBearer",
                "client_secretheader": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",Authorization"
              "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",}
                "scopes": [],}
          }
     "id_token": {  ]
      }
    ]
  "preamble": "Bearer",
                "header": "Authorization"
   }

Authorization Policies with Istio 

As specified in Keycloak  section Role Mappers are created using Keycloak. These can be used apply authorizations for users. Some examples the can used:

Code Block
languageyml
titleAuthorization Policies
apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: allow-admin
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  },action: ALLOW
  rules:
  - when:
      "access_token": {- key: request.auth.claims[role]
      values: ["ADMIN"]

---
apiVersion: security.istio.io/v1beta1
kind:    "preamble": "Bearer",AuthorizationPolicy
metadata:
  name: allow-user
  namespace: istio-system
spec:
  selector:
    "header"matchLabels:
"Authorization"      app: istio-ingressgateway
  action: ALLOW
  rules:
}  - to:
    - operation:
   }     paths: ["/v2/projects/enterprise1/*"]
    }when:
    - key: request.auth.claims[role]
 ]     values: ["USER"] }     ]

 }