From 4c5b3090430d0af9529a72d3f37e822594bbfef2 Mon Sep 17 00:00:00 2001 From: Alex Zgabur Date: Tue, 7 May 2024 17:12:56 +0200 Subject: [PATCH 1/7] Fix openapi yaml examples --- doc/generate-kuadrant-auth-policy.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md index 22fe43d..b99a3e1 100644 --- a/doc/generate-kuadrant-auth-policy.md +++ b/doc/generate-kuadrant-auth-policy.md @@ -25,6 +25,10 @@ OpenAPI [Security Scheme Object](https://spec.openapis.org/oas/latest.html#secur The following OAS example has one protected endpoint `GET /dog` with `openIdConnect` security scheme type. ```yaml +openapi: "3.1.0" +info: + title: "Pet Store API" + version: "1.0.0" paths: /dog: get: @@ -41,10 +45,10 @@ components: openIdConnectUrl: https://example.com/.well-known/openid-configuration ``` -Running the command +Take this example and save it as `example.yaml` and than run the command: -``` -kuadrantctl generate kuadrant authpolicy --oas ./petstore-openapi.yaml | yq -P +```bash +kuadrantctl generate kuadrant authpolicy --oas example.yaml ``` The generated authpolicy (only relevan fields shown here): @@ -52,10 +56,6 @@ The generated authpolicy (only relevan fields shown here): ```yaml kind: AuthPolicy apiVersion: kuadrant.io/v1beta2 -metadata: - name: petstore - namespace: petstore - creationTimestamp: null spec: routeSelectors: - matches: @@ -82,6 +82,10 @@ spec: The following OAS example has one protected endpoint `GET /dog` with `apiKey` security scheme type. ```yaml +openapi: "3.1.0" +info: + title: "Pet Store API" + version: "1.0.0" paths: /dog: get: 
@@ -99,10 +103,10 @@ components: in: query ``` -Running the command +Take this example and save it as `example.yaml` and than run the command: -``` -kuadrantctl generate kuadrant authpolicy --oas ./petstore-openapi.yaml | yq -P +```bash +kuadrantctl generate kuadrant authpolicy --oas example.yaml ``` The generated authpolicy (only relevan fields shown here): @@ -110,10 +114,6 @@ The generated authpolicy (only relevan fields shown here): ```yaml kind: AuthPolicy apiVersion: kuadrant.io/v1beta2 -metadata: - name: petstore - namespace: petstore - creationTimestamp: null spec: routeSelectors: - matches: From 06350109c6b7d15cf627e2a1753eb474a4da2b45 Mon Sep 17 00:00:00 2001 From: Alex Zgabur Date: Tue, 7 May 2024 17:14:13 +0200 Subject: [PATCH 2/7] Fix spacing --- doc/generate-kuadrant-auth-policy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md index b99a3e1..6385b0c 100644 --- a/doc/generate-kuadrant-auth-policy.md +++ b/doc/generate-kuadrant-auth-policy.md @@ -318,6 +318,7 @@ EOF > Replace `${KEYCLOAK_PUBLIC_DOMAIN}` with your SSO instance domain * Create an API key only valid for `POST /api/v1/cat` endpoint + ```yaml kubectl apply -f -< **Note**: the label's value of `kuadrant.io/apikeys-by: cat_api_key` is the name of the sec scheme of the OpenAPI spec. * Create an API key only valid for `GET /api/v1/snake` endpoint From 2efa953196af640783868c100a7c115f4e8d2b46 Mon Sep 17 00:00:00 2001 From: Alex Zgabur Date: Tue, 7 May 2024 17:16:08 +0200 Subject: [PATCH 3/7] Add missing gateway to guide and sso url refactor --- doc/generate-kuadrant-auth-policy.md | 66 +++++++++++++++++++++------- 1 file changed, 49 insertions(+), 17 deletions(-) diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md index 6385b0c..f79b8ca 100644 --- a/doc/generate-kuadrant-auth-policy.md +++ b/doc/generate-kuadrant-auth-policy.md 
@@ -305,7 +305,7 @@ components: in: header oidc: type: openIdConnect - openIdConnectUrl: https://${KEYCLOAK_PUBLIC_DOMAIN}/auth/realms/petstore + openIdConnectUrl: ${KEYCLOAK_ISSUER} snakes_api_key: type: apiKey name: snake_token @@ -315,7 +315,36 @@ EOF -> Replace `${KEYCLOAK_PUBLIC_DOMAIN}` with your SSO instance domain +> Replace `${KEYCLOAK_ISSUER}` with your SSO instance issuer endpoint for your `petstore` realm. +> Otherwise remove the oidc from `components.securitySchemas` and `/dog`, `/snake` paths + +* Create `istio-ingressgateway` Gateway object + +```yaml +kubectl apply -f -< It's a public endpoint, hence should return 200 Ok ```bash -curl -H "Host: example.com" -i "http://127.0.0.1:9080/api/v1/cat" +curl -H "Host: example.com" -i "http://${INGRESS_IP}/api/v1/cat" ``` - `POST /api/v1/cat` -> It's a protected endpoint with apikey @@ -382,7 +411,7 @@ curl -H "Host: example.com" -i "http://127.0.0.1:9080/api/v1/cat" Without any credentials, it should return `401 Unauthorized` ```bash -curl -H "Host: example.com" -X POST -i "http://127.0.0.1:9080/api/v1/cat" +curl -H "Host: example.com" -X POST -i "http://${INGRESS_IP}/api/v1/cat" ``` ``` @@ -405,7 +434,7 @@ What if we try a wrong token? one token assigned to other endpoint, i.e. `I_LIKE_SNAKES` instead of the valid one `I_LIKE_CATS`. It should return `401 Unauthorized`. ```bash -curl -H "Host: example.com" -H "api_key: I_LIKE_SNAKES" -X POST -i "http://127.0.0.1:9080/api/v1/cat" +curl -H "Host: example.com" -H "api_key: I_LIKE_SNAKES" -X POST -i "http://${INGRESS_IP}/api/v1/cat" ``` ``` 
@@ -424,8 +453,8 @@ The *reason* headers tell that `the API Key provided is invalid`. Using valid token (from the secret `cat-api-key-1` assigned to `POST /api/v1/cats`) in the `api_key` header should return 200 Ok -``` -curl -H "Host: example.com" -H "api_key: I_LIKE_CATS" -X POST -i "http://127.0.0.1:9080/api/v1/cat" +```bash +curl -H "Host: example.com" -H "api_key: I_LIKE_CATS" -X POST -i "http://${INGRESS_IP}/api/v1/cat" ``` - `GET /api/v1/dog` -> It's a protected endpoint with oidc (assigned to our keycloak instance and `petstore` realm) 
@@ -433,31 +462,34 @@ curl -H "Host: example.com" -H "api_key: I_LIKE_CATS" -X POST -i "http://127.0. without credentials, it should return `401 Unauthorized` ```bash -curl -H "Host: example.com" -i "http://127.0.0.1:9080/api/v1/dog" +curl -H "Host: example.com" -i "http://${INGRESS_IP}/api/v1/dog" ``` +#### [Optional] SSO example + To get the authentication token, this example is using Direct Access Grants oauth2 grant type -(also known as Client Credentials grant type). When configuring the Keycloak (OIDC provider) client +(also known as Resource Owner Password Credentials Grant grant type). When configuring the Keycloak (OIDC provider) client settings, we enabled Direct Access Grants to enable this procedure. We will be authenticating as `bob` user with `p` password. We previously created `bob` user in Keycloak in the `petstore` realm. +We will use Command-line JSON processor `jq` to extract the access token into `ACCESS_TOKEN` variable: -``` +```bash export ACCESS_TOKEN=$(curl -k -H "Content-Type: application/x-www-form-urlencoded" \ -d 'grant_type=password' \ -d 'client_id=petstore' \ -d 'scope=openid' \ -d 'username=bob' \ - -d 'password=p' "https://${KEYCLOAK_PUBLIC_DOMAIN}/auth/realms/petstore/protocol/openid-connect/token" | jq -r '.access_token') + -d 'password=p' \ + "${KEYCLOAK_TOKEN_ENDPOINT}" | jq -r '.access_token') ``` -> Replace `${KEYCLOAK_PUBLIC_DOMAIN}` with your SSO instance domain - +> Replace `${KEYCLOAK_TOKEN_ENDPOINT}` with your SSO instance token endpoint for your `petstore` realm. With the access token in place, let's try to get those puppies ```bash -curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: example.com' http://127.0.0.1:9080/api/v1/dog -i +curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H 'Host: example.com' "http://${INGRESS_IP}/api/v1/dog" -i ``` it should return 200 OK 
@@ -470,13 +502,13 @@ for an OpenAPI operation. Without credentials, it should return `401 Unauthorized` ```bash -curl -H "Host: example.com" -i "http://127.0.0.1:9080/api/v1/snake" +curl -H "Host: example.com" -i "http://${INGRESS_IP}/api/v1/snake" ``` With the access token in place, it should return 200 OK (unless the token has expired). ```bash -curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: example.com' http://127.0.0.1:9080/api/v1/snake -i +curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H 'Host: example.com' "http://${INGRESS_IP}/api/v1/snake" -i ``` With apiKey it should also work. According to the OpenAPI spec security scheme, @@ -484,6 +516,6 @@ it should be a query string named `snake_token` and the token needs to be valid (from the secret `snake-api-key-1` assigned to `GET /api/v1/snake`) ```bash -curl -H 'Host: example.com' -i "http://127.0.0.1:9080/api/v1/snake?snake_token=I_LIKE_SNAKES" +curl -H 'Host: example.com' -i "http://${INGRESS_IP}/api/v1/snake?snake_token=I_LIKE_SNAKES" ``` From a9db0d01de625302a56b2b64eb2ef28054268e99 Mon Sep 17 00:00:00 2001 From: Alex Zgabur Date: Thu, 9 May 2024 18:07:42 +0200 Subject: [PATCH 4/7] Fix oidc url example and typos --- doc/generate-kuadrant-auth-policy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md index f79b8ca..96030f9 100644 --- a/doc/generate-kuadrant-auth-policy.md +++ b/doc/generate-kuadrant-auth-policy.md @@ -42,7 +42,7 @@ components: securitySchemes: securedDog: type: openIdConnect - openIdConnectUrl: https://example.com/.well-known/openid-configuration + openIdConnectUrl: https://sso.example.com/auth/realms/petstore ``` Take this example and save it as `example.yaml` and than run the command: 
@@ -51,7 +51,7 @@ Take this example and save it as `example.yaml` and than run the command: kuadrantctl generate kuadrant authpolicy --oas example.yaml ``` -The generated authpolicy (only relevan fields shown here): +The generated authpolicy (only relevant fields shown here): ```yaml kind: AuthPolicy @@ -68,7 +68,7 @@ spec: getDog_securedDog: credentials: {} jwt: - issuerUrl: https://example.com/.well-known/openid-configuration + issuerUrl: https://sso.example.com/auth/realms/petstore routeSelectors: - matches: - path: @@ -109,7 +109,7 @@ Take this example and save it as `example.yaml` and than run the command: kuadrantctl generate kuadrant authpolicy --oas example.yaml ``` -The generated authpolicy (only relevan fields shown here): +The generated authpolicy (only relevant fields shown here): ```yaml kind: AuthPolicy From e7956c8224db1267096d328e015d340758b75596 Mon Sep 17 00:00:00 2001 From: Alex Zgabur Date: Wed, 22 May 2024 13:49:54 +0200 Subject: [PATCH 5/7] Move notes to better place --- doc/generate-kuadrant-auth-policy.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md index 96030f9..e910da7 100644 --- a/doc/generate-kuadrant-auth-policy.md +++ b/doc/generate-kuadrant-auth-policy.md @@ -232,6 +232,9 @@ kubectl apply -n petstore -f examples/petstore/petstore.yaml
+> Replace `${KEYCLOAK_ISSUER}` with your SSO instance issuer endpoint for your `petstore` realm. +> Otherwise remove the oidc from `components.securitySchemas` and `/dog`, `/snake` paths + ```yaml cat <petstore-openapi.yaml --- @@ -315,9 +318,6 @@ EOF
-> Replace `${KEYCLOAK_ISSUER}` with your SSO instance issuer endpoint for your `petstore` realm. -> Otherwise remove the oidc from `components.securitySchemas` and `/dog`, `/snake` paths - * Create `istio-ingressgateway` Gateway object ```yaml @@ -474,6 +474,9 @@ We will be authenticating as `bob` user with `p` password. We previously created `bob` user in Keycloak in the `petstore` realm. We will use Command-line JSON processor `jq` to extract the access token into `ACCESS_TOKEN` variable: + +> Replace `${KEYCLOAK_TOKEN_ENDPOINT}` with your SSO instance token endpoint for your `petstore` realm. + ```bash export ACCESS_TOKEN=$(curl -k -H "Content-Type: application/x-www-form-urlencoded" \ -d 'grant_type=password' \ @@ -484,8 +487,6 @@ export ACCESS_TOKEN=$(curl -k -H "Content-Type: application/x-www-form-urlencode "${KEYCLOAK_TOKEN_ENDPOINT}" | jq -r '.access_token') ``` -> Replace `${KEYCLOAK_TOKEN_ENDPOINT}` with your SSO instance token endpoint for your `petstore` realm. - With the access token in place, let's try to get those puppies ```bash From 2c9bdd1f0c0c769b3508c32e1a45d162bb338ad0 Mon Sep 17 00:00:00 2001 From: Alex Zgabur Date: Thu, 13 Jun 2024 16:33:14 +0200 Subject: [PATCH 6/7] Minor text fix --- doc/generate-kuadrant-auth-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md index e910da7..b300af5 100644 --- a/doc/generate-kuadrant-auth-policy.md +++ b/doc/generate-kuadrant-auth-policy.md @@ -339,7 +339,7 @@ spec: protocol: HTTP EOF ``` -* Get the IP +* Get the IP of the Gateway: ```bash export INGRESS_IP=$(kubectl get -n istio-system Service/istio-ingressgateway-istio -o=jsonpath='{.status.loadBalancer.ingress[0].ip}') From dba0c3af4755bb27e8ceeb878ddcd6aac3a0910d Mon Sep 17 00:00:00 2001 
From: Alex Zgabur Date: Mon, 24 Jun 2024 11:22:04 +0200 Subject: [PATCH 7/7] Fix word then --- doc/generate-kuadrant-auth-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md index b300af5..83273e6 100644 --- a/doc/generate-kuadrant-auth-policy.md +++ b/doc/generate-kuadrant-auth-policy.md @@ -45,7 +45,7 @@ components: openIdConnectUrl: https://sso.example.com/auth/realms/petstore ``` -Take this example and save it as `example.yaml` and than run the command: +Take this example and save it as `example.yaml` and then run the command: ```bash kuadrantctl generate kuadrant authpolicy --oas example.yaml @@ -103,7 +103,7 @@ components: in: query ``` -Take this example and save it as `example.yaml` and than run the command: +Take this example and save it as `example.yaml` and then run the command: ```bash kuadrantctl generate kuadrant authpolicy --oas example.yaml
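Review bot: in PATCH 1/7, hunks `@@ -41,10 +45,10 @@` and `@@ -99,10 +103,10 @@`, the new sentence "save it as `example.yaml` and than run the command" introduces the "than"/"then" typo that PATCH 7/7 later corrects, and the unchanged context "only relevan fields shown here" is only fixed in PATCH 4/7; squash both fixes into this commit so no intermediate commit of the series carries the typos. The same hunks also drop `| yq -P` from the command while the block that follows is still shown as ```yaml; confirm that `kuadrantctl generate kuadrant authpolicy --oas example.yaml` prints YAML on its own, otherwise keep the `| yq -P` or state the output format so what the reader sees matches the listing.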
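Review bot: in PATCH 1/7, hunks `@@ -52,10 +56,6 @@` and `@@ -110,10 +114,6 @@`, removing the whole `metadata` block from the "only relevant fields" listing also removes `name: petstore` and `namespace: petstore`, which are relevant: an AuthPolicy is namespaced and the reader needs to know which name and namespace the generator emits before applying it. Suggest dropping only the `creationTimestamp: null` line and keeping `metadata.name` and `metadata.namespace` in both listings.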
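Review bot: in PATCH 2/7, hunk `@@ -318,6 +318,7 @@`, the fence the blank line is added in front of is tagged ```yaml, but its first line is `kubectl apply -f -<...`, i.e. a shell command feeding a heredoc; tag it ```bash like the other command blocks in this file (the Gateway block added in PATCH 3/7 under "Create `istio-ingressgateway` Gateway object" has the same mismatch). Syntax highlighting aside, a `yaml` tag invites readers to paste the block into a file as YAML, which will not parse.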
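Review bot: in PATCH 3/7, hunk `@@ -305,7 +305,7 @@`, `openIdConnectUrl: ${KEYCLOAK_ISSUER}` sits inside the `cat ... EOF` heredoc that writes `petstore-openapi.yaml` (visible as context in PATCH 5/7), so the shell expands the variable when the file is written; if the reader has not exported it, the line silently becomes `openIdConnectUrl:` with an empty value and the generated policy gets an empty `issuerUrl`. The accompanying note says "Replace `${KEYCLOAK_ISSUER}` with ...", which suggests editing the text; say instead that the reader must `export KEYCLOAK_ISSUER=...` before running the block, and consider guarding the heredoc with `: "${KEYCLOAK_ISSUER:?export KEYCLOAK_ISSUER first}"` so an unset variable fails loudly. The same applies to `${KEYCLOAK_TOKEN_ENDPOINT}` in the token `curl` later in this patch.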
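Review bot: in PATCH 3/7, hunk `@@ -315,7 +315,36 @@`, the added note reads "remove the oidc from `components.securitySchemas`", but the OpenAPI key is `securitySchemes` (it appears spelled that way in the context of the `@@ -42,7 +42,7 @@` hunk of PATCH 4/7); fix the spelling, and reword "Otherwise remove ..." to say when it applies, e.g. "If you have no SSO instance, remove the `oidc` scheme from `components.securitySchemes` and from the `security` lists of the `/dog` and `/snake` operations". In the same hunk, the Gateway is created as `istio-ingressgateway` while the Service read later is `istio-ingressgateway-istio`; add a sentence that Istio names the Service it provisions for a Gateway `<gateway-name>-istio`, otherwise the suffix looks like a typo.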
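Review bot: in PATCH 3/7, hunk `@@ -433,31 +462,34 @@`, the corrected parenthesis reads "Resource Owner Password Credentials Grant grant type" with "grant" doubled; write "Resource Owner Password Credentials grant type". The correction itself is right: `grant_type=password` is the resource owner password flow, not client credentials. In the same hunk the token request keeps `curl -k`, which disables TLS certificate verification for the call that carries the user's password; either drop `-k` or state in the text that it is only there for a self-signed development Keycloak.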
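Review bot: in PATCH 3/7, hunk `@@ -470,13 +502,13 @@`, the `/api/v1/snake` steps still say "With the access token in place, it should return 200 OK" and use `${ACCESS_TOKEN}`, but the section that obtains that token is now headed "[Optional] SSO example" in the previous hunk; add a clause that this bearer-token check only applies if the optional SSO section was completed, and point readers who skipped it straight to the `snake_token` query-string check that follows.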
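Review bot: in PATCH 4/7, hunk `@@ -42,7 +42,7 @@`, the example `openIdConnectUrl` changes from a `.well-known/openid-configuration` URL to the realm URL, and the next hunk shows why: the generator copies the value verbatim into `jwt.issuerUrl`. The OpenAPI specification defines `openIdConnectUrl` as the URL of the discovery document, so a reader following the spec will paste the `.well-known` URL and get an `issuerUrl` that already ends in the discovery path. Add one sentence under the example stating that kuadrantctl treats `openIdConnectUrl` as the issuer URL, so it must be the issuer (the realm URL here), not the discovery document.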
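Review bot: in PATCH 6/7, hunk `@@ -339,7 +339,7 @@`, the command under the retitled "Get the IP of the Gateway:" step reads `jsonpath='{.status.loadBalancer.ingress[0].ip}'`, which yields an empty `INGRESS_IP` on clusters whose load balancer publishes a hostname instead of an address, and every later `curl` against `http://${INGRESS_IP}/...` then fails with an unhelpful error. Suggest either a fallback such as `jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'` or an `echo $INGRESS_IP` check right after the export so the reader can confirm the value before continuing.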