...
Try accessing EMCO URL agian [https://<Istio Ingress service IP Address:port>/v2/projects]. This will take you to the Keycloak login page and from there user can get authenticated before allowed to access EMCO resources.
Setup with multiple OAuth2 Servers.
The following changes are required if different OAuth2 servers are needed for different projects. All other configurations remain the same.
Create virtual service to support multiple servers
| Code Block | ||||
|---|---|---|---|---|
| ||||
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: orchestrator
namespace: test
spec:
hosts:
- "*"
gateways:
- orchestrator-gateway
http:
- match:
- uri:
prefix: /v2/oauth
- uri:
prefix: /v2
- uri:
prefix: /v2/projects/enterprise1/oauth
-uri:
prefix: /v2/projects/enterprise2/oauth
route:
- destination:
port:
number: 9015
host: orchestrator
|
Create Authentication Policy with multiple servers
| Code Block | ||||
|---|---|---|---|---|
| ||||
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "orchestrator-authn-policy"
namespace: istio-system
spec:
origins:
- jwt:
issuer: "https://x.x.x.x:31567/auth/realms/enterprise1"
jwksUri: "http://x.x.x.x:32431/auth/realms/enterprise1/protocol/openid-connect/certs"
- jwt:
issuer: "https://x.x.x.x:31567/auth/realms/enterprise2"
jwksUri: "http://x.x.x.x:32431/auth/realms/enterprise2/protocol/openid-connect/certs"
principalBinding: USE_ORIGIN
|
Setup configmap required by Authservice.
The following example shows how to setup authservice with keycloak.
| Code Block | ||||
|---|---|---|---|---|
| ||||
---
kind: ConfigMap
apiVersion: v1
metadata:
name: emco-authservice-configmap
namespace: istio-system
data:
config.json: |
{
"listen_address": "127.0.0.1",
"listen_port": "10003",
"log_level": "trace",
"threads": 8,
"chains": [
{
"name": "idp_filter_chain_1",
"match": {
"header": ":path",
"prefix": "/v2/projects/enterprise1"
},
"filters": [
{
"oidc":
{
"authorization_uri": "https://x.x.x.x:31567/auth/realms/enterprise1/protocol/openid-connect/auth",
"token_uri": "https://x.x.x.x:31567/auth/realms/enterprise1/protocol/openid-connect/token",
"callback_uri": "https://x.x.x.x:31063/v2/projects/enterprise1/oauth/callback",
"jwks": "{\"keys\":[{\"kid\":\"xxxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"zzzzzzz\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"z7Qrc2nAlK8EVmkiKtz0bOWxugE\",\"x5t#S256\":\"xxxxxxxxx\"}]}",
"client_id": "emco",
"client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
"scopes": [],
"id_token": {
"preamble": "Bearer",
"header": "Authorization"
},
"access_token": {
"preamble": "Bearer",
"header": "Authorization"
}
}
}
]
},
{
"name": "idp_filter_chain_2",
"match": {
"header": ":path",
"prefix": "/v2/projects/enterprise2"
},
"filters": [
{
"oidc":
{
"authorization_uri": "https://x.x.x.x:31567/auth/realms/enterprise2/protocol/openid-connect/auth",
"token_uri": "https://x.x.x.x:31567/auth/realms/enterprise2/protocol/openid-connect/token",
"callback_uri": "https://x.x.x.x:31063/v2/projects/enterprise2/oauth/callback",
"jwks": "{\"keys\":[{\"kid\":\"xxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"xxxx\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"xxxxxxx\",\"x5t#S256\":\"xxxxxxx\"}]}",
"client_id": "emco",
"client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
"scopes": [],
"id_token": {
"preamble": "Bearer",
"header": "Authorization"
},
"access_token": {
"preamble": "Bearer",
"header": "Authorization"
}
}
}
]
}
]
} |