Add more details in guideline for Auth Istio&Apisix #485
base: main
Conversation
@ckhened Please help to review~
authN-authZ/auth-istio/README.md
Outdated
First export the router service through istio ingress gateway. | ||
```bash | ||
kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_router_gateway.yaml |
This file is only used for the option "via JWT token generated by OIDC providers with curl".
Why is it defined in the prerequisite section?
I think this has no relationship with the token generation way. It is just from istio gateway, and should be added for all megaservices if you want to do authentication.
Well, understood. But for authentication with the OAuth service, another gateway configuration needs to be applied since there is some extra configuration. Applying both of them might introduce conflicts or complexity. So if you want to set up the gateway anyway, please put the steps in each section, instead of putting the step in the Prerequisite section.
Thanks for your suggestion. Putting the steps in each section would duplicate them. Thus I added "Optional" to this part and added a suggestion for this; do you think it works?
Thanks for your suggestion. Putting the steps in each section would duplicate them. Thus I added "Optional" to this part and added a suggestion for this; do you think it works?
Well. I think it is a must for all options to find the ingress port and IP address, but the step `kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_router_gateway.yaml` is ONLY used for the first two options of authentication, and NOT needed (instead of optional) for the third option, as it shall only use `kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_router_gateway_oauth.yaml` instead.
Thanks for your explanation!! I have just moved this part to the "Perform authentication and authorization via JWT tokens generated by OIDC provider" section, following your original sequence; please have a check~
LGTM
Signed-off-by: Xinyao Wang <xinyao.wang@intel.com>
for more information, see https://pre-commit.ci
@@ -0,0 +1,33 @@ | |||
# Copyright (C) 2024 Intel Corporation |
Instead of adding this file, could you reuse the one in templates and add a new values file like values_megaservice.yaml, and update the values accordingly, so that the implementation will be consistent with the Helm charts?
Please consistently write apisix in text as APISIX, that is how it is on their site. @chickenrae comment -- may want to talk to @yongfengdu - what/how. Please number the steps for installing/configuring keycloak, it helps people. Please add a statement to the effect that envsubst is needed only on the machine from which one is launching the kubectl commands, it is not needed on any of the kubernetes cluster machines.
export USER='mary' | ||
export PASSWORD=<password> | ||
export KEYCLOAK_REALM='apisix' | ||
export KEYCLOAK_CLIENT_ID='apisix' |
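Review bot: `export PASSWORD=<password>` is a placeholder that readers will paste verbatim, and bash parses the angle brackets as redirections rather than as a value, so the line fails and the variable stays empty; write it as `export PASSWORD='<your-keycloak-password>'` or, better, have the reader enter it with `read -s PASSWORD` so the secret does not end up in shell history or in a copy-pasted command.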
Do the realm and client_id have to be the same? Or is there any reason you chose the same value?
2. Run keycloak, setup a realm with OIDC based authentication and add users with passwords for each user. | ||
## Start Keycloak and configuration |
Suggested change: replace `## Start Keycloak and configuration` with `## Starting and Configuring Keycloak`
In this case, we add a realm called `apisix` and add a user called `mary` with password. In the authentication step, only the user from `apisix` realm can access the chatQnA pipeline. | ||
Steps to start keycloak. |
you cannot start something before installing it.
Description and step don't match.
If you have numbered steps, let step 1 be "Create a persistent volume for keycloak"
# install keycloak with helm by setting | ||
Then install keycloak. |
make this (2) for your step 2. Install keycloak
kubectl apply -f ./keycloak_install.yaml | ||
``` | ||
Get the ip and port to access keycloak. |
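Review bot: the comment `# install keycloak with helm by setting` says Helm, but the command that follows is `kubectl apply -f ./keycloak_install.yaml`; make the comment match the actual install method (or drop it) so readers do not go looking for a Helm release that was never created.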
step 3 3) Determine keycloak service ip and port.
@@ -151,18 +174,63 @@ The user management is done via Keycloak and the configuration steps look like t | |||
4. Create a new user name as `mary` and another user as `bob`. Set passwords for both users (set 'Temporary' to 'Off'). Select Role mapping on the top, assign the `user` role to `mary` and assign the `viewer` role to `bob`. | |||
**Apply authentication and authorization policies to the pipeline endpoint based on OIDC provider** | |||
5. Turn off the all the 'Required actions' under the 'Authentication' section in Keycloak |
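Review bot: step 5 tells the reader to turn off all 'Required actions' without saying why; required actions such as "Update Password" or "Configure OTP" are the realm's account-hardening controls, so name the specific action that blocks the demo login and disable only that one, or state explicitly that the blanket change is meant for the test realm only.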
Suggested change: replace `5. Turn off the all the 'Required actions' under the 'Authentication' section in Keycloak` with `5. Turn off the 'Required actions' under the 'Authentication' section in Keycloak`
grammar is wrong with "the all the" but wondering if there is an "all" somewhere in the console ..
./kcadm.sh update realms/master -s sslRequired=NONE --server ${KEYCLOAK_ADDR} | ||
``` | ||
|
||
Then after open the console and create `istio` realm, go to "Realm setting", set "Require SSL" to "None" |
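Review bot: `./kcadm.sh update realms/master -s sslRequired=NONE` together with setting "Require SSL" to "None" on the `istio` realm makes Keycloak accept logins and issue tokens over plain HTTP, so user passwords and bearer tokens travel in cleartext; add a sentence that this is for a test setup only, and say what to do when the cluster is reachable from beyond the local machine (keep Keycloak's default of requiring SSL for external requests, or put TLS in front of the Keycloak service).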
Suggested change: replace `Then after open the console and create `istio` realm, go to "Realm setting", set "Require SSL" to "None"` with `Then after opening the console, create the `istio` realm. Next go to "Realm setting", and set "Require SSL" to "None"`
**Export the router service through istio ingress gateway** | ||
For authentication safegard, we should add a gateway for the service. Here we the istio ingress gateway will be used to access the chatQnA service in different setups. |
Suggested change: replace `For authentication safegard, we should add a gateway for the service. Here we the istio ingress gateway will be used to access the chatQnA service in different setups.` with `For authentication safegard, we should add a gateway for the service. Here we show how to set up the istio ingress gateway to control access to the chatQnA service.`
# set the INGRESS_PORT to the istio-ingressgateway svc port | ||
export INGRESS_PORT=${gateway_svc_port} | ||
#Case2: If your environment support external load balancers |
Suggested change: replace `#Case2: If your environment support external load balancers` with `#Case2: If your environment supports external load balancers`
@@ -330,3 +398,15 @@ sudo sed -i '1i\127.0.0.1 chatqna-ui.com' /etc/hosts | |||
Open browser with address `"chatqna-ui.com:${INGRESS_PORT}"` if using GMC based deployment. Otherwise, open the browser with address `"chatqna-service.com:${INGRESS_PORT}"`. |
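Review bot: `chatqna-ui.com` and `chatqna-service.com` read like public domain names, but the only name resolution shown is the `/etc/hosts` line in the hunk header, and it maps `chatqna-ui.com` alone; add the matching `/etc/hosts` entry for `chatqna-service.com` on the non-GMC path and state that both names resolve only on the machine where those entries were added.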
we never told folks how to find the address of chatqna-ui.com. the way it is written it feels like a fully qualified domain name like google.com!
Looks like we need more time to adapt all the changes, so this will not make the v1.2 release.
Description
Add more details in guideline for Auth Istio&Apisix
Issues
List the issue or RFC link this PR is working on. If there is no such link, please mark it as n/a.
Type of change
List the type of change like below. Please delete options that are not relevant.
Dependencies
List the newly introduced 3rd party dependency if exists.
Tests
Describe the tests that you ran to verify your changes.