Guide: Securing a WildFly app on k8s with OIDC #2087
base: develop
Conversation
cd /PATH/TO/ELYTRON/EXAMPLES/simple-webapp-oidc/charts
----

. Create a file `values.yml`.
Hi @fjuma, do we want to add this file in https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc ?
Hi @theashiot, apologies for the delayed response. I haven't gone through this in detail yet but yes, adding a file with the required configuration for k8s to the existing example would make sense.
Thanks, @fjuma, I've created a PR to add the file: wildfly-security-incubator/elytron-examples#209
I'll update the steps shortly.
I've updated the steps. Ready for review!
Please note that I haven't tested the steps for Quay. I have based them on https://www.wildfly.org/news/2023/06/16/deploy-on-kubernetes-with-helm/ . I'm facing some authentication problems with Quay.
I've tested the steps for Docker Hub.
7303027 to b7060de
== Example Application

We use a simple web application in this guide that consists of a single https://github.com/wildfly-security/elytron-examples/blob/main/simple-webapp-oidc/src/main/java/org/wildfly/security/examples/SecuredServlet.java[servlet]. We show how to secure this servlet using OIDC. We will use the example in the https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc[simple-webapp-oidc] directory in the https://github.com/wildfly-security/elytron-examples[elytron-examples] repository.
FYI, the examples repo is under the wildfly-security-incubator account.
https://github.com/wildfly-security-incubator/elytron-examples
thanks, fixed!
Hi @PrarthonaPaul, I've made some updates. The steps for port-forwarding were missing. I've added them now. The steps work for dockerhub, but when I use quay, I get "ErrImagePull".
oidc-app-5d6f9974fd-srvrg is launched from dockerhub. oidc-app-quay-79d48ff4df-lsb6l is from quay. I'm not able to figure out what's going wrong. best,
Hello @theashiot
Thanks, @PrarthonaPaul for the reply! As discussed, I've removed all mentions of quay. I'll add quay-related info in a separate PR when I'm able to get it running. best,
:toc: macro
:toc-title:

You can secure your WildFly applications deployed on Kubernetes with OpenID Connect (OIDC). By using OIDC to secure applications, you delegate authentication to OIDC providers. This guide shows how to secure an example application deployed to WildFly on Kubernetes cluster running on your local machine, with OIDC using Keycloak as the OIDC provider.
s/on Kubernetes cluster/on a Kubernetes cluster
s/OIDC provider/OpenID provider
Fixed!
== Start Keycloak

We will be using Keycloak as our OIDC identity provider.
s/OIDC identity provider/OpenID provider
fixed
We will be using Keycloak as our OIDC identity provider.

Follow the instructions, till "Log in to the Admin Console", provided in the https://www.keycloak.org/getting-started/getting-started-kube[Get started with Keycloak on Kubernetes] guide.
s/till/up until
updated
+
[source,subs=+quotes]
----
docker login __CONTAINER_REGISTRY__
CONTAINER_REGISTRY seems to render a bit odd. Could we use <CONTAINER_REGISTRY> or something similar instead?
updated all italics to <this_form>
docker tag simple-webapp-oidc __TAGGED_IMAGE__
----
+
Substitute __TAGGED_IMAGE__ as follows:
Same here, renders in a way that's a bit hard to read.
done
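The `docker login` / `docker tag` step discussed above leaves the registry name, the tagged image and the `values.yml` contents to the reader. The script below is an added example, not code from the guide or from the elytron-examples repository: it composes the tagged image reference and rejects names a registry would refuse (uppercase or empty path components), logs in with `--password-stdin` so the token does not land in shell history or `ps` output, and writes a `values.yml` that points the chart at the pushed image. The function names, the `REGISTRY_PASSWORD` variable and the chart keys (`build.enabled`, `image.name`, `deploy.replicas`) are assumptions; check the keys against the WildFly Helm chart version you deploy with.

```shell
#!/bin/sh
# Added example for the "build, tag, push" step of the guide. Not part of the
# guide or of wildfly-security-incubator/elytron-examples. Function names,
# REGISTRY_PASSWORD and the chart keys written by write_values are assumptions.
set -eu

# image_ref REGISTRY NAMESPACE NAME TAG -> prints "registry/namespace/name:tag".
# Empty components and uppercase letters in the repository path are rejected
# locally, so the mistake surfaces before `docker push` fails with a 4xx.
image_ref() {
    registry=$1; namespace=$2; name=$3; tag=$4
    for part in "$registry" "$namespace" "$name" "$tag"; do
        [ -n "$part" ] || { echo "image_ref: empty component" >&2; return 1; }
    done
    path="$registry/$namespace/$name"
    if [ "$path" != "$(printf '%s' "$path" | tr '[:upper:]' '[:lower:]')" ]; then
        echo "image_ref: repository path must be lowercase: $path" >&2
        return 1
    fi
    printf '%s/%s/%s:%s\n' "$registry" "$namespace" "$name" "$tag"
}

# registry_login REGISTRY USER: the token comes from $REGISTRY_PASSWORD (assumed
# name) over stdin, never as a command-line argument.
registry_login() {
    : "${REGISTRY_PASSWORD:?set REGISTRY_PASSWORD to your registry token}"
    printf '%s' "$REGISTRY_PASSWORD" | docker login "$1" --username "$2" --password-stdin
}

# tag_and_push LOCAL_IMAGE FULL_REF: the `docker tag` line from the guide,
# followed by the push the guide leaves implicit.
tag_and_push() {
    docker tag "$1" "$2"
    docker push "$2"
}

# write_values FULL_REF OUTFILE: values.yml that deploys the pushed image
# instead of building in-cluster. Chart keys are assumed from the WildFly
# Helm chart; verify them for your chart version.
write_values() {
    cat > "$2" <<EOF
build:
  enabled: false
deploy:
  replicas: 1
image:
  name: "$1"
EOF
}

# Usage: sh build-push.sh run <dockerhub-namespace> [tag]
if [ "${1:-}" = "run" ]; then
    REF=$(image_ref docker.io "${2:?namespace}" simple-webapp-oidc "${3:-latest}")
    registry_login docker.io "$2"
    tag_and_push simple-webapp-oidc "$REF"
    write_values "$REF" values.yml
    echo "wrote values.yml for $REF"
fi
```

Pin the tag you push (a digest or a version tag rather than `latest`) so that the `image.name` in `values.yml` and the image Kubernetes pulls cannot drift apart between a rebuild and a redeploy.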
Thanks for the post @theashiot! This looks great! @PrarthonaPaul Would you be able to try out the steps from this post when you get a chance?
Thanks, @fjuma for the review! I've updated the content. best,
Hi @theashiot
I have added some minor comments here.
You can secure your WildFly applications deployed on Kubernetes with OpenID Connect (OIDC). By using OIDC to secure applications, you delegate authentication to OpenID providers. This guide shows how to secure an example application deployed to WildFly on a Kubernetes cluster running on your local machine, with OIDC using Keycloak as the OpenID provider.

//toc::[]
Please uncomment this to have the table of contents appear at the top of the guide.
done
== Example Application

We use a simple web application in this guide that consists of a single https://github.com/wildfly-security/elytron-examples/blob/main/simple-webapp-oidc/src/main/java/org/wildfly/security/examples/SecuredServlet.java[servlet]. We show how to secure this servlet using OIDC. We will use the example in the https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc[simple-webapp-oidc] directory in the https://github.com/wildfly-security-incubator/elytron-examples[elytron-examples] repository.
Please update the first link to https://github.com/wildfly-security-incubator/elytron-examples/blob/main/simple-webapp-oidc/src/main/java/org/wildfly/security/examples/SecuredServlet.java
fixed
* *Login settings*: Leave the fields blank for now.

+
For more information, see the Keycloak documentation on how to https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc_clients[Managing OpenID Connect clients].
This could be reworded to "... documentation on how to Manage OpenID Connect clients" or "... documentation on Managing OpenID Connect clients"
used the latter, thanks
To build a Docker image from your application so that you can push it to a container repository, such as Docker Hub, follow these steps:

. Navigate to the application's directory.
It might be clearer to say "Navigate to the simple-webapp-oidc directory."
agreed, updated
While our application is building, let's take a closer look at our application.

* Examine the https://github.com/wildfly-security/elytron-examples/blob/main/simple-webapp-oidc/pom.xml[pom.xml] file.
s/wildfly-security/wildfly-security-incubator
fixed
== Resources

* https://www.wildfly.org/news/2023/06/16/deploy-on-kubernetes-with-helm/[Deploy on Kubernetes with Helm]
* https://docs.wildfly.org/30/Getting_Started_on_OpenShift.html#helm-charts[WildFly Helm Chart]
You can update the version number to 33 to keep it up to date
done
Thanks @PrarthonaPaul for the review! I've made the suggested changes. Mind having another look? best,
Depends on updates to the simple-webapp-oidc example:
wildfly-security-incubator/elytron-examples#209
Preview: https://theashiot.github.io/wildfly-elytron/blog/securing-wildfly-apps-oidc-k8s/