# Interactive edit of the Istio ingress gateway Service (namespace istio-system).
# NOTE(review): the note below changes it to port 80, i.e. plain HTTP at the edge;
# the oauth2-proxy session cookie configured later with --cookie-secure=false then
# travels in cleartext — revisit both once TLS is terminated at the gateway.
kubectl edit svc istio-ingressgateway -n istio-system
将端口更改为 80
# Interactive edit of the Keycloak Service (namespace keycloak; "-nkeycloak" is "-n keycloak").
# The in-cluster issuer/JWKS URLs used later in these notes assume it answers on port 8080.
kubectl edit svc keycloak -nkeycloak
将端口更改为 8080
添加域
添加客户端
Keycloak 上的 Access Type 共有三类：
- confidential：适用于需要执行浏览器登录的应用，客户端会通过 client secret 来获取 access token，多用于服务端渲染的 Web 系统场景中；
- public：适用于需要执行浏览器登录的应用，多用于使用 Vue 和 React 实现的前端项目；
- bearer-only：适用于不需要执行浏览器登录的应用，只允许携带 bearer token 访问，多用于 RESTful API 的使用场景。
添加*
多出凭据
root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# cat 01-deploy-oauth2.yaml
# oauth2-proxy deployment used as the Istio ext_authz check service in front of Keycloak.
# The namespace is labelled for sidecar injection, so the proxy's own traffic goes through Envoy.
apiVersion: v1
kind: Namespace
metadata:
  name: oauth2-proxy
  labels:
    istio-injection: enabled
---
# Credentials read by the Deployment below through secretKeyRef.
# NOTE(review): all three values sit in plaintext in this manifest, so the file is as
# sensitive as the Keycloak client secret itself — keep it out of shared notes/VCS
# (or source the values from an external secret store) and rotate the client
# secret in Keycloak if the file has already been circulated.
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
stringData:
  # change this to your Keycloak Realm Client Id
  OAUTH2_PROXY_CLIENT_ID: ingress-gateway
  # change this to your Keycloak Client Secret
  OAUTH2_PROXY_CLIENT_SECRET: QdbO5qR5OPNcHdedX6GFZSxlOmqKDKkm
  # Generate by command: openssl rand -base64 32 | tr -- '+/' '-_'
  OAUTH2_PROXY_COOKIE_SECRET: vEBMxbw7NXfaUIJR4klhdvB678GUPxWTd7tR9hq2m8w=
---
# ClusterIP Service that the Istio extension provider targets on port 4180.
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
  - name: http
    port: 4180
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
        args:
        - --provider=oidc
        # Discovery, userinfo and token validation all go to the in-cluster Keycloak over
        # plain HTTP on 8080; whether that hop is protected depends on the mesh (mTLS)
        # also covering the keycloak namespace, which is not shown here — TODO confirm.
        - --oidc-issuer-url=http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio
        - --profile-url=http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/userinfo
        - --validate-url=http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/userinfo
        - --set-authorization-header=true
        - --http-address=0.0.0.0:4180
        - --pass-host-header=true
        # Trusts X-Forwarded-* from the caller; acceptable only because Envoy (the
        # ext_authz client) is the sole caller — do not expose 4180 beyond the mesh.
        - --reverse-proxy=true
        - --auth-logging=true
        - --cookie-httponly=true
        - --cookie-refresh=4m
        # Session cookie is allowed over plain HTTP (matches the port-80 gateway in these
        # notes). Switch to true once TLS terminates at the gateway; until then the
        # session cookie is exposed on the wire.
        - --cookie-secure=false
        # No e-mail domain restriction: every user who can log in to the realm is accepted;
        # any finer-grained authorization has to happen in Keycloak or in an Istio
        # AuthorizationPolicy.
        - --email-domain="*"
        # Access token / Authorization header / X-Auth-Request-* are emitted on allow so
        # that Istio can relay them to the upstream (see headersToUpstreamOnAllow in the
        # IstioOperator spec). Upstream services then receive the user's bearer token —
        # treat them as part of the trust boundary.
        - --pass-access-token=true
        - --pass-authorization-header=true
        - --request-logging=true
        - --set-xauthrequest=true
        - --silence-ping-logging=true
        # Redirect straight to Keycloak instead of showing oauth2-proxy's sign-in page.
        - --skip-provider-button=true
        - --skip-auth-strip-headers=false
        # Disables certificate verification towards the provider. It has no effect while
        # the URLs above are http://, but would silently accept any certificate once they
        # are switched to https:// — remove it at that point.
        - --ssl-insecure-skip-verify=true
        - --standard-logging=true
        # The proxy never forwards traffic itself; it only answers the auth check with 200
        # and Envoy does the proxying.
        - --upstream="static://200"
        # Post-login redirects are restricted to these domain suffixes (open-redirect guard).
        - --whitelist-domain=".magedu.com,.cluster.local"
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_COOKIE_SECRET
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
        ports:
        - containerPort: 4180
          protocol: TCP
        # /ping is oauth2-proxy's own health endpoint; presumably it does not exercise the
        # Keycloak connection, so readiness says nothing about the provider being reachable.
        readinessProbe:
          periodSeconds: 3
          httpGet:
            path: /ping
            port: 4180
root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# kubectl get deploy -noauth2-proxy NAME READY UP-TO-DATE AVAILABLE AGE oauth2-proxy 1/1 1 1 71s
root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# kubectl get svc -noauth2-proxy NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE oauth2-proxy ClusterIP 10.100.183.155 <none> 4180/TCP 3m7s
root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# cat 02-istio-operator-update.yaml
# Registers oauth2-proxy as an external-authorization provider so that an
# AuthorizationPolicy with action: CUSTOM can reference it by name.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: demo
  meshConfig:
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: 4180
        # A check that does not answer within 1.5s is treated as a failure; with Istio's
        # default failOpen=false that means the request is denied (fail closed).
        timeout: 1.5s
        # Only these request headers reach the check service: the proxy sees the session
        # cookie and any bearer token, but nothing else from the client request.
        includeHeadersInCheck: ["authorization", "cookie"]
        # On allow, the token and identity headers produced by oauth2-proxy are copied onto
        # the upstream request — upstream services receive the user's access token.
        # NOTE(review): "path" is listed as a header name here; nothing on this page shows
        # oauth2-proxy setting such a header, so verify it is intended.
        headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
        # On deny, these response headers (presumably the login redirect plus its cookie)
        # are passed back to the client.
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]
# Applies the IstioOperator spec above (demo profile plus the oauth2-proxy extension provider).
# NOTE(review): istioctl install reconciles the control plane from this file as a whole, so
# any earlier customisation not repeated here may be reset — confirm against the existing install.
root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# istioctl install -f 02-istio-operator-update.yaml
root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# cat 03-ext-auth-ingress-gateway.yaml
# RequestAuthentication: validates any JWT presented at the ingress gateway against the
# Keycloak realm's JWKS. Per Istio semantics a request carrying an invalid token is
# rejected, but a request with no token is still let through — login is enforced only
# by the CUSTOM AuthorizationPolicy below.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  # NOTE(review): Keycloak derives the token's "iss" claim from the URL it is reached
  # through, so tokens obtained via an external hostname may not carry this in-cluster
  # issuer; the commented-out keycloak.magedu.com rule below hints at that — confirm
  # which issuer the tokens actually contain.
  - issuer: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio
    # JWKS fetched over plain HTTP from inside the cluster.
    jwksUri: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs
    # audiences is disabled, so a token minted for any client in this realm is accepted.
    #audiences: ["ingress-gateway","istio-ingress-gateway"]
    # Forward JWT to Envoy Sidecar
    # Left at Istio's default (false): the validated token is stripped before the request
    # is forwarded, so upstreams rely on the headers relayed by the ext_authz provider.
    #forwardOriginalToken: true
  # - issuer: http://keycloak.magedu.com:8080/auth/realms/istio
  #   jwksUri: http://keycloak.magedu.com:8080/auth/realms/istio/protocol/openid-connect/certs
---
# Delegates the authorization decision for kiali.magedu.com to oauth2-proxy. Only this
# host is covered — other hosts served by the same gateway are untouched by this policy —
# and /auth/* is excluded, presumably so Keycloak's own login/callback paths are not
# gated by the proxy that redirects to them (verify this is the intended exception).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-oauth2-proxy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    # Extension provider configured when we installed Istio
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts: ["kiali.magedu.com"]
        notPaths: ["/auth/*"]
自动跳转为