Guide: Securing a WildFly app on k8s with OIDC #2087
cd /PATH/TO/ELYTRON/EXAMPLES/simple-webapp-oidc/charts | ||
---- | ||
|
||
. Create a file `values.yml`. |
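Review bot: the placeholder in the `cd` line, `/PATH/TO/ELYTRON/EXAMPLES`, follows a different convention from the `__CONTAINER_REGISTRY__` and `__TAGGED_IMAGE__` placeholders used later in the same guide; pick one form and use it throughout so readers can tell at a glance what they must substitute. The step "Create a file `values.yml`" also gives the reader nothing to put in the file; either show the required contents here or link to the file in the simple-webapp-oidc example.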
Hi @fjuma, do we want to add this file in https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc ?
Hi @theashiot, apologies for the delayed response. I haven't gone through this in detail yet but yes, adding a file with the required configuration for k8s to the existing example would make sense.
Thanks, @fjuma, I've created a PR to add the file: wildfly-security-incubator/elytron-examples#209
I'll update the steps shortly.
I've updated the steps. Ready for review!
Please note that I haven't tested the steps for Quay. I have based them on https://www.wildfly.org/news/2023/06/16/deploy-on-kubernetes-with-helm/ . I'm facing some authentication problems with Quay.
I've tested the steps for Docker Hub.
|
||
== Example Application | ||
|
||
We use a simple web application in this guide that consists of a single https://github.com/wildfly-security/elytron-examples/blob/main/simple-webapp-oidc/src/main/java/org/wildfly/security/examples/SecuredServlet.java[servlet]. We show how to secure this servlet using OIDC. We will use the example in the https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc[simple-webapp-oidc] directory in the https://github.com/wildfly-security/elytron-examples[elytron-examples] repository. |
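Review bot: the three links in this paragraph point at two different GitHub organisations: the `servlet` link and the `elytron-examples` repository link go to `wildfly-security/elytron-examples`, while the `simple-webapp-oidc` directory link goes to `wildfly-security-incubator/elytron-examples`. Point all three at the same repository so that the servlet and repository links do not go stale if the two trees diverge.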
FYI, the examples repo is under the wildfly-security-incubator account.
https://github.com/wildfly-security-incubator/elytron-examples
Thanks, fixed!
Hi @PrarthonaPaul, I've made some updates. The steps for port-forwarding were missing. I've added them now. The steps work for Docker Hub, but when I use Quay, I get "ErrImagePull".
oidc-app-5d6f9974fd-srvrg is launched from Docker Hub. oidc-app-quay-79d48ff4df-lsb6l is from Quay. I'm not able to figure out what's going wrong. best,
Hello @theashiot
Thanks, @PrarthonaPaul for the reply! As discussed, I've removed all mentions of Quay. I'll add Quay-related info in a separate PR when I'm able to get it running. best,
:toc: macro | ||
:toc-title: | ||
|
||
You can secure your WildFly applications deployed on Kubernetes with OpenID Connect (OIDC). By using OIDC to secure applications, you delegate authentication to OIDC providers. This guide shows how to secure an example application deployed to WildFly on Kubernetes cluster running on your local machine, with OIDC using Keycloak as the OIDC provider. |
s/on Kubernetes cluster/on a Kubernetes cluster
s/OIDC provider/OpenID provider
Fixed!
|
||
== Start Keycloak | ||
|
||
We will be using Keycloak as our OIDC identity provider. |
s/OIDC identity provider/OpenID provider
Fixed.
|
||
We will be using Keycloak as our OIDC identity provider. | ||
|
||
Follow the instructions, till "Log in to the Admin Console", provided in the https://www.keycloak.org/getting-started/getting-started-kube[Get started with Keycloak on Kubernetes] guide. |
s/till/up until
Updated.
+ | ||
[source,subs=+quotes] | ||
---- | ||
docker login __CONTAINER_REGISTRY__ |
CONTAINER_REGISTRY seems to render a bit odd. Could we use <CONTAINER_REGISTRY> or something similar instead?
Updated all italics to <this_form>.
docker tag simple-webapp-oidc __TAGGED_IMAGE__ | ||
---- | ||
+ | ||
Substitute __TAGGED_IMAGE__ as follows: |
Same here, renders in a way that's a bit hard to read.
Done.
Thanks for the post @theashiot! This looks great! @PrarthonaPaul Would you be able to try out the steps from this post when you get a chance?
Thanks, @fjuma for the review! I've updated the content. best,
Depends on updates to the simple-webapp-oidc example:
wildfly-security-incubator/elytron-examples#209
Preview: https://theashiot.github.io/wildfly-elytron/blog/securing-wildfly-apps-oidc-k8s/