Guide: Securing a WildFly app on k8s with OIDC

[theashiot]

Depends on updates to the simple-webapp-oidc example:
wildfly-security-incubator/elytron-examples#209

Preview: https://theashiot.github.io/wildfly-elytron/blog/securing-wildfly-apps-oidc-k8s/

[theashiot]

Hi @fjuma, do we want to add this file in https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc ?

[fjuma]

Hi @theashiot, apologies for the delayed response. I haven't gone through this in detail yet but yes, adding a file with the required configuration for k8s to the existing example would make sense.

[theashiot]

Thanks, @fjuma, i've created a PR to add the file: wildfly-security-incubator/elytron-examples#209

I'll updated the steps shortly.

[theashiot]

I've updates the steps. Ready for review!

Please note that I haven't tested the steps for Quay. I have based them on https://www.wildfly.org/news/2023/06/16/deploy-on-kubernetes-with-helm/ . I'm facing some authentication problems with Quay.

I've tested the steps for Docker Hub.

[PrarthonaPaul]

FYI, the examples repo is under the wildfly-security-incubator account.
https://github.com/wildfly-security-incubator/elytron-examples

[theashiot]

thanks, fixed!

[theashiot]

Hi @PrarthonaPaul,

I've made some updates. The steps for port-forwarding were missing. I've added them now. The steps work for dockerhub, but when i use quay, i get "ErrImagePull".

kubectl get pod
NAME                             READY   STATUS         RESTARTS      AGE
keycloak-65766c8d6b-tdnhn        1/1     Running        1 (42m ago)   75m
oidc-app-5d6f9974fd-srvrg        1/1     Running        0             26m
oidc-app-quay-79d48ff4df-lsb6l   0/1     ErrImagePull   0             68s

oidc-app-5d6f9974fd-srvrg is launched from dockerhub. oidc-app-quay-79d48ff4df-lsb6l is from quay.

I'm not able to figure out whats going wrong.

best,
ashwin

[PrarthonaPaul]

Hi @PrarthonaPaul,

I've made some updates. The steps for port-forwarding were missing. I've added them now. The steps work for dockerhub, but when i use quay, i get "ErrImagePull".

kubectl get pod
NAME                             READY   STATUS         RESTARTS      AGE
keycloak-65766c8d6b-tdnhn        1/1     Running        1 (42m ago)   75m
oidc-app-5d6f9974fd-srvrg        1/1     Running        0             26m
oidc-app-quay-79d48ff4df-lsb6l   0/1     ErrImagePull   0             68s

oidc-app-5d6f9974fd-srvrg is launched from dockerhub. oidc-app-quay-79d48ff4df-lsb6l is from quay.

I'm not able to figure out whats going wrong.

best, ashwin

Hello @theashiot
It could be because you don't have your quay secret uploaded to k8.
Here are the steps to doing that for OpenShift: https://wildfly-security.github.io/wildfly-elytron/blog/in-progress-wildfly-feature-on-openshift/#configure-image-pull-secret

[theashiot]

Thanks, @PrarthonaPaul for the reply! As discussed, i've removed all mentions of quay. I'll add quay-related info in a separate PR when i'm able to get it running.

best,
ashwin

[fjuma]

s/on Kubernetes cluster/on a Kubernetes cluster

[fjuma]

s/OIDC provider/OpenID provider

[theashiot]

Fixed!

[fjuma]

s/OIDC identity provider/OpenID provider

[theashiot]

fixed

[fjuma]

s/till/up until

[theashiot]

updated

[fjuma]

CONTAINER_REGISTRY seems to render a bit odd. Could we use <CONTAINER_REGISTRY> or something similar instead?

[theashiot]

updated all italics to <this_form>

[fjuma]

Same here, renders in a way that's a bit hard to read.

[theashiot]

done

[fjuma]

Thanks for the post @theashiot! This looks great!

@PrarthonaPaul Would you be able to try out the steps from this post when you get a chance?

[theashiot]

Thanks, @fjuma for the review! I've updated the content.

best,
ashwin