diff --git a/README.md b/README.md index 13b479f..52da0a9 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,8 @@ oc get storageclasses Install 3scale operator into `3scale` namespace. (Create new namespace) +![3scale operator](support/images/3scale-operator.png) + Set the cluster wildcard domain in `3scale/APIManager_3scale.yaml` Example wildcard domain: `apps.cluster-8glcz.8glcz.sandbox730.opentlc.com` @@ -44,19 +46,31 @@ Example wildcard domain: `apps.cluster-8glcz.8glcz.sandbox730.opentlc.com` oc apply -f 3scale/APIManager_3scale.yaml -n 3scale ``` +You should see a screen like this: + +![3Scale Project Overview](support/images/3scale-project-overview.png) + ## Provision OpenShift Service Mesh 1. Install Elasticsearch operator all namespaces 2. Install Jaeger operator all namespaces 3. Install Kiali operator all namespaces 4. Install OpenShift Service Mesh operator all namespaces + +![3scale operator](support/images/installed-operators.png) + 5. Create a namespace for the service mesh control plane -5. Provision a control plane (see below) +6. Provision a control plane (see below) ``` oc new-project istio-system oc apply -f istio-system/ServiceMeshControlPlane_basic.yaml -n istio-system ``` + +You should see a screen like this: + +![Istio System Project Overview](support/images/istio-system-project-overview.png) + ## Provision BookInfo demo ### Deploy BookInfo 
@@ -75,12 +89,19 @@ oc apply -f https://raw.githubusercontent.com/maistra/istio/maistra-2.1/samples/ oc apply -f https://raw.githubusercontent.com/maistra/istio/maistra-2.1/samples/bookinfo/networking/bookinfo-gateway.yaml -n bookinfo ``` +You should see a screen like this: + +![Bookinfo Project Overview](support/images/bookinfo-project-overview.png) + + You can now verify that the bookinfo service is responding: ``` curl -v http://istio-ingressgateway-istio-system.{cluster wildcard url}/productpage ``` +You should see `200` as HTTP code. + ### Configure BookInfo 3scale Product Log into 3scale using the route whose hostname begins with `3scale-admin` in the `3scale` namespace. @@ -98,7 +119,19 @@ NOTE: You will find the admin username and password in a secret called `system-s #### Configure 3scale URLs -Find the URLs for the 3scale-admin and backend-3scale routes in the `3scale` namespace. Substitute those URLs into the ServiceEntry resources. +Find the URLs for the 3scale-admin and backend-3scale routes in the `3scale` namespace. Substitute those URLs into the ServiceEntry resources (Line 7). + +``` + - system-provider.3scale.svc.cluster.local +``` + +and + +``` + - backend-listener.3scale.svc.cluster.local +``` + +Apply the configuration: ``` oc apply -f bookinfo/ServiceEntry_system-entry.yaml -f bookinfo/ServiceEntry_backend-entry.yaml -n bookinfo @@ -106,7 +139,7 @@ oc apply -f bookinfo/ServiceEntry_system-entry.yaml -f bookinfo/ServiceEntry_bac #### Configure system token -Copy the `ADMIN_ACCESS_TOKEN` key of the `system-seed` secret in the `3scale` namespace and replace the value of `spec.config.system.token` in `bookinfo/ServiceMeshExtension_bookinfo.yaml` +Copy the `ADMIN_ACCESS_TOKEN` key of the `system-seed` secret in the `3scale` namespace and replace the value of `spec.config.system.token` (Line 16) in `bookinfo/ServiceMeshExtension_bookinfo.yaml` #### Configure service 
@@ -116,7 +149,9 @@ Use 3scale admin access token along with the 3scale product ID from the 3scale p curl https://3scale-admin.{cluster wildcard url}/admin/api/services/{product id}/proxy/configs/production/latest.json?access_token={access token} | jq '.proxy_config.content.backend_authentication_value' ``` -The output will be the service token. Modify the `id` and `token` of the `spec.config.services` entry in `bookinfo/ServiceMeshExtension_bookinfo.yaml`. The `id` value should be the product ID. +The output will be the service token. Modify the `id` and `token` of the `spec.config.services` (line 33) entry in `bookinfo/ServiceMeshExtension_bookinfo.yaml`. The `id` value should be the product ID. + +![3scale product id](support/images/product-id.png) #### Apply extension @@ -126,14 +161,18 @@ oc apply -f bookinfo/ServiceMeshExtension_bookinfo.yaml -n bookinfo ### Authorize an Application to Consume the API -1. In 3scale, go to Audience -2. Choose an account to authorize (you can use the default Developer account) -3. Follow the Link at the top of the page that says `N Applications` (N being the number of applications the account has) -4. Click Create Application -5. Select the target application plan and provide a name, then create +1. In 3scale, go to the Product overview +2. Select `Applications > Listing` in the side menu +3. Click on `Create Application` in the top right corner + +![3scale create application](support/images/3scale-create-application.png) + +2. Fill the form and create the application You should now have an API key that you can copy and use for authorization +![3scale new application](support/images/3scale-new-application.png) + ### Verify the policy enforcement Access without credentials: 
@@ -142,7 +181,7 @@ Access without credentials: curl -v http://istio-ingressgateway-istio-system.{cluster wildcard url}/productpage` ``` -You should see an HTTP 401 response. +You should see an HTTP 403 response. Access with credentials (from the previous step): @@ -152,20 +191,27 @@ curl -v http://istio-ingressgateway-istio-system.{cluster wildcard url}/productp You should see an HTTP 200 response. +![Test](support/images/policy-enforcement-test.png) + ## Enable OIDC Authentication Flow ### Provision and configure Red Hat SSO Install the Red Hat SSO operator into the `keycloak` namespace. +![RHSSO operator](support/images/rhsso-operator.png) + Provision an instance of Keycloak. ``` +oc new-project keycloak oc apply -f keycloak/Keycloak_keycloak.yaml -n keycloak ``` Wait for all pods to be in a running state. +![Keycloak project overview](support/images/keycloak-project-overview.png) + NOTE: The URL to the Keycloak admin console can be found by listing the routes in the `keycloak` namespace, and the administrator credentials can be found in the secret called `credential-keycloak` ### Keycloak Realm configuration @@ -188,6 +234,8 @@ To add the permissions in the Red Hat SSO UI: 4. Select `realm-management` from the `Client Roles` dropdown 5. Select `manage-clients` from the `Available Roles` and add it to `Assigned Roles` +![Keycloak Manage Roles](support/images/keycloak-manage-roles.png) + ### Service Mesh OIDC Integration #### Configure BookInfo 3scale Product with OIDC authentication 
@@ -209,6 +257,20 @@ NOTE: You will find the admin username and password in a secret called `system-s 8. Go to Applications->Application Plans and publish the application plan 9. Go to the Product Overview and take note of the ID given to the API by searching for text `ID for API calls is`(This will be used in later steps) +![3Scale create product](support/images/3scale-create-product.png) + +![3Scale settings OIDC](support/images/3scale-settings-01.png) + +![3Scale settings OIDC](support/images/3scale-settings-02.png) + +![3Scale configuration](support/images/3scale-configuration.png) + +![3Scale application plan](support/images/3scale-application-plan.png) + +![3Scale application plan](support/images/3scale-application-plan-publish.png) + +![3Scale bookinfo oidc overview](support/images/bookinfo-overview-oidc.png) + #### Enable API Policy Management for BookInfo If the `Service Entry` for 3scale system-provider and backend are not created earlier then please perform the below step diff --git a/bookinfo/ServiceMeshExtension_bookinfo.yaml b/bookinfo/ServiceMeshExtension_bookinfo.yaml index ac3df6f..6ae168f 100644 --- a/bookinfo/ServiceMeshExtension_bookinfo.yaml +++ b/bookinfo/ServiceMeshExtension_bookinfo.yaml @@ -3,7 +3,7 @@ kind: ServiceMeshExtension metadata: name: bookinfo spec: - image: 'quay.io/3scale/threescale-wasm-auth@sha256:c26a879dcadbf1ad6f693d62b327685202bacade36cebca24e98e9d0f0a17e1f' + image: 'registry.redhat.io/openshift-service-mesh/3scale-auth-wasm-rhel8:0.0.1' phase: PostAuthZ priority: 100 workloadSelector: @@ -13,7 +13,7 @@ spec: api: v1 system: name: system - token: VDG2U6c9kXwdetUH + token: GjVsCOshW6ZzbkSM upstream: name: >- outbound|3000||system-provider.3scale.svc.cluster.local 
@@ -30,7 +30,7 @@ spec: url: 'http://backend-listener.3scale.svc.cluster.local' services: - id: '3' - token: cf939c57f946bb3c809508caabeac45db51782f1c671e4a2dd2dad57d29ba394 + token: 1caab709c7ec596b390c1d6b77f37c03c39aabe809e71909e479836cbe058aa2 authorities: - '*' credentials: diff --git a/support/images/3scale-application-overview.png b/support/images/3scale-application-overview.png new file mode 100644 index 0000000..ed7f77f Binary files /dev/null and b/support/images/3scale-application-overview.png differ diff --git a/support/images/3scale-application-plan-publish.png b/support/images/3scale-application-plan-publish.png new file mode 100644 index 0000000..ea844fc Binary files /dev/null and b/support/images/3scale-application-plan-publish.png differ diff --git a/support/images/3scale-application-plan.png b/support/images/3scale-application-plan.png new file mode 100644 index 0000000..a97e5bc Binary files /dev/null and b/support/images/3scale-application-plan.png differ diff --git a/support/images/3scale-configuration.png b/support/images/3scale-configuration.png new file mode 100644 index 0000000..cb2948e Binary files /dev/null and b/support/images/3scale-configuration.png differ diff --git a/support/images/3scale-create-application.png b/support/images/3scale-create-application.png new file mode 100644 index 0000000..e28fd06 Binary files /dev/null and b/support/images/3scale-create-application.png differ diff --git a/support/images/3scale-create-product.png b/support/images/3scale-create-product.png new file mode 100644 index 0000000..897d95e Binary files /dev/null and b/support/images/3scale-create-product.png differ diff --git a/support/images/3scale-new-application.png b/support/images/3scale-new-application.png new file mode 100644 index 0000000..b20d065 Binary files /dev/null and b/support/images/3scale-new-application.png differ 
diff --git a/support/images/3scale-operator.png b/support/images/3scale-operator.png new file mode 100644 index 0000000..c747287 Binary files /dev/null and b/support/images/3scale-operator.png differ diff --git a/support/images/3scale-project-overview.png b/support/images/3scale-project-overview.png new file mode 100644 index 0000000..14fea91 Binary files /dev/null and b/support/images/3scale-project-overview.png differ diff --git a/support/images/3scale-settings-01.png b/support/images/3scale-settings-01.png new file mode 100644 index 0000000..b86ed5f Binary files /dev/null and b/support/images/3scale-settings-01.png differ diff --git a/support/images/3scale-settings-02.png b/support/images/3scale-settings-02.png new file mode 100644 index 0000000..717189b Binary files /dev/null and b/support/images/3scale-settings-02.png differ diff --git a/support/images/application id.png b/support/images/application id.png new file mode 100644 index 0000000..18ba035 Binary files /dev/null and b/support/images/application id.png differ diff --git a/support/images/bookinfo-overview-oidc.png b/support/images/bookinfo-overview-oidc.png new file mode 100644 index 0000000..50a59ec Binary files /dev/null and b/support/images/bookinfo-overview-oidc.png differ diff --git a/support/images/bookinfo-project-overview.png b/support/images/bookinfo-project-overview.png new file mode 100644 index 0000000..829a9e6 Binary files /dev/null and b/support/images/bookinfo-project-overview.png differ diff --git a/support/images/installed-operators.png b/support/images/installed-operators.png new file mode 100644 index 0000000..7ffb4fb Binary files /dev/null and b/support/images/installed-operators.png differ diff --git a/support/images/istio-system-project-overview.png b/support/images/istio-system-project-overview.png new file mode 100644 index 0000000..93e2573 Binary files /dev/null and b/support/images/istio-system-project-overview.png differ 
diff --git a/support/images/keycloak-manage-roles.png b/support/images/keycloak-manage-roles.png new file mode 100644 index 0000000..913d6ea Binary files /dev/null and b/support/images/keycloak-manage-roles.png differ diff --git a/support/images/keycloak-project-overview.png b/support/images/keycloak-project-overview.png new file mode 100644 index 0000000..e3da727 Binary files /dev/null and b/support/images/keycloak-project-overview.png differ diff --git a/support/images/policy-enforcement-test.png b/support/images/policy-enforcement-test.png new file mode 100644 index 0000000..39c0e3c Binary files /dev/null and b/support/images/policy-enforcement-test.png differ diff --git a/support/images/product-id.png b/support/images/product-id.png new file mode 100644 index 0000000..18ba035 Binary files /dev/null and b/support/images/product-id.png differ diff --git a/support/images/rhsso-operator.png b/support/images/rhsso-operator.png new file mode 100644 index 0000000..f876901 Binary files /dev/null and b/support/images/rhsso-operator.png differ
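Review bot: in the README hunk `@@ -44,19 +46,31 @@`, the image line `![3scale operator](support/images/installed-operators.png)` is inserted unindented between list items 4 and 5, which ends the ordered list in most Markdown renderers and starts a second list at "5."; either indent the image so it stays inside item 4, or move it above the list. The alt text also says "3scale operator" for a screenshot of the installed Service Mesh operators, so it should read something like "Installed operators".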
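Review bot: in the README hunk `@@ -75,12 +89,19 @@`, the added sentence "You should see `200` as HTTP code." would read better as "You should see an HTTP 200 response.", matching the wording used later in the "Verify the policy enforcement" section, and there is a doubled blank line after the `bookinfo-project-overview.png` image that can be collapsed to one.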
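Review bot: in the README hunk `@@ -98,7 +119,19 @@`, the two added snippets (`- system-provider.3scale.svc.cluster.local` and `- backend-listener.3scale.svc.cluster.local`) are ambiguous: the sentence says to substitute the route URLs "into the ServiceEntry resources (Line 7)", and a reader can take the snippets as the value to put there rather than the value to replace. State explicitly that these are the placeholder hosts currently on line 7 of each ServiceEntry file and that they must be replaced by the hostnames of the `3scale-admin` and `backend-3scale` routes. Referring to a line number is also brittle; naming the field (`spec.hosts`) survives future edits to the YAML.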
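Review bot: in the README hunk `@@ -106,7 +139,7 @@`, the added "(Line 16)" will go stale as soon as `bookinfo/ServiceMeshExtension_bookinfo.yaml` changes; the existing field path `spec.config.system.token` already identifies the value unambiguously, so drop the line number. While here, the sentence lacks a terminating period.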
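Review bot: in the README hunk `@@ -116,7 +149,9 @@`, the added "(line 33)" has the same brittleness as the other line references; `spec.config.services` plus the `id`/`token` keys already locate the entry. The surrounding `curl` command in this hunk passes the admin `access_token` as a query parameter, which lands in shell history and proxy logs; worth a sentence advising readers to treat that token as a secret and not to paste it into the committed YAML or the README.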
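Review bot: in the README hunk `@@ -126,14 +161,18 @@`, the rewritten list is numbered 1, 2, 3 and then "2. Fill the form and create the application" after the screenshot; it should be "4.", and as in the earlier hunk the unindented image line between items 3 and 4 will break the list in most renderers, so indent it or place it after the list.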
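Review bot: in the README hunk `@@ -142,7 +181,7 @@`, the expected response for an unauthenticated request changes from 401 to 403 with no explanation; since the same change set also swaps the extension image to `3scale-auth-wasm-rhel8:0.0.1`, say in the commit message or the README that the new image returns 403 for missing credentials, so readers running the older image know why they see a different code. The unchanged context line `curl -v http://istio-ingressgateway-istio-system.{cluster wildcard url}/productpage`` carries a stray trailing backtick that will be copied into the shell; it should be removed in the same hunk.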
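Review bot: in the README hunk `@@ -152,20 +191,27 @@`, the added `oc new-project keycloak` comes after the instruction "Install the Red Hat SSO operator into the `keycloak` namespace", so the reader is told to install into a namespace that does not exist yet; move the `oc new-project keycloak` line (or an equivalent "Create the `keycloak` namespace" step) ahead of the operator install, mirroring the "(Create new namespace)" note used for the `3scale` operator earlier in the README.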
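Review bot: in the README hunk `@@ -209,6 +257,20 @@`, two pairs of screenshots share identical alt text ("3Scale settings OIDC" for `3scale-settings-01.png` and `3scale-settings-02.png`, "3Scale application plan" for `3scale-application-plan.png` and `3scale-application-plan-publish.png`); give each a distinct description (for example "3Scale application plan publish") so the images can be told apart when they fail to load or are read by a screen reader.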
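Review bot: in hunk `@@ -3,7 +3,7 @@` of `bookinfo/ServiceMeshExtension_bookinfo.yaml`, the new `spec.image` value `registry.redhat.io/openshift-service-mesh/3scale-auth-wasm-rhel8:0.0.1` drops the `@sha256:` digest pin that the replaced `quay.io/3scale/threescale-wasm-auth` reference had, so the WebAssembly module the mesh loads is now whatever the mutable `0.0.1` tag points at on a given day; pin the new image by digest as well (`...:0.0.1@sha256:<digest>`, with the digest taken from the registry) so the reviewed policy-enforcement code cannot change underneath the demo. The README should also mention that pulling from `registry.redhat.io` requires a valid pull secret on the cluster.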
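Review bot: in hunk `@@ -13,7 +13,7 @@` of `bookinfo/ServiceMeshExtension_bookinfo.yaml`, the `spec.config.system.token` value is rotated from `VDG2U6c9kXwdetUH` to `GjVsCOshW6ZzbkSM`, which means a value the README says is copied from the `ADMIN_ACCESS_TOKEN` key of the cluster's `system-seed` secret is being committed to the repository; if either value is a real token, it is now in git history for good and should be revoked on that 3scale instance. Commit an obvious placeholder such as `REPLACE_WITH_ADMIN_ACCESS_TOKEN` instead, so the README's "replace the value" step is clearly mandatory.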
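Review bot: in hunk `@@ -30,7 +30,7 @@` of `bookinfo/ServiceMeshExtension_bookinfo.yaml`, the `services[].token` value is likewise replaced with another 64-hex-character string; the README obtains this value from the 3scale `proxy_config.content.backend_authentication_value` of a live product, so it is a backend service token and should not be committed either. Use a placeholder such as `REPLACE_WITH_SERVICE_TOKEN` and, if the old or new value came from a real cluster, regenerate it there.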