Exercise 4: Setup Keycloak


These setup instructions are based on the Keycloak guide "Keycloak on Kubernetes".

That guide covers installing an Ingress for Keycloak, but we already have Istio installed and will use the Istio Ingress gateway to access Keycloak externally. The original keycloak.yaml has been modified and the NodePort has been removed.

Note: This is an "ephemeral" installation of Keycloak; no database is used for persistence. That is sufficient for a workshop but not suitable for production use!

Step 1: Deploy Keycloak

cd $ROOT_FOLDER/IKS
kubectl apply -f keycloak.yaml

Step 2: Wait until the Keycloak Pod is started

kubectl get pods

Step 3: Access Keycloak

Get the Keycloak URL and open the URL in your browser:

echo "https://$INGRESSURL/auth"

Note: This will work because we created a VirtualService in the previous exercise that maps the /auth URI to the Keycloak service.

Step 4: Try to log on to Keycloak

  • Click on Administration Console.

  • Log in with username admin and password admin.

Step 5: Create realm

For the workshop we need our pre-configured realm. We will create the realm using a bash script.

  • Verify your existing environment variables

cd $ROOT_FOLDER/IKS
echo $MYCLUSTER
echo $INGRESSURL
echo $INGRESSSECRET

  • Execute the bash script

bash keycloak-create-realm.sh

Example output:

------------------------------------------------------------------------
The realm is created.
Open following link in your browser:
https://harald-uebele-k8s-fra05-********************-0001/auth/admin/master/console/#/realms/quarkus
------------------------------------------------------------------------

Step 6: Verify the newly created realm

Try to create an access token. This requires the $INGRESSURL environment variable to be set:

curl -d "username=alice" -d "password=alice" -d "grant_type=password" -d "client_id=frontend" "https://$INGRESSURL/auth/realms/quarkus/protocol/openid-connect/token" | sed -n 's|.*"access_token":"\([^"]*\)".*|\1|p'
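To confirm that a token like the one from Step 6 was issued by the quarkus realm for the frontend client, you can decode its payload and check the claims. The script below is an added example, not part of the original workshop; the function names, the host keycloak.example.test, the role user and the issuer format https://<host>/auth/realms/quarkus are assumptions, and the sample token is constructed.

```shell
#!/usr/bin/env bash
# Added example: inspect the claims of a Keycloak access token.
# The signature is NOT verified here; this is a setup check, not token validation.

# Decode the payload (second dot-separated segment, base64url without padding).
jwt_payload() (
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
)

# Print one top-level string claim, e.g. iss, azp or preferred_username.
jwt_claim() ( jwt_payload "$1" | sed -n 's|.*"'"$2"'":"\([^"]*\)".*|\1|p' )

# Print the realm roles carried in realm_access.roles, comma separated.
jwt_realm_roles() (
  jwt_payload "$1" | sed -n 's|.*"realm_access":{"roles":\[\([^]]*\)].*|\1|p' | tr -d '"'
)

# Return 0 only if issuer, client and user match and the token has not expired.
check_token() (
  tok=$1; want_iss=$2; want_user=$3
  exp=$(jwt_payload "$tok" | sed -n 's|.*"exp":\([0-9][0-9]*\).*|\1|p')
  [ "$(jwt_claim "$tok" iss)" = "$want_iss" ] || { echo "unexpected issuer" >&2; exit 1; }
  [ "$(jwt_claim "$tok" azp)" = "frontend" ] || { echo "unexpected client" >&2; exit 1; }
  [ "$(jwt_claim "$tok" preferred_username)" = "$want_user" ] || { echo "unexpected user" >&2; exit 1; }
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ] || { echo "expired or missing exp" >&2; exit 1; }
)

# Constructed sample token (placeholder signature) so the script runs offline.
# $1 is the expiry time as a Unix timestamp.
make_sample_token() (
  b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims='{"exp":%s,"iss":"https://keycloak.example.test/auth/realms/quarkus","azp":"frontend",'
  claims=$claims'"preferred_username":"alice","realm_access":{"roles":["user"]}}'
  pay=$(printf "$claims" "$1" | b64url)
  printf '%s.%s.%s' "$hdr" "$pay" "constructed-signature"
)

# Demo on the constructed token (assumed host and role, see above).
SAMPLE=$(make_sample_token "$(( $(date +%s) + 300 ))")
check_token "$SAMPLE" "https://keycloak.example.test/auth/realms/quarkus" alice \
  && echo "claims OK, realm roles: $(jwt_realm_roles "$SAMPLE")"
```

In the workshop, store the output of the Step 6 curl command in a variable and call check_token with it, the issuer you expect for your $INGRESSURL, and alice.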

Note: The image shows in Kiali that we access Keycloak through our istio-ingressgateway. This is not a part of your hands-on tasks.

Congratulations, you have successfully completed the Setup Application environment. Awesome :star:

Optional steps to verify the configuration

STEP 1: Verify the name quarkus of the imported realm

STEP 2: Verify the imported realm settings

STEP 3: Press view all users

You should see the following users: admin, alice, jdoe

STEP 4: Verify the role mapping

Keycloak - Guide - Keycloak on Kubernetes