From 9646edb410519330a1c89559b505c9da226f0801 Mon Sep 17 00:00:00 2001 From: R-Lawton Date: Mon, 2 Dec 2024 21:57:16 +0000 Subject: [PATCH] Updated SCP to currenrt versions and removed old and unecessary parts Signed-off-by: R-Lawton Updated SCP to currenrt versions and removed old and unecessary parts Signed-off-by: R-Lawton --- .../secure-protect-connect-openshift.md | 750 +++++++----------- 1 file changed, 280 insertions(+), 470 deletions(-) diff --git a/doc/user-guides/full-walkthrough/secure-protect-connect-openshift.md b/doc/user-guides/full-walkthrough/secure-protect-connect-openshift.md index c9c178024..d5602f62c 100644 --- a/doc/user-guides/full-walkthrough/secure-protect-connect-openshift.md +++ b/doc/user-guides/full-walkthrough/secure-protect-connect-openshift.md @@ -1,103 +1,136 @@ -# Secure, protect, and connect APIs with Kuadrant on OpenShift +# Secure, protect, and connect APIs with Kuadrant ## Overview -This guide walks you through using Kuadrant on OpenShift to secure, protect, and connect an API exposed by a Gateway that is based on Kubernetes Gateway API. You can use this walkthrough for a Gateway deployed on a single OpenShift cluster or a Gateway distributed across multiple OpenShift clusters with a shared listener hostname. This guide shows how the platform engineer and application developer user roles can each use Kuadrant to achieve their goals. +This guide walks you through using Kuadrant to secure, protect, and connect an API exposed by a Gateway (Kubernetes Gateway API) from the personas platform engineer and application developer. For more information on the different personas please see the [Gateway API documentation](https://gateway-api.sigs.k8s.io/concepts/roles-and-personas/#key-roles-and-personas) -### What Kuadrant can do for you in a multicluster environment - -You can leverage Kuadrant's capabilities in single or multiple clusters. The following features are designed to work across multiple clusters as well as in a single-cluster environment. - -- **Multicluster ingress:** Kuadrant provides multicluster ingress connectivity using DNS to bring traffic to your Gateways by using a strategy defined in a `DNSPolicy`. -- **Global rate limiting:** Kuadrant can enable global rate limiting use cases when configured to use a shared Redis store for counters based on limits defined by a `RateLimitPolicy`. -- **Global auth:** You can configure a Kuadrant `AuthPolicy` to leverage external auth providers to ensure that different clusters exposing the same API authenticate and authorize in the same way. -- **Integration with federated metrics stores:** Kuadrant has example dashboards and metrics for visualizing your Gateways and observing traffic hitting those Gateways across multiple clusters. +## Prerequisites -### User roles +- Completed the steps in [Install Kuadrant on an OpenShift cluster](../../install/install-openshift.md). +- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) command line tool. +- AWS/Azure or GCP with DNS capabilities. -- **Platform engineer**: This guide walks you through deploying a Gateway that provides secure communication and is protected and ready for use by application development teams to deploy an API. It then walks through using this Gateway in clusters in different geographic regions, leveraging Kuadrant to bring specific traffic to your geo-located Gateways to reduce latency and distribute load, while still being protected and secured with global rate limiting and auth. -- **Application developer**: This guide walks through how you can use the Kuadrant OpenAPI Specification (OAS) extensions and `kuadrantctl` CLI to generate an `HTTPRoute` for your API and to add specific auth and rate limiting requirements. +### Set the environment variables -As an optional extra, this guide highlights how both user roles can observe and monitor these Gateways when the OpenShift user workload monitoring and observability stack is deployed. +Set the following environment variables used for convenience in this guide: -### Deployment management tooling +```bash +export KUADRANT_GATEWAY_NS=api-gateway # Namespace for the example Gateway +export KUADRANT_GATEWAY_NAME=external # Name for the example Gateway +export KUADRANT_DEVELOPER_NS=toystore # Namespace for an example toystore app +export KUADRANT_AWS_ACCESS_KEY_ID=xxxx # AWS Key ID with access to manage the DNS Zone ID below +export KUADRANT_AWS_SECRET_ACCESS_KEY=xxxx # AWS Secret Access Key with access to manage the DNS Zone ID below +export KUADRANT_AWS_REGION=us-east-1 # Region to create the DNS resources in AWS +export KUADRANT_AWS_DNS_PUBLIC_ZONE_ID=xxxx # AWS Route 53 Zone ID for the Gateway +export KUADRANT_ZONE_ROOT_DOMAIN=example.com # Root domain associated with the Zone ID above +export KUADRANT_CLUSTER_ISSUER_NAME=lets-encrypt # Name for the ClusterIssuer +export KUADRANT_EMAIL=foo@example.com # Email address to associate with the example LetsEncrypt issuer +``` -While this document uses `kubectl` commands for simplicity, working with multiple clusters is complex, and it is best to use a tool such as Argo CD to manage the deployment of resources to multiple clusters. +### Set up a DNS Provider -## Prerequisites +The DNS provider declares credentials to access the zone(s) that Kuadrant can use to set up DNS configuration. Ensure that this credential only has access to the zones you want Kuadrant to manage via `DNSPolicy` -This guide expects that you have successfully installed Kuadrant on at least one OpenShift cluster: +Create the namespace the Gateway will be deployed in: -- You have completed the steps in [Install Kuadrant on an OpenShift cluster](../../install/install-openshift.md) for one or more clusters. -- For multicluster scenarios, you have installed Kuadrant on at least two different OpenShift clusters, and have a shared accessible Redis store. -- You have the `kubectl` command line installed. -- Optional: User workload monitoring is configured to remote write to a central storage system such as Thanos, as described in [Install Kuadrant on an OpenShift cluster](../../install/install-openshift.md). +```bash +kubectl create ns ${KUADRANT_GATEWAY_NS} +``` -## Platform engineer workflow +Create the secret credentials in the same namespace as the Gateway - these will be used to configure DNS: -NOTE: You must perform the following steps in each cluster individually, unless specifically excluded. +```bash +kubectl -n ${KUADRANT_GATEWAY_NS} create secret generic aws-credentials \ + --type=kuadrant.io/aws \ + --from-literal=AWS_ACCESS_KEY_ID=$KUADRANT_AWS_ACCESS_KEY_ID \ + --from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY +``` -### Step 1 - Set your environment variables +Before adding a TLS issuer, create the secret credentials in the cert-manager namespace: -Set the following environment variables used for convenience in this guide: ```bash -export zid=change-this-to-your-zone-id -export rootDomain=example.com -export gatewayNS=api-gateway -export gatewayName=external -export devNS=toystore -export AWS_ACCESS_KEY_ID=xxxx -export AWS_SECRET_ACCESS_KEY=xxxx -export AWS_REGION=us-east-1 -export clusterIssuerName=lets-encrypt -export EMAIL=foo@example.com +kubectl -n cert-manager create secret generic aws-credentials \ + --type=kuadrant.io/aws \ + --from-literal=AWS_ACCESS_KEY_ID=$KUADRANT_AWS_ACCESS_KEY_ID \ + --from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY ``` -### Step 2 - Set up a DNS Provider +### Deploy the Toystore app + +Create the namespace for the Toystore application: -The DNS provider declares a credential to access the zone(s) that Kuadrant can use to set up DNS configuration. You should ensure that this credential only has access to the zones you want managed. +```bash -#### Create the DNS Provider Secret resource +kubectl create ns ${KUADRANT_DEVELOPER_NS} +``` -Apply the following `Secret` resource to each cluster. Alternatively, if you are adding an additional cluster, add it to the new cluster: +Deploy the Toystore app to the developer namespace: ```bash -kubectl create ns ${gatewayNS} +kubectl apply -f https://raw.githubusercontent.com/Kuadrant/Kuadrant-operator/main/examples/toystore/toystore.yaml -n ${KUADRANT_DEVELOPER_NS} ``` -Create the secret credentials as follows: +### Setup Toystore application HTTPRoute +```bash + +kubectl apply -f - <. -- You have a realm, client, and users set up. This example assumes a realm in a Keycloak instance called `toystore`. -- Copy the OAS from [sample OAS for rate-limiting and OIDC](../../../examples/oas-oidc.yaml) to a local location. - -#### Set up an OpenID AuthPolicy - -Set the following environment variables: - -```bash -export openIDHost=some.keycloak.com -export oasPath=examples/oas-oidc.yaml -``` - -NOTE: The sample OAS has some placeholders for namespaces and domains. You will inject valid values into these placeholders based on your previous environment variables. - -You can use your OAS and `kuadrantctl` to generate an `AuthPolicy` to replace the default on the Gateway as follows: - -```bash -cat $oasPath | envsubst | kuadrantctl generate kuadrant authpolicy --oas - -``` - -If you are happy with the generated resource, you can apply it to the cluster as follows: - -```bash -cat $oasPath | envsubst | kuadrantctl generate kuadrant authpolicy --oas - | kubectl apply -f - -``` - -You should see in the status of the `AuthPolicy` that it has been accepted and enforced: - -```bash -kubectl get authpolicy -n ${devNS} toystore -o=jsonpath='{.status.conditions}' -``` - -On your `HTTPRoute`, you should also see it now affected by this `AuthPolicy` in the toystore namespace: - -```bash -kubectl get httproute toystore -n ${devNS} -o=jsonpath='{.status.parents[0].conditions[?(@.type=="kuadrant.io/AuthPolicyAffected")].message}' -``` - -#### Test your OpenID AuthPolicy - -You can test your `AuthPolicy` as follows: - -```bash -export ACCESS_TOKEN=$(curl -k -H "Content-Type: application/x-www-form-urlencoded" \ - -d 'grant_type=password' \ - -d 'client_id=toystore' \ - -d 'scope=openid' \ - -d 'username=bob' \ - -d 'password=p' "https://${openIDHost}/auth/realms/toystore/protocol/openid-connect/token" | jq -r '.access_token') -``` - -```bash -curl -k -XPOST --write-out '%{http_code}\n' --silent --output /dev/null "https://$(kubectl get httproute toystore -n ${devNS} -o=jsonpath='{.spec.hostnames[0]}')/v1/toys" -``` - -You should see a `401` response code. Make a request with a valid bearer token as follows: - -```bash -curl -k -XPOST --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $ACCESS_TOKEN" "https://$(kubectl get httproute toystore -n ${devNS} -o=jsonpath='{.spec.hostnames[0]}')/v1/toys" +kubectl apply -f - <. +To learn more about Kuadrant and see more how to guides, visit Kuadrant [documentation](https://docs.kuadrant.io)