Add missing gateway to guide and sso url refactor

Kuadrant · May 7, 2024 · 2efa953 · 2efa953
1 parent 0635010
commit 2efa953
Showing 1 changed file with 49 additions and 17 deletions.
diff --git a/doc/generate-kuadrant-auth-policy.md b/doc/generate-kuadrant-auth-policy.md
@@ -305,7 +305,7 @@ components:
       in: header
     oidc:
       type: openIdConnect
-      openIdConnectUrl: https://${KEYCLOAK_PUBLIC_DOMAIN}/auth/realms/petstore
+      openIdConnectUrl: ${KEYCLOAK_ISSUER}
     snakes_api_key:
       type: apiKey
       name: snake_token
@@ -315,7 +315,36 @@ EOF
 
 </details>
 
-> Replace `${KEYCLOAK_PUBLIC_DOMAIN}` with your SSO instance domain
+> Replace `${KEYCLOAK_ISSUER}` with your SSO instance issuer endpoint for your `petstore` realm. 
+> Otherwise remove the oidc from `components.securitySchemas` and `/dog`, `/snake` paths
+
+* Create `istio-ingressgateway` Gateway object
+
+```yaml
+kubectl apply -f -<<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-system
+spec:
+  gatewayClassName: istio
+  listeners:
+    - allowedRoutes:
+        namespaces:
+          from: All
+      hostname: 'example.com'
+      name: api
+      port: 80
+      protocol: HTTP
+EOF
+```
+* Get the IP 
+
+```bash
+export INGRESS_IP=$(kubectl get -n istio-system Service/istio-ingressgateway-istio -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
+```
+
 
 * Create an API key only valid for `POST /api/v1/cat` endpoint
 
@@ -374,15 +403,15 @@ Now, we are ready to test OpenAPI endpoints :exclamation:
 - `GET /api/v1/cat` -> It's a public endpoint, hence should return 200 Ok
 
 ```bash
-curl  -H "Host: example.com" -i "http://127.0.0.1:9080/api/v1/cat"
+curl  -H "Host: example.com" -i "http://${INGRESS_IP}/api/v1/cat"
 ```
 
 - `POST /api/v1/cat` -> It's a protected endpoint with apikey
 
 Without any credentials, it should return `401 Unauthorized`
 
 ```bash
-curl  -H "Host: example.com" -X POST -i "http://127.0.0.1:9080/api/v1/cat"
+curl  -H "Host: example.com" -X POST -i "http://${INGRESS_IP}/api/v1/cat"
 ```
 
 ```
@@ -405,7 +434,7 @@ What if we try a wrong token? one token assigned to other endpoint,
 i.e. `I_LIKE_SNAKES` instead of the valid one `I_LIKE_CATS`. It should return `401 Unauthorized`.
 
 ```bash
-curl  -H "Host: example.com" -H "api_key: I_LIKE_SNAKES" -X POST -i "http://127.0.0.1:9080/api/v1/cat"
+curl  -H "Host: example.com" -H "api_key: I_LIKE_SNAKES" -X POST -i "http://${INGRESS_IP}/api/v1/cat"
 ```
 
 ```
@@ -424,40 +453,43 @@ The *reason* headers tell that `the API Key provided is invalid`.
 Using valid token (from the secret `cat-api-key-1` assigned to `POST /api/v1/cats`)
 in the `api_key` header should return 200 Ok
 
-```
-curl  -H "Host: example.com" -H "api_key: I_LIKE_CATS" -X POST -i "http://127.0.0.1:9080/api/v1/cat"
+```bash
+curl  -H "Host: example.com" -H "api_key: I_LIKE_CATS" -X POST -i "http://${INGRESS_IP}/api/v1/cat"
 ```
 
 - `GET /api/v1/dog` -> It's a protected endpoint with oidc (assigned to our keycloak instance and `petstore` realm)
 
 without credentials, it should return `401 Unauthorized`
 
 ```bash
-curl -H "Host: example.com" -i "http://127.0.0.1:9080/api/v1/dog"
+curl -H "Host: example.com" -i "http://${INGRESS_IP}/api/v1/dog"
 ```
 
+#### [Optional] SSO example
+
 To get the authentication token, this example is using Direct Access Grants oauth2 grant type
-(also known as Client Credentials grant type). When configuring the Keycloak (OIDC provider) client
+(also known as Resource Owner Password Credentials Grant grant type). When configuring the Keycloak (OIDC provider) client
 settings, we enabled Direct Access Grants to enable this procedure.
 We will be authenticating as `bob` user with `p` password.
 We previously created `bob` user in Keycloak in the `petstore` realm.
+We will use Command-line JSON processor `jq` to extract the access token into `ACCESS_TOKEN` variable:
 
-```
+```bash
 export ACCESS_TOKEN=$(curl -k -H "Content-Type: application/x-www-form-urlencoded" \
         -d 'grant_type=password' \
         -d 'client_id=petstore' \
         -d 'scope=openid' \
         -d 'username=bob' \
-        -d 'password=p' "https://${KEYCLOAK_PUBLIC_DOMAIN}/auth/realms/petstore/protocol/openid-connect/token" | jq -r '.access_token')
+        -d 'password=p' \
+        "${KEYCLOAK_TOKEN_ENDPOINT}" | jq -r '.access_token')
 ```
 
-> Replace `${KEYCLOAK_PUBLIC_DOMAIN}` with your SSO instance domain
-
+> Replace `${KEYCLOAK_TOKEN_ENDPOINT}` with your SSO instance token endpoint for your `petstore` realm.
 
 With the access token in place, let's try to get those puppies
 
 ```bash
-curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: example.com' http://127.0.0.1:9080/api/v1/dog -i
+curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H 'Host: example.com' "http://${INGRESS_IP}/api/v1/dog" -i
 ```
 
 it should return 200 OK
@@ -470,20 +502,20 @@ for an OpenAPI operation.
 Without credentials, it should return `401 Unauthorized`
 
 ```bash
-curl -H "Host: example.com" -i "http://127.0.0.1:9080/api/v1/snake"
+curl -H "Host: example.com" -i "http://${INGRESS_IP}/api/v1/snake"
 ```
 
 With the access token in place, it should return 200 OK (unless the token has expired).
 
 ```bash
-curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: example.com' http://127.0.0.1:9080/api/v1/snake -i
+curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H 'Host: example.com' "http://${INGRESS_IP}/api/v1/snake" -i
 ```
 
 With apiKey it should also work. According to the OpenAPI spec security scheme,
 it should be a query string named `snake_token` and the token needs to be valid token
 (from the secret `snake-api-key-1` assigned to `GET /api/v1/snake`)
 
 ```bash
-curl -H 'Host: example.com' -i "http://127.0.0.1:9080/api/v1/snake?snake_token=I_LIKE_SNAKES"
+curl -H 'Host: example.com' -i "http://${INGRESS_IP}/api/v1/snake?snake_token=I_LIKE_SNAKES"
 ```