diff --git a/repo.toml b/repo.toml
index 09b6c0093..c202d176f 100644
--- a/repo.toml
+++ b/repo.toml
@@ -60,6 +60,7 @@ project_build_order = [
 "kubernetes",
 "partner-validated",
 "container-toolkit",
+ "secure-services-istio-keycloak",
 "review",
 ]
@@ -229,3 +230,14 @@ docs_root = "${root}/review"
 name = "Technical Review"
 version = "0.1.0"
 copyright_start = 2023
+
+[repo_docs.projects.secure-services-istio-keycloak]
+docs_root = "${root}/secure-services-istio-keycloak"
+project = "secure-services-istio-keycloak"
+name = "Securing NVIDIA Services with Istio and Keycloak"
+version = "0.1.0"
+copyright_start = 2024
+
+[repo_docs.projects.secure-services-istio-keycloak.builds.linkcheck]
+build_by_default = false
+output_format = "linkcheck"
\ No newline at end of file
diff --git a/secure-services-istio-keycloak/configure.md b/secure-services-istio-keycloak/configure.md
new file mode 100755
index 000000000..fc92916f0
--- /dev/null
+++ b/secure-services-istio-keycloak/configure.md
@@ -0,0 +1,140 @@ + + +# Configure RBAC + +````{only} not publish_bsp +```{contents} +:depth: 2 +:backlinks: none +:local: true +``` +```` + +## Inject Istio + +1. Label the namespace to enable Istio injection. + + ```console + kubectl label namespace istio-injection=enabled --overwrite + ``` + + Replace the `` with your target namespace. + +2. Delete the existing pods to recreate them with Istio sidecar containers. + + ```console + kubectl delete pod $(kubectl get pods -n | awk '{print $1}') -n + ```` + +## Deploy Manifests + +1. The following sample manifest deploys a gateway and ingress virtual service. + + - Update the target namespace for the virtual service resource. + - The sample manifest applies to NVIDIA NIM for LLMs. For other NVIDIA microservices, update the `match` and `route` for the microservice endpoints. + - For information about the microservice endpoints, refer to the following documents: + - [NIM Inference API Inference](https://docs.nvidia.com/nim/large-language-models/latest/api-reference.html) + - [NIM Embedding API Reference](https://docs.nvidia.com/nim/nemo-retriever/text-embedding/latest/reference.html) + - [NIM ReRanking API Reference](https://docs.nvidia.com/nim/nemo-retriever/text-reranking/latest/reference.html) + + ```{literalinclude} ./manifests/istio-sample-manifest.yaml + :language: yaml + ``` + +2. Apply the manifest. + + ```console + kubectl apply -f istio-sample-manifest.yaml + ```` + +3. Determine the Istio ingress gateway node port. + + ```console + kubectl get svc -n istio-system | grep ingress + ``` + + *Example Output* + + ```output + istio-ingressgateway LoadBalancer 10.102.8.149 10.28.234.101 15021:32658/TCP,80:30611/TCP,443:31874/TCP,31400:30160/TCP,15443:32430/TCP 22h + ``` + +4. List the worker IP addresses. 
+ + ```console + for node in `kubectl get nodes | awk '{print $1}' | grep -v NAME`; do echo $node ' ' | tr -d '\n'; kubectl describe node $node | grep -i 'internalIP:' | awk '{print $2}'; done + ``` + + *Example Output* + + ```console + nim-test-cluster-03-worker-nbhk9-56b4b888dd-8lpqd 10.120.199.16 + nim-test-cluster-03-worker-nbhk9-56b4b888dd-hnrxr 10.120.199.23 + ``` + +5. The following manifest creates request authentication resources. + + - Update the target namespace. + - Modify the issuer in the manifest with one of the preceding IP addresses and preceeding ingress Istio gateway node ports, mapped to port 80. + + ```{literalinclude} ./manifests/requestAuthentication.yaml + :language: yaml + ``` + +6. Apply the manifest. + + ```console + kubectl apply -f requestAuthentication.yaml + ``` + +7. The following manifest creates an authorization policy resource. + + - Update the target namespace. + - Update the rules that apply to the target microservices. + + ```{literalinclude} ./manifests/authorizationPolicy.yaml + :language: yaml + ``` + +8. Apply the manifest. + + ```console + kubectl apply -f authorizationPolicy.yaml + ``` + +9. Create a token for Keycloak authentication. + Update the node IP address and ingress gateway node port. + + ```console + TOKEN=`curl -X POST -d "client_id=nvidia-nim" -d "username=nim" -d "password=nvidia123" -d "grant_type=password" "http://10.217.19.114:30611/realms/nvidia-nim-llm/protocol/openid-connect/token"| jq .access_token| tr -d '"' ` + ``` + +10. Verify access to the microservice from Keycloak through the Istio gateway. + + ```console + curl -v -X POST http://10.217.19.114:30611/v1/completions -H "Authorization: Bearer $TOKEN" -H 'accept: application/json' -H 'Content-Type: application/json' -d '{ "model": "llama-2-13b-chat","prompt": "What is Kubernetes?","max_tokens": 16,"temperature": 1, "n": 1, "stream": false, "stop": "string", "frequency_penalty": 0.0 }' + ``` + + Update the node IP address and ingress gateway port. 
+ Update the model name if it is not `llama-2-13b-chat`. + +11. Generate some more data so it can be visualized in the next step on the Kiali dashboard. + + ```console + for i in $(seq 1 100); do curl -X POST http://10.217.19.114:30611/v1/chat/completions -H 'accept: application/json' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d '{"model": "llama-2-13b-chat","messages": [{"role": "system","content": "You are a helpful assistant."},{"role": "user", "content": "Hello!"}]}' -s -o /dev/null; done + ``` + +12. Access the Istio Dashboard, specifying your client system IP address. + + ```console + istioctl dashboard kiali --address + ``` + +Access in browser with `system-ip` and port `20001`. + +## Conclusion + +This architecture offers a robust solution for deploying NVIDIA NeMo MicroServices in a secure, scalable, and efficient manner. Integrating advanced service mesh capabilities with OIDC authentication sets a new standard for building sophisticated AI-driven applications. \ No newline at end of file diff --git a/secure-services-istio-keycloak/images/keycloak-1.png b/secure-services-istio-keycloak/images/keycloak-1.png new file mode 100644 index 000000000..b861869f5 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-1.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-10.png b/secure-services-istio-keycloak/images/keycloak-10.png new file mode 100644 index 000000000..fbd304041 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-10.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-11.png b/secure-services-istio-keycloak/images/keycloak-11.png new file mode 100644 index 000000000..5347a2613 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-11.png differ 
diff --git a/secure-services-istio-keycloak/images/keycloak-12.png b/secure-services-istio-keycloak/images/keycloak-12.png new file mode 100644 index 000000000..93a550160 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-12.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-13.png b/secure-services-istio-keycloak/images/keycloak-13.png new file mode 100644 index 000000000..304cf0010 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-13.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-14.png b/secure-services-istio-keycloak/images/keycloak-14.png new file mode 100644 index 000000000..434143722 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-14.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-15.png b/secure-services-istio-keycloak/images/keycloak-15.png new file mode 100644 index 000000000..cef6013ce Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-15.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-16.png b/secure-services-istio-keycloak/images/keycloak-16.png new file mode 100644 index 000000000..2e69c9022 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-16.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-2.png b/secure-services-istio-keycloak/images/keycloak-2.png new file mode 100644 index 000000000..9bbebf988 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-2.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-3.png b/secure-services-istio-keycloak/images/keycloak-3.png new file mode 100644 index 000000000..2fee36142 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-3.png differ 
diff --git a/secure-services-istio-keycloak/images/keycloak-4.png b/secure-services-istio-keycloak/images/keycloak-4.png new file mode 100644 index 000000000..a7acb9674 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-4.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-5.png b/secure-services-istio-keycloak/images/keycloak-5.png new file mode 100644 index 000000000..4d5ba1739 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-5.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-6.png b/secure-services-istio-keycloak/images/keycloak-6.png new file mode 100644 index 000000000..a701b6449 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-6.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-7.png b/secure-services-istio-keycloak/images/keycloak-7.png new file mode 100644 index 000000000..a1d57813a Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-7.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-8.png b/secure-services-istio-keycloak/images/keycloak-8.png new file mode 100644 index 000000000..7bbd5cca1 Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-8.png differ diff --git a/secure-services-istio-keycloak/images/keycloak-9.png b/secure-services-istio-keycloak/images/keycloak-9.png new file mode 100644 index 000000000..59925469c Binary files /dev/null and b/secure-services-istio-keycloak/images/keycloak-9.png differ diff --git a/secure-services-istio-keycloak/images/reference-arch-01.png b/secure-services-istio-keycloak/images/reference-arch-01.png new file mode 100644 index 000000000..53565cca5 Binary files /dev/null and b/secure-services-istio-keycloak/images/reference-arch-01.png differ diff --git a/secure-services-istio-keycloak/implementation.md b/secure-services-istio-keycloak/implementation.md new file mode 100755 index 000000000..b31da2adb 
--- /dev/null
+++ b/secure-services-istio-keycloak/implementation.md
@@ -0,0 +1,201 @@ + + +# Sample Implementation Details + +The service mesh uses an Istio-based service mesh for creating a secure, observable, and highly configurable communication layer. +OIDC is provided by tools like Keycloak, DEX, or other commercial solutions as an OIDC provider. NVIDIA developed and tested this document using the following installations methods. + +```{contents} +:depth: 2 +:backlinks: none +:local: true +``` + +## Prerequisites + +- A Kubernetes cluster and the cluster-admin role. + Refer to [](platform-support.md) for information about supported operating systems and Kubernetes platforms. + +- A Linux VM or WSL on Windows. + +## Service Mesh Installation Using Istio + +1. Run the following command to download Istio. + + ```console + curl https://raw.githubusercontent.com/istio/istio/release-1.23/release/downloadIstioCandidate.sh | sh - + ``` + + The download creates a directory with name such as ``istio-1.2x.x``. + +2. Change directory into the Istio directory. + + ```console + cd istio-1.23.2 + ``` + +3. Add `istioctl` to `PATH`. + + ```console + export PATH=$PWD/bin:$PATH + ``` + +4. Optional: For VMware Tanzu Kubernetes or Red Hat OpenShift, create a namespace and label the namespace to run privileged pods. + + ```console + kubectl create ns istio-system + ``` + + ```console + kubectl label --overwrite ns istio-system pod-security.kubernetes.io/warn=privileged pod-security.kubernetes.io/enforce=privileged + ``` + +5. Install Istio with the demonstration profile. + + ```console + istioctl install --set profile=demo -y + ``` + +6. Determine the storage classes on the cluster. + Grafana Loki uses persistent storage and you must specify a storage class. + + ```console + kubectl get storageclass + ``` + +7. Update the storage class for Loki. + + ```console + sed -i '/accessModes:/i\ storageClassName: ' samples/addons/loki.yaml + ``` + +8. Run the below command to install the add-ons like Prometheus, Grafana and Jaeger. 
+ + ```console + kubectl rollout status deployment/kiali -n istio-system + ``` + + ```console + kubectl rollout status deployment/kiali -n istio-system + ``` + +## Install OIDC Keycloak + +1. Label the default namespace to run the privileged pods. + + ```console + kubectl label --overwrite ns default pod-security.kubernetes.io/warn=privileged pod-security.kubernetes.io/enforce=privileged + ``` + +2. Install KeyCloak. + + ```console + kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes/keycloak.yaml + ``` + +### Configure KeyCloak + +1. Determine the node port of the Keycloak service. + + ```console + kubectl get svc + ``` + + *Example Output* + + ```console + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + keycloak LoadBalancer 10.108.216.157 10.28.234.100 8080:30111/TCP 21h + ``` + +2. List the worker IP addresses and then use any one of them with the service node port. + + ```console + for node in `kubectl get nodes | awk '{print $1}' | grep -v NAME`; do echo $node ' ' | tr -d '\n'; kubectl describe node $node | grep -i 'internalIP:' | awk '{print $2}'; done + ``` + + *Example Output* + + ```console + test-cluster-03-worker-nbhk9-56b4b888dd-8lpqd 10.120.199.16 + test-cluster-03-worker-nbhk9-56b4b888dd-hnrxr 10.120.199.23 + ``` + + +3. Use any of the worker IP addresses to access the Keycloak administration interface. + + ```console + 10.120.199.15:30111 + ``` + +4. After you access the application, you can see the page like the following. + Click on **Administration Console**. + + ![](images/keycloak-1.png) + +5. Enter the default credentials as `admin` and `admin` and then sign in. + + ![](images/keycloak-2.png) + +6. Create a new **Realm**. + + ![](images/keycloak-3.png) + +7. Enter the **Realm Name** as `nvidia-nim` and click **Create**. + + ![](images/keycloak-4.png) + +8. Click **Clients** on the navigation bar and then click **Create client**. + + ![](images/keycloak-5.png) + +9. 
Provide **Client ID** as `nvidia-nim` and click **Next** with default values for steps 2 and 3. + + ![](images/keycloak-6.png) + +10. Navigate to **Realm roles** on the left side pane and click **Create** to create a role. + + ![](images/keycloak-7.png) + +11. Create role with name `chat` and save. + + ![](images/keycloak-8.png) + +12. Create another role with name `completions` and save. + + ![](images/keycloak-9.png) + +13. Navigate to **Users** on left side pane and click **Add user**. + + ![](images/keycloak-10.png) + +14. Create a user with name `nim` and click **Create**. + + ![](images/keycloak-11.png) + + Keycloak displays the `nim` User details page. + +15. On the `nim` User details page, click **Credentials** and then click **Set password** to create a password. + + ![](images/keycloak-12.png) + +16. Enter the password `nvidia`, set the **Temporary** switch to **Off**, and click **Save**. + + ![](images/keycloak-13.png) + + ![](images/keycloak-14.png) + +17. Navigate to the **Role Mapping0** tab for `nimuser` and click **Assign Role**. + + ![](images/keycloak-15.png) + +18. Enable **chat** and **completion** roles for `nimuser` and click **Assign**. + + ![](images/keycloak-16.png) + +## Next Steps + +- Refer to [](./configure.md) to create and validate ingress resources. diff --git a/secure-services-istio-keycloak/index.md b/secure-services-istio-keycloak/index.md new file mode 100755 index 000000000..f64dd7b8e --- /dev/null +++ b/secure-services-istio-keycloak/index.md 
@@ -0,0 +1,113 @@ + + +```{toctree} + :caption: Securing NVIDIA MicroServices + :titlesonly: + :hidden: + + About the Architecture + Platform Support + Implementation + Configure +``` + +# Securing NVIDIA Services with Istio and Keycloak + +```{contents} +:depth: 2 +:backlinks: none +:local: true +``` + +## Introduction + +In the evolving landscape of AI and machine learning, Retrieval Augmented Generation (RAG) stands out for its ability to dynamically retrieve and integrate external knowledge for real-time response generation. However, implementing RAG in a distributed environment poses significant challenges, particularly in secure service communication. This document proposes a reference architecture that leverages a service mesh framework to ensure secure, efficient communication within a RAG system while integrating with an external OpenID Connect (OIDC) provider for robust authentication and authorization. + +## NVIDIA NIM Overview + +NVIDIA NIM microservices are a set of easy-to-use microservices for accelerating the deployment of foundation models on any cloud or data center and helps keep your data secure. NIM microservices have production-grade runtimes including on-going security updates. Run your business applications with stable APIs backed by enterprise-grade support. For more information refer [NVIDIA NIM](https://docs.nvidia.com/nim/index.html) + +## Service Mesh in NIM + +A service mesh is a configurable infrastructure layer designed to handle service-to-service communication in a microservices architecture, ensuring reliable data transfer, service discovery, load balancing, and more. In a NIM MicroServices, where multiple services (like retrieval microservices, encoding microservices, and language models) need to communicate efficiently, a service mesh serves as a backbone for managing these interactions. 
+ +## Secure Communication Through Service Mesh + +- Encryption + + Ensuring that data in transit is encrypted and secure from external threats to ensure data privacy and compliance. + +- Authentication + + Verifying the identity of services within the mesh. + +- Authorization + + Controlling which services can communicate with each other and what resources they can access. + +- Integration with OIDC Provider + + OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0 in this RAG architecture. + + - Role of OIDC + + It provides a standardized way for services to authenticate using tokens, ensuring that only authorized services and users can access the RAG system's components. + + - Integration Steps + + The service mesh can be configured to work with an OIDC provider to validate tokens for each request, ensuring authenticated and authorized communication. + + - Benefits + + When a user or service attempts to access the RAG system, the service mesh intercepts this request and checks for valid authentication tokens provided by the OIDC/OAuth2 service. This ensures that only authenticated users and services can interact with the RAG system, enhancing security and access control. + +- Performance and Scalability + + The architecture supports horizontal scaling and can handle varying loads, ensuring high availability and minimal latency. + +## Architecture Diagram + +The diagram visualizes the first version of the Operator. Later more microservices can be added. + +![Sample network topology](/images/reference-arch-01.png) + +## Use Cases + +### Secure API Endpoints + +**Implementation**: The service mesh employs mTLS (mutual Transport Layer Security) to encrypt data transmitted between the API endpoints. + +**Functionality**: All incoming and outgoing traffic from the API endpoints passes through the service mesh, where it is encrypted, ensuring data integrity and confidentiality. 
+ +**Benefits**: This encryption secures the API endpoints against interception and unauthorized access. + +### Ingress Management + +**Implementation**: The service mesh acts as an intelligent ingress controller, managing the flow of external traffic into the RAG system. + +**Functionality**: It filters and routes incoming requests to the appropriate services within the RAG system, applying necessary security checks and load balancing. + +**Benefits**: This ensures controlled and secure access to the system's resources, preventing unauthorized access and optimizing resource utilization. + +### OpenTelemetry Protocol (OTLP) Telemetry + +**Implementation**: The service mesh is configured to support OTLP for collecting and exporting networking telemetry data. + +**Functionality**: It captures metrics, access logs, and traces from different parts of the RAG system, forwarding them to an observability platform via OTLP. + +**Benefits**: This enables real-time monitoring and analysis of the system’s performance and security, aiding in prompt issue detection and resolution. + +### RBAC for API Endpoints + +**Implementation**: Role-Based Access Control (RBAC) is integrated within the service mesh to manage access to API endpoints. + +**Functionality**: The service mesh checks the roles and permissions of authenticated users or services against predefined policies to grant or deny access to specific endpoints. + +**Benefits**: This ensures that only users or services with the appropriate permissions, especially those belonging to specific groups, can access certain endpoints, enforcing fine-grained access control. + +### Load Balancing + +Service-to-service communication within the mesh has source load-balancing with automatic service discovery. The mesh ingress endpoint creates Kubernetes service of type Load Balancer and is usually automatically realized on the infrastructure layer. 
diff --git a/secure-services-istio-keycloak/manifests/authorizationPolicy.yaml b/secure-services-istio-keycloak/manifests/authorizationPolicy.yaml
new file mode 100644
index 000000000..3dfdbf147
--- /dev/null
+++ b/secure-services-istio-keycloak/manifests/authorizationPolicy.yaml
@@ -0,0 +1,30 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: nim-auth-policy
+ namespace:
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: inferencing
+ rules:
+ - from:
+ - source:
+ requestPrincipals: ["*"]
+ to:
+ - operation:
+ methods: ["POST"]
+ paths: ["/v1/completions*"]
+ when:
+ - key: request.auth.claims[realm_access][roles]
+ values: ["completions"]
+ - from:
+ - source:
+ requestPrincipals: ["*"]
+ to:
+ - operation:
+ methods: ["POST"]
+ paths: ["/v1/chat/completions*"]
+ when:
+ - key: request.auth.claims[realm_access][roles]
+ values: ["chat"]
\ No newline at end of file
diff --git a/secure-services-istio-keycloak/manifests/istio-sample-manifest.yaml b/secure-services-istio-keycloak/manifests/istio-sample-manifest.yaml
new file mode 100644
index 000000000..9fdecb0aa
--- /dev/null
+++ b/secure-services-istio-keycloak/manifests/istio-sample-manifest.yaml
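Review bot: Both rules use `requestPrincipals: ["*"]`, so any principal from any issuer listed in a RequestAuthentication that covers this workload satisfies the `from` clause, and the `when` role check is the only thing that ties the request to the Keycloak realm. Pinning the principal to the realm, e.g. `requestPrincipals: ["<issuer-url>/*"]` (Istio formats a request principal as `<iss>/<sub>`), keeps the policy correct if a second issuer is ever added to the mesh. The file would also benefit from a header comment stating that once this ALLOW policy selects the `inferencing` workload, any request to it that matches neither rule — other methods, other paths, or a request without a token — is denied; that default-deny behaviour is what makes the policy safe and is not obvious from the manifest. The nested-claim key `request.auth.claims[realm_access][roles]` depends on the Keycloak token layout and on an Istio release that supports nested claims, which the verified 1.23.2 should, but a one-line comment saying so helps readers on older meshes.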
@@ -0,0 +1,53 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: rag-gateway
+ namespace: istio-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http2
+ protocol: HTTP
+ hosts:
+ - "*"
+
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: sample-vs
+ namespace:
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - istio-system/rag-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /admin
+ - uri:
+ prefix: /resources
+ - uri:
+ prefix: /welcome
+ - uri:
+ prefix: /realms
+ route:
+ - destination:
+ host: keycloak.default.svc.cluster.local
+ port:
+ number: 8080
+ - match:
+ - uri:
+ prefix: /v1/completions
+ - uri:
+ prefix: /v1/chat/completions
+ route:
+ - destination:
+ host: inferencing
+ port:
+ number: 8080
diff --git a/secure-services-istio-keycloak/manifests/requestAuthentication.yaml b/secure-services-istio-keycloak/manifests/requestAuthentication.yaml
new file mode 100644
index 000000000..fb16b3b3b
--- /dev/null
+++ b/secure-services-istio-keycloak/manifests/requestAuthentication.yaml
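Review bot: The Gateway serves only plaintext HTTP on port 80 with `hosts: ["*"]`, and the VirtualService routes `/admin` to the Keycloak service through it, so the Keycloak administration console is reachable from outside the cluster over an unencrypted hop and every bearer token and password-grant request that configure.md sends to this gateway crosses the network in the clear. Because the guide reaches the administration console directly through the Keycloak node port, the `- uri:` / `prefix: /admin` match can be dropped from the Keycloak route, leaving `/realms` (needed for the token endpoint) and the remaining paths. For anything beyond a demonstration, add an HTTPS server entry to the Gateway (port 443 with `tls.mode: SIMPLE` and a credential secret) and point the sample commands at it. `networking.istio.io/v1alpha3` still works, but the `v1` API should be available on the Istio release this guide verifies against, so a new sample might use it.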
@@ -0,0 +1,46 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: nim-request-authentication
+ namespace:
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: inferencing
+ jwtRules:
+ - issuer: "http://10.176.21.249:30669/realms/nvidia-nim"
+ jwksUri: "http://keycloak.default.svc.cluster.local:8080/realms/nvidia-nim/protocol/openid-connect/certs"
+ forwardOriginalToken: true
+ fromHeaders:
+ - name: Authorization
+ prefix: "Bearer"
+ - issuer: "http://10.176.21.249/realms/nvidia-nim"
+ jwksUri: "http://keycloak.default.svc.cluster.local:8080/realms/nvidia-nim/protocol/openid-connect/certs"
+ forwardOriginalToken: true
+ fromHeaders:
+ - name: Authorization
+ prefix: "Bearer"
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: nim-request-authentication-gw
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ istio: ingressgateway
+ jwtRules:
+ - issuer: "http://10.176.21.249:30669/realms/nvidia-nim"
+ jwksUri: "http://keycloak.default.svc.cluster.local:8080/realms/nvidia-nim/protocol/openid-connect/certs"
+ forwardOriginalToken: true
+ fromHeaders:
+ - name: Authorization
+ prefix: "Bearer"
+ - issuer: "http://10.176.21.249/realms/nvidia-nim"
+ jwksUri: "http://keycloak.default.svc.cluster.local:8080/realms/nvidia-nim/protocol/openid-connect/certs"
+ forwardOriginalToken: true
+ fromHeaders:
+ - name: Authorization
+ prefix: "Bearer"
diff --git a/secure-services-istio-keycloak/platform-support.md b/secure-services-istio-keycloak/platform-support.md
new file mode 100755
index 000000000..2073bc11c
--- /dev/null
+++ b/secure-services-istio-keycloak/platform-support.md
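Review bot: The `issuer` values hard-code a node IP and node port (`http://10.176.21.249:30669/realms/nvidia-nim` plus the port-less variant) and no rule sets `audiences`, so a token minted for any client in the realm is accepted as long as its `iss` string matches exactly; the realm name must also agree with the one the token command in configure.md uses, and that command currently requests `realms/nvidia-nim-llm`, so tokens obtained that way carry an `iss` these rules do not list. Unless the inferencing workload consumes the JWT itself, `forwardOriginalToken: true` only carries the bearer token one hop further into the workload and its access logs; dropping it, or using `outputPayloadToHeader` to pass only the claims, limits token exposure. Adding `audiences: ["nvidia-nim"]` is worthwhile when a Keycloak audience mapper places the client ID in `aud`, which the default client configuration may not do. The four identical rule bodies across the two documents would be easier to keep in sync with a short comment at the top explaining why both the gateway-side and workload-side resources need them and why the issuer appears with and without the port.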
@@ -0,0 +1,97 @@ + + +# Platform Support + +````{only} not publish_bsp +```{contents} +:depth: 2 +:backlinks: none +:local: true +``` +```` + +## Operating Systems and Kubernetes Platforms + +```{list-table} +:header-rows: 1 +:stub-columns: 1 + +* - Operating System + - Kubernetes + - Red Hat OpenShift + - VMware vSphere with Tanzu + +* - Ubuntu 22.04 + - 1.29---1.31 + - + - 8.0 Update 2 + +* - Red Hat Core OS + - + - 4.16 + - +``` + +## Container Runtimes + +```{list-table} +:header-rows: 1 + +* - Operating System + - containerd + - CRI-O + +* - Ubuntu 22.04 + - 1.6, 1.7 + - 1.30 + +* - Red Hat Core OS + - None + - Yes [{sup}`1`](cri-o-ocp) +``` + +(cri-o-ocp)= +{sup}`1` The CRI-O version supported by OpenShift Container Platform is supported. + +## Command-Line Tools + +```{list-table} +:header-rows: 1 +:widths: 30 70 + +* - Tool + - Installation Documentation + +* - kubectl (match cluster version) + - Refer to + [Install Tools](https://kubernetes.io/docs/tasks/tools/) + in the Kubernetes documentation for more information. + +* - Helm v3 and higher + - Refer to + [Install Helm](https://helm.sh/docs/intro/install/) + in the Helm documentation for more information. +``` + +## Installed Componenets + +```{list-table} +:header-rows: 1 +:widths: 30 70 + +* - Component + - Verified Version + +* - Istio + - 1.23.2 + Refer to [Istion Releases](https://github.com/istio/istio/tree/release-1.23) + for more information. + +* - Keycloak + - 26.0.0 + Refer to [Keycloak Releases](https://github.com/keycloak/keycloak/tree/release/26.0) + for more information. +``` \ No newline at end of file diff --git a/secure-services-istio-keycloak/versions.json b/secure-services-istio-keycloak/versions.json new file mode 100755 index 000000000..c74b4cd63 --- /dev/null +++ b/secure-services-istio-keycloak/versions.json @@ -0,0 +1,9 @@ +{ + "latest": "0.1.0", + "versions": + [ + { + "version": "0.1.0" + } + ] +}