curityio/istio-demo-installation
Curity Identity Server in an Istio Service Mesh

A deployment code example where the Curity Identity Server runs alongside an Istio sidecar.
This provides a deployment option where no internal SSL certificates need to be issued or managed by the application.
The platform then ensures that mutual TLS is used for OAuth requests inside the cluster.

Cloud Deployments

This is a development setup, but the Istio behaviors can be easily adapted to any cloud system.
To do so, follow one of the following tutorials to update the resources in the cluster folder:

Prerequisites

To deploy the development example, ensure that these tools are installed on your local computer:

Deploy the System

Run the install script to create the cluster and deploy components:

./install.sh

Then edit the /etc/hosts file and add the following entries:

127.0.0.1  login.curity.local admin.curity.local

Also add the following external root certificate to your system's certificate trust store:

./cluster/ingress-certificates/curity.external.ca.pem

Later, when you are finished testing, tear down the cluster with this command:

./uninstall.sh

Use the Admin UI

Once deployment has completed, log in to the Admin UI and complete the initial setup wizard.
Do so by uploading a license.json file, then accepting all default options.

Run OAuth Requests Inside the Cluster

The deployment also includes the Istio sleep example.
This will act as an application pod that calls endpoints of the Curity Identity Server:

APPLICATION_POD="$(kubectl -n applications get pod -o name)"

Call the Curity Identity Server with an internal OAuth request that uses mutual TLS.
Note that the application pod itself uses only a plain HTTP URL; the Istio sidecar handles the mutual TLS:

kubectl -n applications exec $APPLICATION_POD -- \
  curl -s http://curity-idsvr-runtime-svc.curity:8443/oauth/v2/oauth-anonymous/jwks

Run this command to show the server's X.509 identity for connections to the Curity Identity Server:

kubectl -n applications exec $APPLICATION_POD -c istio-proxy \
     -- openssl s_client -showcerts \
     -connect curity-idsvr-runtime-svc.curity:8443 \
     -CAfile /var/run/secrets/istio/root-cert.pem 2>/dev/null | \
     openssl x509 -in /dev/stdin -text -noout

The response includes the SPIFFE identity:

X509v3 Subject Alternative Name: 
  URI:spiffe://cluster.local/ns/curity/sa/curity-idsvr-service-account
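As an added check that is not part of this repository, the following shell functions extract the SPIFFE ID from `openssl x509 -text` output and verify that it names the expected trust domain, namespace and service account, which is how a deployment can confirm it is really talking to the Curity runtime workload. The certificate text is a constructed sample modelled on the output above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the SAN section printed by `openssl x509 -text`
# for the Curity runtime's workload certificate (not captured from a cluster).
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                URI:spiffe://cluster.local/ns/curity/sa/curity-idsvr-service-account'

# Read `openssl x509 -text` output on stdin and print the first SPIFFE URI SAN.
spiffe_id_from_cert_text() {
  sed -n 's#^[[:space:]]*URI:\(spiffe://[^,[:space:]]*\).*#\1#p' | head -n 1
}

# Succeed only if the SPIFFE ID has Istio's shape
# (spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>)
# and every component matches the expected workload.
# Usage: check_spiffe_id <id> <trust-domain> <namespace> <service-account>
check_spiffe_id() {
  [ "$1" = "spiffe://$2/ns/$3/sa/$4" ]
}

# Convert a SPIFFE ID to the principal form used in Istio AuthorizationPolicy
# rules, i.e. the URI without its scheme.
principal_from_spiffe_id() {
  printf '%s\n' "$1" | sed 's#^spiffe://##'
}

# Stand-alone usage against the constructed sample.
id=$(printf '%s\n' "$SAMPLE_CERT_TEXT" | spiffe_id_from_cert_text)
if check_spiffe_id "$id" cluster.local curity curity-idsvr-service-account; then
  echo "server identity verified: $(principal_from_spiffe_id "$id")"
else
  echo "unexpected server identity: $id" >&2
fi
```

Pipe the real `openssl s_client ... | openssl x509 -text -noout` output from the page into `spiffe_id_from_cert_text` to run the same check against the live cluster.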

More Information

  • See the Istio Tutorial on the Curity website for further details about this deployment.
  • Please visit curity.io for more information about the Curity Identity Server.