A deployment code example where the Curity Identity Server runs alongside an Istio sidecar.
This provides a deployment option where no TLS certificates for internal traffic need to be created or managed by the Curity Identity Server: the mesh issues and rotates workload certificates automatically, and the service mesh ensures that mutual TLS is used for OAuth requests inside the cluster.
This is a development setup, but the Istio behaviors can be adapted to any cloud system.
To do so, follow one of these tutorials to update the resources in the cluster folder:
- Deploy to Google Kubernetes Engine (GKE)
- Deploy to Elastic Kubernetes Service (EKS)
- Deploy to Azure Kubernetes Service (AKS)
To deploy the development example, ensure that these tools are installed on your local computer:
Run the install script to create the cluster and deploy components:
./install.sh
Then edit the /etc/hosts file and add the following host entries:
127.0.0.1 login.curity.local admin.curity.local
Also add the following external root certificate to your system's certificate trust store, so that your browser trusts the ingress certificates issued for the above host names:
./cluster/ingress-certificates/curity.external.ca.pem
Later, when you are finished testing, tear down the cluster with this command:
./uninstall.sh
Once deployment has completed, log in to the Admin UI and complete the initial setup wizard by uploading a license.json file and accepting all default options. The credentials below are the development defaults of this example and must not be reused in any deployment reachable beyond your local computer.
- URL: https://admin.curity.local/admin
- User: admin
- Password: Password1
The deployment also includes the Istio sleep example.
The sleep pod acts as an application pod that calls endpoints of the Curity Identity Server, so first store its name in a variable:
APPLICATION_POD="$(kubectl -n applications get pod -o name)"
Call the Curity Identity Server with an internal OAuth request. The application container uses only a plain HTTP URL; its Istio sidecar intercepts the outgoing connection and upgrades it to mutual TLS with the sidecar in front of the Curity Identity Server, so neither container handles certificates:
kubectl -n applications exec $APPLICATION_POD -- \
curl -s http://curity-idsvr-runtime-svc.curity:8443/oauth/v2/oauth-anonymous/jwks
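The sidecar upgrade above happens because Istio negotiates mutual TLS automatically, but without a PeerAuthentication the mesh runs in PERMISSIVE mode and the server sidecar would also accept plaintext from a pod that has no sidecar. The following script is an added example, not code from the Curity repository or the Curity tutorial: it renders and applies a STRICT PeerAuthentication for the curity namespace and an AuthorizationPolicy that names the mesh identities allowed to call the runtime. The namespace, port and the runtime service account come from this page; the sleep sample's service account, the ingress gateway's service account and the label that selects the runtime pods are assumptions that must be checked with kubectl before applying.

```shell
#!/bin/sh
# Added example, not part of the Curity repository: turn the mesh's mutual TLS
# from opportunistic into mandatory. With no PeerAuthentication Istio runs in
# PERMISSIVE mode, so the server sidecar would also accept plaintext from a pod
# without a sidecar. Names taken from this page: the curity namespace and port
# 8443. Assumptions you must check before applying: the sleep sample's service
# account, the ingress gateway's service account and the runtime pod label.

CURITY_NS="curity"
RUNTIME_PORT="8443"
# Principals are SPIFFE IDs without the spiffe:// scheme.
APP_PRINCIPAL="cluster.local/ns/applications/sa/sleep"                    # assumption
INGRESS_PRINCIPAL="cluster.local/ns/istio-system/sa/istio-ingressgateway" # assumption
RUNTIME_LABEL="app=curity-idsvr-runtime"  # assumption: kubectl -n curity get pods --show-labels

# PeerAuthentication for the whole curity namespace. STRICT rejects plaintext
# at the sidecar; PERMISSIVE is the weak default that this replaces.
render_peer_authentication() {
  mode="${1:-STRICT}"
  case "$mode" in
    STRICT|PERMISSIVE|DISABLE) ;;
    *) echo "unknown mTLS mode: $mode" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: curity-mtls
  namespace: ${CURITY_NS}
spec:
  mtls:
    mode: ${mode}
EOF
}

# Once every caller has a verified identity, say which identities may call the
# runtime. An ALLOW policy denies every request that matches none of its rules,
# so the ingress gateway (browser traffic to login.curity.local) needs a rule too.
render_authorization_policy() {
  label_key="${RUNTIME_LABEL%%=*}"
  label_value="${RUNTIME_LABEL#*=}"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: curity-runtime-callers
  namespace: ${CURITY_NS}
spec:
  selector:
    matchLabels:
      ${label_key}: ${label_value}
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["${APP_PRINCIPAL}"]
    to:
    - operation:
        ports: ["${RUNTIME_PORT}"]
        paths: ["/oauth/*"]
  - from:
    - source:
        principals: ["${INGRESS_PRINCIPAL}"]
EOF
}

# Apply both, then repeat the plain-HTTP curl from the application pod: it still
# succeeds because its sidecar upgrades the connection, while the same curl from
# a pod without a sidecar, or from a pod with another service account, is refused.
apply_mtls_policies() {
  render_peer_authentication STRICT | kubectl apply -f -
  render_authorization_policy | kubectl apply -f -
}
```

If the label selector matches no pod, the AuthorizationPolicy is a no-op, so check the rendered YAML against `kubectl -n curity get pods --show-labels` before running apply_mtls_policies.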
Run this command to show the X.509 identity that the Curity Identity Server's sidecar presents to mesh clients. It runs inside the istio-proxy container, because that is where the mesh root certificate used to validate the chain is mounted:
kubectl -n applications exec $APPLICATION_POD -c istio-proxy \
-- openssl s_client -showcerts \
-connect curity-idsvr-runtime-svc.curity:8443 \
-CAfile /var/run/secrets/istio/root-cert.pem 2>/dev/null | \
openssl x509 -in /dev/stdin -text -noout
The output includes the SPIFFE identity, which Istio derives from the namespace and Kubernetes service account of the Curity runtime pods. This is the value that Istio authorization policies match as a principal (without the spiffe:// scheme):
X509v3 Subject Alternative Name:
URI:spiffe://cluster.local/ns/curity/sa/curity-idsvr-service-account
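Reading the identity by eye is fine once, but a practitioner will want a check that fails loudly if the runtime ever answers with a certificate that carries no mesh identity or a different one. The script below is an added example, not code from the Curity repository or the Curity tutorial: it parses the text form of `openssl x509 -text`, splits the SPIFFE ID into trust domain, namespace and service account, and compares it with the identity shown above. The certificate text it runs on offline is a constructed, abridged sample; check_live_identity feeds it the real output of the openssl command from this page.

```shell
#!/bin/sh
# Added example, not part of the Curity repository: verify the identity that the
# openssl command above prints, instead of reading it by eye. The parser takes
# the text form of `openssl x509 -text`, so it runs on the constructed sample
# below and on live output alike. The expected SPIFFE ID is the one this page
# shows for the Curity runtime.

EXPECTED_SPIFFE_ID="spiffe://cluster.local/ns/curity/sa/curity-idsvr-service-account"

# Print the SPIFFE URI from the Subject Alternative Name of certificate text on
# stdin, or nothing if the certificate carries no SPIFFE URI SAN.
extract_spiffe_id() {
  awk '
    /X509v3 Subject Alternative Name/ { in_san = 1; next }
    in_san {
      n = split($0, entries, /, */)
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", entries[i])
        if (entries[i] ~ /^URI:spiffe:\/\//) { print substr(entries[i], 5); exit }
      }
      in_san = 0
    }'
}

# Split spiffe://<trust domain>/ns/<namespace>/sa/<service account> into its
# three parts; fail on anything that is not an Istio workload identity.
spiffe_components() {
  rest="${1#spiffe://}"
  [ "$rest" != "$1" ] || return 1
  trust_domain="${rest%%/*}"; rest="${rest#*/}"
  [ "${rest%%/*}" = "ns" ] || return 1
  rest="${rest#ns/}"
  namespace="${rest%%/*}"; rest="${rest#*/}"
  [ "${rest%%/*}" = "sa" ] || return 1
  service_account="${rest#sa/}"
  [ -n "$trust_domain" ] && [ -n "$namespace" ] && [ -n "$service_account" ] || return 1
  [ "$service_account" = "${service_account%%/*}" ] || return 1
  printf '%s %s %s\n' "$trust_domain" "$namespace" "$service_account"
}

# Compare the identity in certificate text (stdin) with the expected one and
# print it; exit 1 on a mismatch or when there is no SPIFFE SAN at all.
verify_server_identity() {
  expected="$1"
  found="$(extract_spiffe_id)"
  [ -n "$found" ] || { echo "no SPIFFE URI SAN: not a mesh workload certificate" >&2; return 1; }
  [ "$found" = "$expected" ] || { echo "unexpected identity: $found" >&2; return 1; }
  printf '%s\n' "$found"
}

# Constructed sample: the relevant extensions of an Istio workload certificate as
# printed by openssl x509 -text (abridged, not captured from a real cluster).
sample_cert_text() {
  cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                URI:spiffe://cluster.local/ns/curity/sa/curity-idsvr-service-account
EOF
}

# Live check, reusing the openssl command from this page.
check_live_identity() {
  pod="$(kubectl -n applications get pod -o name)"
  kubectl -n applications exec "$pod" -c istio-proxy -- \
    openssl s_client -showcerts \
      -connect curity-idsvr-runtime-svc.curity:8443 \
      -CAfile /var/run/secrets/istio/root-cert.pem 2>/dev/null |
    openssl x509 -text -noout | verify_server_identity "$EXPECTED_SPIFFE_ID"
}
```

A certificate with only DNS names in its SAN, such as one issued for login.curity.local, fails the check, which is the signal that a request did not go through the mesh identity path.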
- See the Istio Tutorial on the Curity website for further details about this deployment.
- Please visit curity.io for more information about the Curity Identity Server.