authN-authZ: add oauth2-proxy support for authentication and authoriz…

…ation together with GMC (#291) * authN-authZ: update documentation and policy * Add more descriptions for the authentication and authorization part * change the sample authorization to perform on role Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com> * authN-authZ: add documentation and configs for oauth2 * add the yamls for configurations of oauth2 * add oauth2-proxy installation guide * update documentations Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com> * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Iris <shaojun.ding@intel.com>
opea-project · Aug 16, 2024 · 488a1ca · 488a1ca
1 parent faa976b
commit 488a1ca
Show file tree

Hide file tree

Showing 20 changed files with 427 additions and 23 deletions.
diff --git a/microservices-connector/config/authN-authZ/README.md b/microservices-connector/config/authN-authZ/README.md
diff --git a/microservices-connector/config/authN-authZ/chatQnA_authN_keycloak.yaml b/microservices-connector/config/authN-authZ/chatQnA_authN_keycloak.yaml
@@ -7,8 +7,8 @@ metadata:
   name: jwt-keycloak
 spec:
   jwtRules:
-  - issuer: http://${KEYCLOAK_ADDR}/realms/istio
-    jwksUri: http://${KEYCLOAK_ADDR}/realms/istio/protocol/openid-connect/certs
+  - issuer: http://${KEYCLOAK_ADDR}/realms/${REALM}
+    jwksUri: http://${KEYCLOAK_ADDR}/realms/${REALM}/protocol/openid-connect/certs
     outputPayloadToHeader: jwt-parsed
   selector:
     matchLabels:

diff --git a/microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml b/microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml
@@ -0,0 +1,15 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: security.istio.io/v1
+kind: RequestAuthentication
+metadata:
+  name: oauth2-keycloak-auth
+  namespace: istio-system
+spec:
+  jwtRules:
+  - issuer: http://${KEYCLOAK_ADDR}/realms/${REALM}
+    jwksUri: http://${KEYCLOAK_ADDR}/realms/${REALM}/protocol/openid-connect/certs
+  selector:
+    matchLabels:
+      istio: ingressgateway
diff --git a/microservices-connector/config/authN-authZ/chatQnA_authZ_keycloak.yaml b/microservices-connector/config/authN-authZ/chatQnA_authZ_keycloak.yaml
@@ -15,9 +15,9 @@ spec:
     - key: request.auth.claims[preferred_username]
       values:
       - 'mary'
-    - key: request.auth.claims[aud]
+    - key: request.auth.claims[realm_access][roles]
       values:
-      - 'istio'
+      - 'user'
   selector:
     matchLabels:
       app: router-service
diff --git a/microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml b/microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml
@@ -0,0 +1,20 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: chatqna-ext-authz
+  namespace: istio-system
+spec:
+  action: CUSTOM
+  provider:
+    name: oauth2-proxy
+  rules:
+  - to:
+    - operation:
+        notPaths:
+        - /realms/*
+  selector:
+    matchLabels:
+      istio: ingressgateway
diff --git a/microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml b/microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml
@@ -0,0 +1,40 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+data:
+  mesh: |-
+    accessLogFile: /dev/stdout
+    defaultConfig:
+      discoveryAddress: istiod.istio-system.svc:15012
+      proxyMetadata: {}
+      tracing:
+        zipkin:
+          address: localhost:9411
+    enablePrometheusMerge: true
+    enableTracing: false
+    outboundTrafficPolicy:
+      mode: ALLOW_ANY
+    trustDomain: cluster.local
+    extensionProviders:
+    - name: oauth2-proxy
+      envoyExtAuthzHttp:
+        service: oauth-proxy.oauth2-proxy.svc.cluster.local
+        port: 4180
+        timeout: 1.5s
+        includeRequestHeadersInCheck: ["authorization", "cookie"]
+        headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token", "x-auth-request-groups"]
+        headersToDownstreamOnDeny: ["content-type", "set-cookie"]
+  meshNetworks: 'networks: {}'
+kind: ConfigMap
+metadata:
+  labels:
+    install.operator.istio.io/owning-resource: installed-state
+    install.operator.istio.io/owning-resource-namespace: istio-system
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    operator.istio.io/managed: Reconcile
+    operator.istio.io/version: 1.22.2
+    release: istio
+  name: istio
+  namespace: istio-system
diff --git a/microservices-connector/config/authN-authZ/chatQnA_router_gateway_oauth.yaml b/microservices-connector/config/authN-authZ/chatQnA_router_gateway_oauth.yaml
@@ -0,0 +1,39 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: chatqna-gateway
+  namespace: istio-system
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - hosts:
+    - chatqna-service.com
+    port:
+      name: http
+      number: 80
+      protocol: HTTP
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: chatqna-virtual-service
+  namespace: istio-system
+spec:
+  gateways:
+  - istio-system/chatqna-gateway
+  hosts:
+  - chatqna-service.com
+  http:
+  - match:
+    - uri:
+        prefix: /
+    route:
+    - destination:
+        host: router-service.chatqa.svc.cluster.local
+        port:
+          number: 8080
diff --git a/microservices-connector/config/authN-authZ/chatQnA_ui_gateway.yaml b/microservices-connector/config/authN-authZ/chatQnA_ui_gateway.yaml
@@ -0,0 +1,47 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: chatqna-ui-gateway
+  namespace: istio-system
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - hosts:
+    - chatqna-ui.com
+    port:
+      name: http
+      number: 80
+      protocol: HTTP
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: chatqna-ui-virtual-service
+  namespace: istio-system
+spec:
+  gateways:
+  - istio-system/chatqna-ui-gateway
+  hosts:
+  - chatqna-ui.com
+  http:
+  - match:
+    - uri:
+        prefix: /oauth2
+    route:
+    - destination:
+        host: oauth-proxy.oauth2-proxy.svc.cluster.local
+        port:
+          number: 4180
+  - match:
+    - uri:
+        prefix: /
+    route:
+    - destination:
+        host: ui.default.svc.cluster.local
+        port:
+          number: 5174
diff --git a/...ervices-connector/config/authN-authZ/docs/OPEA auth flow with OIDC provider.png b/...ervices-connector/config/authN-authZ/docs/OPEA auth flow with OIDC provider.png
diff --git a/...services-connector/config/authN-authZ/docs/OPEA auth flow with oauth2-proxy.png b/...services-connector/config/authN-authZ/docs/OPEA auth flow with oauth2-proxy.png
diff --git a/microservices-connector/config/authN-authZ/docs/add_group_scope.png b/microservices-connector/config/authN-authZ/docs/add_group_scope.png
diff --git a/microservices-connector/config/authN-authZ/docs/add_mapper.png b/microservices-connector/config/authN-authZ/docs/add_mapper.png
diff --git a/microservices-connector/config/authN-authZ/docs/add_scope.png b/microservices-connector/config/authN-authZ/docs/add_scope.png
diff --git a/microservices-connector/config/authN-authZ/docs/attach_group_scope.png b/microservices-connector/config/authN-authZ/docs/attach_group_scope.png
diff --git a/microservices-connector/config/authN-authZ/docs/create_client_1.png b/microservices-connector/config/authN-authZ/docs/create_client_1.png
diff --git a/microservices-connector/config/authN-authZ/docs/create_client_2.png b/microservices-connector/config/authN-authZ/docs/create_client_2.png
diff --git a/microservices-connector/config/authN-authZ/docs/create_client_3.png b/microservices-connector/config/authN-authZ/docs/create_client_3.png
diff --git a/microservices-connector/config/authN-authZ/docs/create_realm.png b/microservices-connector/config/authN-authZ/docs/create_realm.png
diff --git a/microservices-connector/config/authN-authZ/docs/create_user.png b/microservices-connector/config/authN-authZ/docs/create_user.png
diff --git a/microservices-connector/config/authN-authZ/oauth2_install.yaml b/microservices-connector/config/authN-authZ/oauth2_install.yaml
@@ -0,0 +1,111 @@
+
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: v1
+data:
+  oauth2-proxy.cfg: |-
+    # Provider config
+    provider="keycloak-oidc"
+    provider_display_name="Keycloak"
+    login_url="http://${KEYCLOAK_ADDR}/realms/${REALM}/protocol/openid-connect/auth"
+    redeem_url="http://${KEYCLOAK_ADDR}/realms/${REALM}/protocol/openid-connect/token"
+    validate_url="http://${KEYCLOAK_ADDR}/realms/${REALM}/protocol/openid-connect/userinfo"
+    profile_url="http://${KEYCLOAK_ADDR}/realms/${REALM}/protocol/openid-connect/userinfo"
+    # Client config
+    client_id="${CLIENT}"
+    client_secret="${CLIENT_SECRET}"
+    cookie_secret="ZzBkN000Wm0pQkVkKUhzMk5YPntQRUw_ME1oMTZZTy0="
+    cookie_secure="false"
+    allowed_groups=["/user"]
+    allowed_roles=["${CLIENT}:user"]
+    # Upstream config
+    http_address="0.0.0.0:4180"
+    upstreams=["static://200"]
+    oidc_issuer_url="http://${KEYCLOAK_ADDR}/realms/${REALM}"
+    oidc_groups_claim="groups"
+    scope="openid groups"
+    whitelist_domains=["*"]
+    # Redis session store config
+    session_store_type="redis"
+    redis_connection_url="redis://redis-service:6379"
+    # Redirect url
+    redirect_url="http://chatqna-ui.com:${INGRESS_PORT}/oauth2/callback"
+    #extra attributes
+    pass_host_header = true
+    reverse_proxy = true
+    auth_logging = true
+    cookie_httponly = true
+    cookie_refresh = "2m"
+    cookie_expire = "3m"
+    email_domains = "*"
+    pass_access_token = true
+    pass_authorization_header = true
+    request_logging = true
+    set_authorization_header = true
+    set_xauthrequest = true
+    silence_ping_logging = true
+    skip_provider_button = true
+    skip_auth_strip_headers = false
+    skip_jwt_bearer_tokens = true
+    ssl_insecure_skip_verify = true
+    standard_logging = true
+kind: ConfigMap
+metadata:
+  name: oauth2-proxy-config
+  namespace: oauth2-proxy
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: oauth2-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "oauth2-proxy"
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy
+        sidecar.istio.io/inject: "true"
+    spec:
+      volumes:
+        - name: oauth2-proxy-config
+          configMap:
+            name: oauth2-proxy-config
+      containers:
+      - name: oauth2-proxy
+        image: "quay.io/oauth2-proxy/oauth2-proxy:latest"
+        ports:
+        - containerPort: 4180
+        volumeMounts:
+        - name: oauth2-proxy-config
+          mountPath: /etc/oauth2-proxy.cfg
+          subPath: oauth2-proxy.cfg
+        args:
+          - --config=/etc/oauth2-proxy.cfg
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: oauth-proxy
+  name: oauth-proxy
+  namespace: oauth2-proxy
+spec:
+  ports:
+  - name: http-oauthproxy
+    port: 4180
+    protocol: TCP
+    targetPort: 4180
+  selector:
+    app: oauth-proxy
+  sessionAffinity: None
+  type: ClusterIP
+status:
+  loadBalancer: {}