Skip to content
This repository has been archived by the owner on Nov 20, 2023. It is now read-only.

redhat-cop/container-native-spring-postgresql

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

142 Commits

crunchy

crunchy

 
 

istio

istio

 
 

media

media

 
 

microsegmentation

microsegmentation

 
 

openshift

openshift

 
 

spring

spring

 
 

sso

sso

 
 

vault

vault

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

architecture.png

architecture.png

 
 

container_native.gliffy

container_native.gliffy

 
 

Repository files navigation

Container Native Microservices with OpenShift Sample Application

This tutorial shows the steps to install and run a Spring Boot microservice with PostgreSQL in a container-native way.

This sample application is comprised of:

  • Spring Boot 1.5 with RHOAR for microservices (In Progress)
  • Red Hat SSO 7.1 (a.k.a. Keycloak 2.5.5) for user management, authentication with JWT
    • Scalable, High Availability configuration using Kube Ping
    • Persistence with PostgreSQL
    • Pre-configured Realms for quick setup (TODO)
  • Istio 0.4 (latest) for service mesh and security (In Progress)
    • Injection of Envoy/Istio sidecar proxy into microservice pod
    • Authorization of web service access via JWT and SSO with Istio Mixer rule
    • Mutual TLS
  • Microsegmentation Rules (TODO)
  • Prometheus (Istio Integration)
  • Zipkin (Istio Integration)
  • Grafana (Istio Integration)
  • Service Graph (Istio Integration)
  • Hashicorp Vault for managing secrets (In Progress)
  • Crunchy Operator for High Availability PostgreSQL (In Progress)

The application has the following architecture:

Architecture

Assumptions:

  1. You have an OpenShift Container Platform cluster >= 3.7
  2. You have dynamic volume provisioning available (it's possible to use static provisioning provided that you have enough volumes)
  3. You are running the network policy plugin.
    • To enable the network policy plugin on Minishift use: ./minishift openshift config set --patch='{"networkConfig":{"networkPluginName":"redhat/openshift-ovs-networkpolicy"}}

Here are the steps for the installation:

Step Architcture
1. Deploy the Crunchy Postgres operator step1
2. Deploy Postgres in HA step2
3. Deploy Hashicorp Vault step3
4. Configure Vault to use Kubernetes backend authentication step4
5. Configure Vault to manage the postgresql DB step5
6. Configure application to use Vault to retrieve the postgresql account step6
7. RH SSO installation step7
8. Istio core installation step8
9. Configure app to use Istio step9
10. Configure Istio to do Mutual TLS authentication step10
11. Configure istio to do OAuth Authentication via RH SSO step11
12. Istio Add-ons installation (prometheus, Jaeger) step12
13. Configure microsegmentation step13
14. Build and deploy the application step14

POC Outcome (as of 2/1/2018)

technology production ready comments
RHOAR yes the maven plugin may not be fitting for all use cases
HA database running in openshift yes - HA templates to be developed with the customer - day 2 operations still not container native
postgres operator no main reason: lack of integration with enterprise security, it's in the roadmap to solve this
Vault yes
RH SSO yes
istio no privileged scc permission needs to be given to all pods running in the mesh
Application managed OAuth yes
Istio managed OAuth no seems a very frail configuration at this point, future versions of Istio may solve this issue
Istio managed mTLS yes more testing required
microsegmentation N/A not completed at this point

About

No description or website provided.

Topics

container-cop

Resources

Readme
Activity
Custom properties

Stars

21 stars

Watchers

15 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages