Part 2: Centralize Your Kubernetes Authentication Mechanisms Without Writing Any YAML
Configure Filter and FilterPolicy Resources with the K8s Initializer

Keycloak is a common Identity Provider solution for cloud native developers looking to centralize their authentication mechanisms across Kubernetes microservices. Installing Keycloak and configuring it with your ingress controller is often a time-consuming and unfulfilling task for many developers.
In the first part of this series, we wrote a step-by-step tutorial on how to set up centralized authentication for Kubernetes with Keycloak and the Ambassador Edge Stack. This tutorial used the K8s Initializer to install Ambassador and Keycloak and walked you through the process of manually defining realms and clients to enforce security policies.
Today, we are excited to announce new functionality in the K8s Initializer that allows for the configuration of Ambassador Filter and FilterPolicy resources. This functionality adds a new UI that guides the user through the configuration of Keycloak and interactively creates matching Kubernetes resources to take full advantage of Keycloak to secure your backend applications.
Getting Started
Like the previous part of this series, we will use Keycloak’s in-memory datastore in order to simplify our dependency graph, knowing that this is a non-production-ready Keycloak installation. For ingress, we will use the community version of the Ambassador Edge Stack because of its direct integration with Keycloak for authentication, to expose and secure public traffic coming in from internet requests to downstream private services running in our cluster.
The K8s Initializer will be used to simplify the configuration of these tools. The K8s Initializer is a self-service web-based interface designed to generate YAML files customized to your Kubernetes environment. In this tutorial, we’ll use the K8s Initializer to:
- Configure the Ambassador Edge Stack for ingress
- Configure Keycloak for authentication
- Configure Ambassador Filter and FilterPolicy resources in order to define realms and clients to enforce security policies
By the end of this tutorial, we’ll have an application running with the Ambassador Edge Stack handling TLS termination at the edge, serving our Keycloak installation under /auth/ and securing our Quote application under /backend/.
Configuring the Ambassador Edge Stack
For this tutorial, we pick a target Kubernetes cluster in Google Kubernetes Engine with a Google External (L4) Load Balancer. We will choose a public hostname for our installation. Using a public hostname requires an extra step to configure a DNS entry that points to our installation, but given that we want to demonstrate how to build a public, secure application stack, it’s worth the extra effort. We will input these answers into the web interface at https://app.getambassador.io/initializer/.
Configuring Keycloak
To configure Keycloak, we select the option and input a temporary password.
Installing the Generated YAML
To install the tools we have just configured, we’ll simply follow the instructions provided by the K8s Initializer. We’ll first install the Ambassador Edge Stack because it contains several Kubernetes Custom Resource Definition dependencies. This is as simple as copying and running the generated ‘kubectl apply’ commands on the next page of the K8s Initializer.
Then, we’ll install the Ambassador Edge Stack with Keycloak with another ‘kubectl apply’ command. Once we configure the DNS entry to point to the external IP of the provisioned service and give Keycloak a few minutes to start, we’ll be able to access its UI at https://domain-name/auth/. We’ll then log in to Keycloak’s Administration Console UI using the default ‘admin’ username and the temporary password we’ve selected, and then change the password!
Configure a Keycloak Realm, Client and User
To secure our APIs using our new Keycloak installation as our IdP, we’ll first need to create a client to handle authentication requests from Ambassador.
As we navigate to https://app.getambassador.io/initializer/keycloak-filter-editor, the K8s Initializer will guide us through this process and generate the YAML for the matching Filter and FilterPolicy resources.
Deploy a Quote Service
As with the first part of this tutorial, we’ll deploy a sample application to showcase how access can be restricted. We will create a Kubernetes Deployment, Service, and Mapping to publicly expose our running Quote application under the /backend/ path.
---
apiVersion: v1
kind: Service
metadata:
  name: quote
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: quote
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quote
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quote
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: quote
    spec:
      containers:
      - name: backend
        image: docker.io/datawire/quote:0.4.1
        ports:
        - name: http
          containerPort: 8080
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: quote-backend
  namespace: default
spec:
  prefix: /backend/
  service: quote
Give it a try, it’s currently unprotected: https://domain-name/backend/.
Secure Access
Finally, in order to secure access to our backend Quote service, we’ll run the ‘kubectl apply’ command provided earlier by https://app.getambassador.io/initializer/keycloak-filter-editor, creating the Filter and FilterPolicy resources in Kubernetes necessary to enforce authentication on our API.
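To confirm that no Mapping is left outside the FilterPolicy after applying it, the manifests can be cross-checked. The sketch below is an added example, not output of the K8s Initializer: the FilterPolicy and the names `backend-policy` and `keycloak-filter` are constructed for illustration, and it assumes first-match rule ordering, with Python's fnmatch standing in for Ambassador's glob matching.

```python
from fnmatch import fnmatchcase

# The Mapping from this page, as a parsed manifest.
MAPPINGS = [
    {"kind": "Mapping",
     "metadata": {"name": "quote-backend", "namespace": "default"},
     "spec": {"prefix": "/backend/", "service": "quote"}},
]

# Constructed FilterPolicy: resource and filter names are assumptions,
# not the values the Initializer generates.
FILTER_POLICIES = [
    {"kind": "FilterPolicy",
     "metadata": {"name": "backend-policy", "namespace": "default"},
     "spec": {"rules": [
         {"host": "*", "path": "/backend/*",
          "filters": [{"name": "keycloak-filter"}]},
     ]}},
]


def first_matching_rule(policies, host, path):
    """Return the first rule whose host and path globs match, else None.

    Assumption: rules are evaluated in order and the first match wins.
    """
    for policy in policies:
        for rule in policy["spec"].get("rules", []):
            if (fnmatchcase(host, rule.get("host", "*"))
                    and fnmatchcase(path, rule.get("path", "*"))):
                return rule
    return None


def unprotected_mappings(mappings, policies, host="example.test"):
    """Names of Mappings for which some probe path gets no filter."""
    exposed = []
    for mapping in mappings:
        prefix = mapping["spec"]["prefix"]
        # Probe the prefix itself and one path below it.
        probes = [prefix, prefix.rstrip("/") + "/probe"]
        for path in probes:
            rule = first_matching_rule(policies, host, path)
            # No rule, or a rule with empty/null filters, means the
            # request reaches the service without authentication.
            if rule is None or not rule.get("filters"):
                exposed.append(mapping["metadata"]["name"])
                break
    return exposed


if __name__ == "__main__":
    print("unprotected:", unprotected_mappings(MAPPINGS, FILTER_POLICIES))
```

An empty result means every probed path under each Mapping prefix hits a rule that applies a filter; a rule scoped to a single sub-path, or one with `filters: null`, will surface the Mapping as exposed.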
So, What’s Changed?
At the time of the previous blog post, the K8s Initializer only supported the installation and initial process configuration of Keycloak. The K8s Initializer fell short when it came to actually using Keycloak to define realms and clients to enforce security policies… What we would do is link to additional Ambassador and Keycloak documentation or blog posts to let developers go through this configuration manually, hoping for the best!
Now, we’ve moved the static “documentation and tutorial” part of the configuration process to a new UI that guides the developers through the setup and generates the resulting Kubernetes resources.
The new functionality allows developers to follow online step-by-step instructions to configure Keycloak and create Ambassador Filter and FilterPolicy manifests with a visual guide, instead of having to manually edit YAML files and context-switch between many open windows. This reduces the cognitive load required to understand the bootstrapping of Keycloak when it is used to secure APIs.
Get Started
You can get started configuring Keycloak and Ambassador customized to your own environment with the K8s Initializer today: just visit https://app.getambassador.io/initializer. Once you’ve taken it for a spin, we’d really appreciate your feedback on the usability of the tool, as we already envision supporting more Kubernetes resource types with a similar guided approach to editing YAML manifests. You can share your feedback with us on Twitter @ambassadorlabs or in the #K8s-Initializer channel on our Community Slack.