Centralized Authentication with Keycloak and Ambassador Edge Stack

Keycloak is a widely adopted Identity and Access Management (IAM for short) open-source solution. 2014 was a big year for groundbreaking technologies as both the Keycloak and Kubernetes projects were initially released a few weeks apart. Unsurprisingly, many Kubernetes end-users are turning to Keycloak as the preferred way to manage access to the secure APIs and services of their platform.

Simply running Keycloak in Kubernetes will not, however, make your platform secure. Many concerns are left to the user to configure and implement: from exposing the Keycloak API endpoints using TLS and an ingress controller, to enforcing security policies on specific business endpoints. When solving these problems, we have a bias towards using an API Gateway to handle encrypted connections and centralize API management policies, instead of re-implementing authentication strategies in every language and application of your microservice architecture.

Our goal today will be to install Keycloak as our IAM solution and secure it behind the Ambassador Edge Stack, our API Gateway acting as a Kubernetes ingress controller. As a final step, we will deploy a sample application and demonstrate how to use Keycloak as an Identity provider (IdP for short) to restrict access to this application with OAuth2 using request Filters.

Getting Started

In this tutorial, we will use a non-production-ready Keycloak installation. To simplify our dependency graph, we’ll use the in-memory datastore, which is totally suitable for a demo but wouldn’t guarantee high-availability in a production environment. If you are looking for production-grade persistence, Keycloak offers a variety of storage solutions.

The ingress controller is the missing building block in most Kubernetes offerings. Although Kubernetes defines an Ingress resource, it is not actually backed by any implementation that will turn the resource into a public service! The choice and installation of an ingress solution are left to the operator. Here, we will use the community version of the Ambassador Edge Stack, because of its direct integration with Keycloak for authentication, to expose and secure public traffic coming in from internet requests to downstream private services running in our Kubernetes cluster.

At the end of the tutorial, we’ll be up and running with the Ambassador Edge Stack doing TLS termination at the edge of the Kubernetes network, exposing our Keycloak installation under /auth/ and securing our Quote application under /backend/.

Scaffolding with the K8s Initializer

Kubernetes is often made fun of because of the copious amounts of YAML it requires. Instead of going on a scavenger hunt for YAML samples and assembling all the puzzle pieces from stale sources, we’ll be using the K8s Initializer to generate all of the Kubernetes resources for us. The K8s Initializer is a project generator tool similar to what exists for application developers: think Spring Initializr or Yeoman.

The wizard-like interface of the K8s Initializer guides us through a few questions to understand and configure the specific settings that vary from one cloud provider to another. These implementation details are often where promises are broken and portability falls short, making it hard to configure ingress controllers and expose services to public traffic. Hopefully, we can do away with the little gotchas by using a comprehensive tool like the K8s Initializer, which provides us with an optimal configuration.

Specifically for this tutorial, we picked our target Kubernetes cluster: “Google Kubernetes Engine” with a “Google External Load Balancer (L4)” load balancer. We also chose a public Hostname for our installation. Using a public hostname will require an extra step to configure a DNS entry to point to our installation, but given we want to demonstrate how to build a public secure application stack, it’s worth the extra effort. As for the K8s Initializer’s Auth configuration, we undoubtedly selected Keycloak, with a temporary password.

Once satisfied with our K8s Initializer options, we hit the “download” button. We’ll be given a set of ready-to-go YAML files and instructions.

Give it a try! https://app.getambassador.io/

Installing the Ambassador Edge Stack

We’ll start by installing the Ambassador Edge Stack simply because it contains a bunch of Kubernetes Custom Resource Definitions dependencies. Given you have access to your desired Kubernetes cluster, the installation will be as simple as running kubectl apply commands and configuring a DNS entry to point to the external IP of the provisioned service.

Installing Keycloak

Installing Keycloak from the generated YAML is again straightforward: a single kubectl apply command. The curious cat might peek at the Keycloak YAML file; don’t worry, it won’t kill you! You’ll actually be able to appreciate how the Ambassador Mapping resource instructs traffic hitting the public /auth/ prefix to be forwarded to our private Keycloak pod running in the Kubernetes cluster.

Giving Keycloak a few minutes to start, we’ll then be able to access its UI at https://domain-name/auth/. Since we chose to let “Ambassador terminate TLS using a Let’s Encrypt certificate” in the K8s Initializer options, we can see automatic TLS termination happening with a valid certificate for our Keycloak installation.

We can then log in to Keycloak’s Administration Console UI using the default admin username and the temporary password we’ve selected previously to configure Keycloak to our needs… and change the password!

Securing your APIs with Keycloak

Configuring a Keycloak Realm, Client and User

To secure our APIs, we will be using our shiny new Keycloak installation as our IdP. We first need to create a client to handle authentication requests from Ambassador Edge Stack. All of these configuration steps can be achieved using the Keycloak UI.

  1. We first start by creating a new “Realm”. Hovering on top of the “Master” label in the right-hand navigation, we can click on “Add realm”. We picked ambassador as the “Name” of our new realm. This will be needed later on to configure the authorizationURL field in the auth Filter.

  2. We’ll create a new client by navigating to “Clients” and clicking “Create”. We chose the following settings:

    - Client ID: ambassador (this value will be used in the clientID field of the auth Filter)
    - Client Protocol: openid-connect
    - Root URL: None, left blank

  3. On the following screen, we configured the Client with:

    - Access Type: confidential
    - Valid Redirect URIs: *

  4. Navigating to the “Mappers” tab in our Client, we clicked “Create” and used the following settings:

    - Protocol: openid-connect
    - Name: Ambassador Mapper
    - Mapper Type: Audience
    - Included Client Audience: Select the name of the Client from the dropdown. Remember, we named our Client ambassador.

  5. Going back to our ambassador Client, we navigated to the “Client Scopes” section and configured our Client for offline_access.

  6. Back again to our ambassador Client, we then navigated to the “Credentials” section. We took note of the “Secret” value as it will be used later when configuring our auth Filter.

Along with our Client configuration, let’s configure a Keycloak “User”:

  1. Navigating to the “Users” section of the Keycloak Administration Console, we will click on “Add user”. We gave our user a simple username: my-keycloak-user, then clicked “Save”.

  2. On the following screen, we switched to the User’s “Credentials” tab to set a temporary password.
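The UI steps above can also be scripted against Keycloak’s Admin REST API, which is handy when you rebuild the demo often. The following is an added example, not code from the original post or from the Keycloak project: it builds the same realm, confidential client, Audience mapper and user described in the steps (realm ambassador, client ambassador, mapper “Ambassador Mapper”, user my-keycloak-user), then reads back the client secret that step 6 tells you to note for the auth Filter. The environment variable names (KEYCLOAK_URL, KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD, USER_TEMP_PASSWORD) are assumptions for this example. The wildcard redirect URI mirrors the tutorial; for a real deployment, narrow it to the exact callback URL of the OAuth2 filter.

```python
"""Scripted equivalent of the Keycloak UI steps in this tutorial (added example).

Builds the realm, confidential client, Audience mapper and test user that the
UI steps describe, through Keycloak's Admin REST API. Base URL, admin
credentials and the user's temporary password come from environment variables
(names assumed here). Nothing runs on import.
"""
import json
import os
import urllib.parse
import urllib.request

# Values taken from the tutorial text.
REALM = "ambassador"
CLIENT_ID = "ambassador"
MAPPER_NAME = "Ambassador Mapper"
USERNAME = "my-keycloak-user"


def realm_representation(realm=REALM):
    """Step 1: a new realm."""
    return {"realm": realm, "enabled": True}


def client_representation(client_id=CLIENT_ID):
    """Steps 2, 3 and 5: openid-connect, confidential, offline_access scope."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,        # "Access Type: confidential"
        "rootUrl": "",                # "Root URL: None, left blank"
        "redirectUris": ["*"],        # as in the tutorial; restrict to the
                                      # filter's callback URL in production
        "standardFlowEnabled": True,  # authorization-code flow used by the filter
        "optionalClientScopes": ["offline_access"],
    }


def audience_mapper(client_id=CLIENT_ID, name=MAPPER_NAME):
    """Step 4: write the client id into the token's aud claim, which the
    Filter's `audience` field is matched against."""
    return {
        "name": name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-audience-mapper",
        "config": {
            "included.client.audience": client_id,
            "id.token.claim": "true",
            "access.token.claim": "true",
        },
    }


def user_representation(username=USERNAME):
    """User step 1: a simple, enabled user."""
    return {"username": username, "enabled": True}


def temporary_password(value):
    """User step 2: a password the user must change at first login."""
    return {"type": "password", "value": value, "temporary": True}


class KeycloakAdmin:
    """Thin Admin REST API client using only the standard library."""

    def __init__(self, base_url, admin_user, admin_password):
        self.base = base_url.rstrip("/")  # e.g. https://domain-name/auth
        form = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": admin_user, "password": admin_password}).encode()
        url = f"{self.base}/realms/master/protocol/openid-connect/token"
        with urllib.request.urlopen(urllib.request.Request(url, data=form)) as r:
            self.token = json.load(r)["access_token"]

    def call(self, method, path, payload=None):
        req = urllib.request.Request(
            f"{self.base}/admin{path}", method=method,
            data=None if payload is None else json.dumps(payload).encode(),
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as r:
            body = r.read()
        return json.loads(body) if body else None

    def configure(self, user_password):
        """Runs the tutorial's steps in order; returns the client secret (step 6)."""
        self.call("POST", "/realms", realm_representation())
        self.call("POST", f"/realms/{REALM}/clients", client_representation())
        cid = self.call("GET", f"/realms/{REALM}/clients?clientId={CLIENT_ID}")[0]["id"]
        self.call("POST", f"/realms/{REALM}/clients/{cid}/protocol-mappers/models",
                  audience_mapper())
        secret = self.call("GET", f"/realms/{REALM}/clients/{cid}/client-secret")["value"]
        self.call("POST", f"/realms/{REALM}/users", user_representation())
        users = self.call("GET", f"/realms/{REALM}/users?username={USERNAME}")
        uid = next(u["id"] for u in users if u["username"] == USERNAME)
        self.call("PUT", f"/realms/{REALM}/users/{uid}/reset-password",
                  temporary_password(user_password))
        return secret


if __name__ == "__main__":
    # Assumed environment variable names for this example.
    admin = KeycloakAdmin(os.environ["KEYCLOAK_URL"],
                          os.environ.get("KEYCLOAK_ADMIN", "admin"),
                          os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    print("client secret for the auth Filter:",
          admin.configure(os.environ["USER_TEMP_PASSWORD"]))
```

The representation builders are kept separate from the HTTP calls so the security-relevant settings (confidential client, audience claim, temporary password) can be reviewed and unit-tested without a running Keycloak; the `aud` claim the mapper adds is what lets the Filter’s audience field reject tokens issued for other clients.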

Now that we have a user with which we can authenticate, let’s deploy an application.

Deploying a Quote service

Deploying custom applications on Kubernetes is achieved by creating some Kubernetes resources defined as… you guessed it, more YAML! This time, since we are deploying a sample backend application, the sample is fairly lightweight. You can save the following definitions to a “quote-service.yaml” file and deploy it using kubectl apply -f quote-service.yaml.

---
apiVersion: v1
kind: Service
metadata:
  name: quote
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: quote
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quote
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quote
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: quote
    spec:
      containers:
      - name: backend
        image: docker.io/datawire/quote:0.4.1
        ports:
        - name: http
          containerPort: 8080
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: quote-backend
  namespace: default
spec:
  prefix: /backend/
  service: quote

This will create a Kubernetes Deployment, Service, and Mapping to publicly expose our running Quote application under the /backend/ path. Give it a try, it’s currently unprotected: https://domain-name/backend/.

Securing access

Building on the configuration we applied to our Keycloak installation in the “Configuring a Keycloak Realm, Client and User” section earlier, we’ll create OAuth2 Filter and FilterPolicy resources in Kubernetes. Don’t forget to replace the placeholders in this YAML sample with the values from your installation! Once again, save the following definitions to a “keycloak-filter.yaml” file and deploy it using kubectl apply -f keycloak-filter.yaml.

---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: keycloak-filter
  namespace: ambassador
spec:
  OAuth2:
    authorizationURL: https://{domain-name}/auth/realms/ambassador
    audience: ambassador
    clientID: ambassador
    secret: {client_secret}
    protectedOrigins:
    - origin: https://{domain-name}
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: quote-policy
  namespace: default
spec:
  rules:
    - host: "*"
      path: /backend/
      filters:
        - name: keycloak-filter
          namespace: ambassador
          arguments:
            scopes:
            - "offline_access"

Since the FilterPolicy is acting on the /backend/ path, when navigating to our Quote service under https://domain-name/backend/ we are now prompted for authentication by Keycloak! Try logging in with the my-keycloak-user username we created earlier!

We are just one step away from extending this FilterPolicy configuration to protect multiple paths, endpoints and services using the same authentication strategy. Talk about an efficient way to roll out single sign-on and centralize your authentication mechanism! Now, just follow these instructions to configure fine-grained settings of Filter and FilterPolicy resources with Keycloak.
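As an added example (not from the original post), here is one way the quote-policy FilterPolicy above can be extended so that the same keycloak-filter protects several paths while a health-check path stays public. The /backend/healthz and /orders/ paths are assumed for illustration; the Filter name and namespace are the ones from the tutorial.

```yaml
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: quote-policy
  namespace: default
spec:
  rules:
    # Public: no filter runs on the health-check path (assumed path).
    - host: "*"
      path: /backend/healthz
      filters: []
    # Everything else under /backend/ requires a Keycloak login.
    - host: "*"
      path: /backend/*
      filters:
        - name: keycloak-filter
          namespace: ambassador
          arguments:
            scopes:
            - "offline_access"
    # A second service (assumed Mapping prefix) reuses the same Filter,
    # so its users get single sign-on against the same realm.
    - host: "*"
      path: /orders/*
      filters:
        - name: keycloak-filter
          namespace: ambassador
```

Rules are matched in order and the first match wins, so the public exception must be listed before the /backend/* rule; keep such exceptions to the bare minimum, since every path not covered by a rule with a filter is served unauthenticated.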

Learn More

In this tutorial, we’ve shown how to centralize your authentication in Kubernetes by deploying Keycloak as your IdP and the Ambassador Edge Stack as your Kubernetes-native API Gateway. With the help of the K8s Initializer, you are able to get these tools up and running in just a few clicks.

To learn more about these tools and centralized authentication strategies, check out the following resources:

  • Keycloak
  • Ambassador Edge Stack
  • K8s Initializer
  • Join our Slack

Translated from: https://blog.getambassador.io/centralized-authentication-with-keycloak-and-ambassador-edge-stack-d509ffbc7b6f
