Skip to content

Enable OIDC based Authentication with apisix#312

Merged
mkbhanda merged 9 commits intoopea-project:mainfrom
ckhened:ckhened-apisix-authNZ
Sep 11, 2024
Merged

Enable OIDC based Authentication with apisix#312
mkbhanda merged 9 commits intoopea-project:mainfrom
ckhened:ckhened-apisix-authNZ

Conversation

@ckhened
Copy link
Copy Markdown
Collaborator

@ckhened ckhened commented Aug 18, 2024

Description

The proposed changes enable OIDC (Open ID Connect) based user Authentication using APISIX API gateway and Keycloak Identity provider to OPEA apps.

This change introduces 2 helm charts:

  1. helm-charts/auth-apisix/apisix-helm: This helm chart installs APISIX api gateway and APISIX ingress controller
  2. helm-charts/auth-apisix/apis-crd-helm: This helm chart contains CRDs for authenticated APIs that needs to be published in API gateway

The Readme file in helm-charts/auth-apisix/README.md gives instructions to install keycloak, apisix and API CRDs

APISIX is apache licensed open source API gateway which is light weight, delivers high performance. It can work with docker or kubernetes and with any service mesh within kubernetes.

Issues

n/a

Type of change

List the type of change like below. Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • [X ] New feature (non-breaking change which adds new functionality)
  • Breaking change (fix or feature that would break existing design and interface)

Dependencies

  1. apisix api gateway
  2. apisix-ingress-controller
  3. keycloak

Tests

Verified locally on my test system

@ckhened ckhened requested a review from ftian1 August 18, 2024 01:20
@hshen14 hshen14 requested a review from lvliang-intel August 18, 2024 23:44
hshen14
hshen14 reviewed Aug 19, 2024
View reviewed changes
lianhao
lianhao reviewed Aug 22, 2024
View reviewed changes
lianhao
lianhao reviewed Aug 22, 2024
View reviewed changes
@ckhened ckhened force-pushed the ckhened-apisix-authNZ branch 2 times, most recently from a37fc17 to 3bc5c7a Compare August 23, 2024 00:47
lianhao
lianhao reviewed Aug 23, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@lianhao lianhao left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this could NOT be covered by CI test due to the pre-requests, maybe we could move this to the top level folder authN-authZ, because this also resolves authentication & authorization.

@ckhened ckhened force-pushed the ckhened-apisix-authNZ branch 2 times, most recently from 485abc7 to 92be80d Compare August 23, 2024 23:30
@lianhao
Copy link
Copy Markdown
Collaborator

lianhao commented Aug 26, 2024

Also please fix the DCO error, thx

Ruoyu-y
Ruoyu-y reviewed Aug 26, 2024
View reviewed changes
helm-charts/auth-apisix/README.md
The access token, refresh token, userinfo and user roles can be obtained by invoking OIDC auth endpoint through UI or token endpoint through curl and providing user credentials. </br></br>

Below steps can be followed to get access token from keycloak and access the APISIX published ChatQnA API through curl

Copy link
Copy Markdown
Collaborator

@Ruoyu-y Ruoyu-y Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please help explain your authentication and authorization scenarios here.

Copy link
Copy Markdown
Collaborator

@ftian1 ftian1 Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree the proposal of the above folder layout.

@lianhao
Copy link
Copy Markdown
Collaborator

lianhao commented Aug 28, 2024

@ckhened PR #353 is merged. Please refactor based on that. Thanks!

@ckhened ckhened force-pushed the ckhened-apisix-authNZ branch from 3e1ec31 to c9f766c Compare August 29, 2024 00:58
lianhao
lianhao requested changes Aug 29, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@lianhao lianhao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove duplicated files under helm-charts directory. Also please add reference in file authN-authZ/README.md

ckhened added 5 commits August 28, 2024 18:33
@ckhened
Enable OIDC based Authentication with apisix
ec03fcd 
Signed-off-by: Chaitanya Khened <chaitanya.khened@intel.com>
@ckhened
Update README.md
3f67bd3 
Signed-off-by: Chaitanya Khened <chaitanya.khened@intel.com>
@ckhened
incorporating review comments for apisix installation and updating di…
b91548b 
…rectory structure

Signed-off-by: Chaitanya Khened <chaitanya.khened@intel.com>
@ckhened
Adding more details in README and some cleanup in values files
d75749d 
Signed-off-by: Chaitanya Khened <chaitanya.khened@intel.com>
@ckhened
Adding in new directory structure and incorporating some review comments
03083b6 
Signed-off-by: Chaitanya Khened <chaitanya.khened@intel.com>
@ckhened ckhened force-pushed the ckhened-apisix-authNZ branch from a6512e5 to 03083b6 Compare August 29, 2024 01:43
@ckhened
Copy link
Copy Markdown
Collaborator Author

ckhened commented Aug 29, 2024

Moved auth-apisix dir to authN-authZ, fixed CI checks and incorporated other comments.
I'll add authentication and authorization scenarios examples (comment from @Ruoyu-y ) in the next commit

lianhao
lianhao requested changes Aug 30, 2024
View reviewed changes
ckhened and others added 2 commits September 10, 2024 23:59
@ckhened
updating READMEs
3f1cd32 
Signed-off-by: Chaitanya Khened <chaitanya.khened@intel.com>
@pre-commit-ci
[pre-commit.ci] auto fixes from pre-commit.com hooks
54bafba 
for more information, see https://pre-commit.ci
@ckhened ckhened requested a review from lianhao September 11, 2024 07:13
@Ruoyu-y
Copy link
Copy Markdown
Collaborator

Ruoyu-y commented Sep 11, 2024

Moved auth-apisix dir to authN-authZ, fixed CI checks and incorporated other comments. I'll add authentication and authorization scenarios examples (comment from @Ruoyu-y ) in the next commit

This will not include in this PR, correct?

@mkbhanda mkbhanda merged commit ee907d6 into opea-project:main Sep 11, 2024
@joshuayao joshuayao mentioned this pull request Nov 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkbhanda mkbhanda mkbhanda left review comments

@hshen14 hshen14 hshen14 left review comments

@Ruoyu-y Ruoyu-y Ruoyu-y left review comments

@lianhao lianhao lianhao approved these changes

@ftian1 ftian1 ftian1 approved these changes

@lvliang-intel lvliang-intel Awaiting requested review from lvliang-intel

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ckhened @lianhao @Ruoyu-y @mkbhanda @ftian1 @hshen14