Introduction
This repository represents rapp service exposure prototyping in O-RAN.
...
The relevant code is in the service-exposure folder.
How it works
The helm charts include an "rapp" section that is read by the installer and used when installing.
```yaml
securityEnabled: true
type: provider
realm: demo
client: demoprovider-cli
authenticator: client-jwt
roles:
  - role: provider-viewer
    grants:
      - GET
  - role: provider-admin
    grants:
      - GET
      - POST
      - PUT
      - DELETE
```
The rapp type is "provider": this tells the installer to set up a realm named demo and a client named demoprovider-cli, and to use the client-jwt method to authenticate the token request. The invoker wraps its client certificate in a JWT and sends it to Keycloak to obtain an access token, which authorizes it to access the provider.
The appropriate Istio template files are also applied to secure the service.
Template | Purpose |
---|---|
Gateway-template.txt | Creates a gateway for the service |
VirtualService-template.txt | Configures routing rules |
RequestAuthentication-template.txt | Configures JWT authentication endpoint |
AuthorizationPolicy-template.txt | Configures checks to be carried out on JWT |
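As an added illustration (not code from the repository), the following Python renders the roles and grants of the "rapp" section above into the kind of Istio AuthorizationPolicy that the AuthorizationPolicy template produces, and evaluates a request against it the way the sidecar would. It assumes Keycloak realm roles are carried in the token's realm_access.roles claim and that the provider pod label app.kubernetes.io/name: rapp-helloworld-provider is the selector; both are assumptions.

```python
import json

# Constructed copy of the "rapp" section shown above (not read from a chart here).
RAPP = {
    "securityEnabled": True,
    "type": "provider",
    "realm": "demo",
    "client": "demoprovider-cli",
    "authenticator": "client-jwt",
    "roles": [
        {"role": "provider-viewer", "grants": ["GET"]},
        {"role": "provider-admin", "grants": ["GET", "POST", "PUT", "DELETE"]},
    ],
}

# Assumption: Keycloak puts realm roles in the realm_access.roles claim, which
# Istio exposes as a nested claim attribute in AuthorizationPolicy conditions.
ROLE_CLAIM = "request.auth.claims[realm_access][roles]"


def build_authorization_policy(rapp, name, namespace, app_label):
    """One ALLOW rule per role, limited to that role's granted HTTP methods.
    Because an ALLOW policy with rules exists for the workload, any request
    that matches no rule (wrong method, missing role, or no valid JWT and
    therefore no claims) is denied by the sidecar."""
    if rapp.get("type") != "provider" or not rapp.get("securityEnabled"):
        raise ValueError("only security-enabled provider rapps get a policy")
    rules = []
    for entry in rapp["roles"]:
        methods = sorted({m.upper() for m in entry["grants"]})
        rules.append({
            "to": [{"operation": {"methods": methods}}],
            "when": [{"key": ROLE_CLAIM, "values": [entry["role"]]}],
        })
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "selector": {"matchLabels": {"app.kubernetes.io/name": app_label}},
            "action": "ALLOW",
            "rules": rules,
        },
    }


def is_allowed(policy, method, token_roles):
    """Mimic Istio's evaluation: allowed only if some rule matches both the
    method and at least one role present in the (already validated) token."""
    for rule in policy["spec"]["rules"]:
        if method.upper() not in rule["to"][0]["operation"]["methods"]:
            continue
        if any(r in token_roles for r in rule["when"][0]["values"]):
            return True
    return False


if __name__ == "__main__":
    p = build_authorization_policy(RAPP, "demoprovider-authz", "default",
                                   "rapp-helloworld-provider")
    print(json.dumps(p, indent=2))
```

The claims are only populated when the RequestAuthentication resource has validated the JWT, so the policy rejects anonymous requests as well as tokens lacking the role.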
A rapp of type "invoker" only needs to set up one Istio resource: the Envoy filter.
Template | Purpose |
---|---|
EnvoyFilter-template.txt | Intercepts outgoing requests, calls the JWT retrieval script and inserts the JWT into the request header |
The following code snippet shows how the script is called with the appropriate parameters:
```lua
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
  "jwt_cluster",
  {
    [":method"] = "GET",
    [":path"] = "/token",
    [":authority"] = "jwt-proxy",
    ["realm"] = "{{.Realm}}",
    ["client"] = "{{.Client}}",
    ["authenticator"] = "{{.Authenticator}}",
    ["ns"] = "{{.Namespace}}"
  },
  "jwt call",
  5000)
```
The following diagram illustrates the flow:
The flow only applies when the sidecar has been injected, which is configured in the MutatingWebhookConfiguration.yaml file.
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: jwt-proxy-webhook
  namespace: default
webhooks:
  - name: rapps-webhook.default.svc.cluster.local
    admissionReviewVersions:
      - "v1beta1"
    sideEffects: "None"
    timeoutSeconds: 30
    objectSelector:
      matchLabels:
        app.kubernetes.io/name: rapp-helloworld-invoker1
```
The objectSelector field determines where the webhook is applied: here, only pods labelled app.kubernetes.io/name: rapp-helloworld-invoker1.
Prerequisites
Istio
Istio should be installed on your cluster with the demo profile, and istioctl should be added to your $PATH variable.
...
To replicate these tests you will need to set up the various host paths referenced in the YAML files on your own machine:
YAML | Path |
---|---|
chartmuseum.yaml | /var/chartmuseum/charts |
keycloak.yaml | /var/keycloak/certs |
postgres.yaml | /var/keycloak/data2 |
rapps-keycloak-mgr.yaml | /var/rapps/certs |
rapps-webhook.yaml | /var/rapps/certs |
Alternatively, change them to match your own setup.
...