Introduction

This repository represents rapp service exposure prototyping in O-RAN.

...

The relevant code is in the service-exposure folder.

How it works

The helm charts include an "rapp" section that is read by the installer and used when installing.

Code Block
language: yml
title: provider values.yaml
rapp:                              # the "rapp" section read by the installer
  securityEnabled: true
  type: provider                   # provider or invoker
  realm: demo                      # Keycloak realm the installer creates
  client: demoprovider-cli         # Keycloak client the installer creates
  authenticator: client-jwt        # method used to authenticate the token request
  roles:                           # each role maps to the HTTP methods it may use
  - role: provider-viewer
    grants:
      - GET
  - role: provider-admin
    grants:
      - GET
      - POST
      - PUT
      - DELETE

The rapp type is "provider". This tells the installer to set up a realm named demo and a client named demoprovider-cli, and to use the client-jwt method to authenticate the token request. The invoker wraps its client certificate in a JWT and sends it to Keycloak in order to obtain an access token, which authorizes it to access the provider.

The appropriate istio template files are also applied to secure the service.

Template                            | Purpose
Gateway-template.txt                | Creates a gateway for the service
VirtualService-template.txt         | Configures routing rules
RequestAuthentication-template.txt  | Configures the JWT authentication endpoint
AuthorizationPolicy-template.txt    | Configures the checks to be carried out on the JWT
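To make the installer's reading of the "rapp" section concrete, here is an added Python model (not code from the repository) of the two decisions described above: which Istio templates are applied for a given rapp type, and how the roles/grants list turns into AuthorizationPolicy rules that the provider's sidecar later enforces. The claim path realm_access.roles, the Istio nested-claim key, the app_label selector and the handling of securityEnabled: false are assumptions about how the templates are rendered, not facts from the page.

```python
"""Models the installer's handling of the "rapp" values section (added example)."""

# Constructed input: the provider values.yaml "rapp" section from above, as a dict.
RAPP_PROVIDER = {
    "securityEnabled": True,
    "type": "provider",
    "realm": "demo",
    "client": "demoprovider-cli",
    "authenticator": "client-jwt",
    "roles": [
        {"role": "provider-viewer", "grants": ["GET"]},
        {"role": "provider-admin", "grants": ["GET", "POST", "PUT", "DELETE"]},
    ],
}

# Istio templates applied per rapp type (names taken from the tables on the page).
TEMPLATES_BY_TYPE = {
    "provider": [
        "Gateway-template.txt",
        "VirtualService-template.txt",
        "RequestAuthentication-template.txt",
        "AuthorizationPolicy-template.txt",
    ],
    "invoker": ["EnvoyFilter-template.txt"],
}

# Assumption: Keycloak places realm roles in the realm_access.roles claim and the
# rendered AuthorizationPolicy tests that claim with Istio's nested-claim syntax.
ROLE_CLAIM_KEY = "request.auth.claims[realm_access][roles]"


def select_templates(rapp):
    """Return the template files the installer applies for this rapp section.
    Assumption: securityEnabled: false means no Istio resources are applied."""
    if not rapp.get("securityEnabled", False):
        return []
    rapp_type = rapp.get("type")
    if rapp_type not in TEMPLATES_BY_TYPE:
        raise ValueError(f"unknown rapp type: {rapp_type!r}")
    return list(TEMPLATES_BY_TYPE[rapp_type])


def build_authorization_rules(rapp):
    """One ALLOW rule per role: the HTTP methods come from the role's grants and
    the rule only fires when the verified JWT carries that role."""
    rules = []
    for entry in rapp["roles"]:
        rules.append({
            "to": [{"operation": {"methods": sorted(set(entry["grants"]))}}],
            "when": [{"key": ROLE_CLAIM_KEY, "values": [entry["role"]]}],
        })
    return rules


def render_authorization_policy(rapp, app_label):
    """Assemble the AuthorizationPolicy a provider would get.
    app_label is a hypothetical workload label used as the policy selector."""
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": f"{app_label}-authz"},
        "spec": {
            "selector": {"matchLabels": {"app": app_label}},
            "action": "ALLOW",
            "rules": build_authorization_rules(rapp),
        },
    }


def is_request_allowed(claims, method, rapp):
    """Model the decision the provider's sidecar makes: allowed only if some role
    in the token grants this method. RequestAuthentication has already verified
    the token's signature and issuer before this check, so only claims are read."""
    token_roles = set(claims.get("realm_access", {}).get("roles", []))
    return any(
        entry["role"] in token_roles and method in entry["grants"]
        for entry in rapp["roles"]
    )


if __name__ == "__main__":
    print(select_templates(RAPP_PROVIDER))
    # Constructed claims, shaped like a Keycloak access token payload.
    viewer_claims = {"realm_access": {"roles": ["provider-viewer"]}}
    print(is_request_allowed(viewer_claims, "GET", RAPP_PROVIDER))     # True
    print(is_request_allowed(viewer_claims, "DELETE", RAPP_PROVIDER))  # False
```

Because the policy is ALLOW-only, a request whose token carries none of the configured roles matches no rule and is denied by the sidecar; that is the behaviour the last assertion in the model exercises.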

A rapp of type "invoker" only needs one Istio resource to be set up: the EnvoyFilter.

Template                  | Purpose
EnvoyFilter-template.txt  | Intercepts outgoing requests, calls the JWT retrieval script and inserts the JWT into the request header

The following code snippet shows how the script is called with the appropriate parameters:

Code Block
language: lua
title: Envoy (Lua filter excerpt from the EnvoyFilter template)
-- Runs in the invoker's sidecar for every outbound request.
function envoy_on_request(request_handle)
  -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
  -- The realm/client/authenticator/ns headers tell the jwt-proxy which Keycloak
  -- client to request a token for; the {{...}} placeholders are filled in by the installer.
  local headers, body = request_handle:httpCall(
    "jwt_cluster",
    {
      [":method"] = "GET",
      [":path"] = "/token",
      [":authority"] = "jwt-proxy",
      ["realm"] = "{{.Realm}}",
      ["client"] = "{{.Client}}",
      ["authenticator"] = "{{.Authenticator}}",
      ["ns"] = "{{.Namespace}}"
    },
    "jwt call",
    5000)  -- timeout in milliseconds
  -- Insert the retrieved JWT into the outgoing request.
  -- Assumption (not shown in the original excerpt): the proxy returns the raw token as the body.
  if body then
    request_handle:headers():add("Authorization", "Bearer " .. body)
  end
end

The following diagram illustrates the flow:

[Diagram: the flow described above]

The flow only applies when the sidecar has been injected.

This is configured in the MutatingWebhookConfiguration.yaml file.

Code Block
language: yml
title: MutatingWebhookConfiguration.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: jwt-proxy-webhook
  namespace: default   # cluster-scoped resource; this namespace field is ignored
webhooks:
  - name: rapps-webhook.default.svc.cluster.local
    admissionReviewVersions:
      - "v1beta1"
    sideEffects: "None"
    timeoutSeconds: 30
    # Only pods carrying this label are sent to the webhook for sidecar injection
    objectSelector:
      matchLabels:
        app.kubernetes.io/name: rapp-helloworld-invoker1
    # Assumed (not shown in the original excerpt): a v1 webhook also requires
    # clientConfig and rules; the service name is inferred from the webhook name above
    clientConfig:
      service:
        name: rapps-webhook
        namespace: default
        path: /mutate
      caBundle: <base64-encoded CA certificate placeholder>
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE"]

The objectSelector field determines which pods the webhook is applied to.
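Since the objectSelector is the only thing deciding whether an invoker pod gets the JWT-inserting sidecar, it is worth seeing exactly what it matches. The following added Python (not code from the repository) evaluates a Kubernetes label selector with the standard semantics for matchLabels and matchExpressions, which is more general than the single matchLabels entry on the page, and applies it to two constructed pod objects.

```python
"""Evaluate a Kubernetes label selector the way the API server does (added example)."""

# The objectSelector from MutatingWebhookConfiguration.yaml above.
WEBHOOK_OBJECT_SELECTOR = {
    "matchLabels": {"app.kubernetes.io/name": "rapp-helloworld-invoker1"},
}

SUPPORTED_OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}


def selector_matches(selector, labels):
    """Return True when every matchLabels entry and every matchExpressions entry
    holds for the given label map (Kubernetes ANDs them all). An empty selector
    matches everything, which is why a webhook should always set one."""
    labels = labels or {}
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        if op not in SUPPORTED_OPERATORS:
            raise ValueError(f"unsupported operator: {op!r}")
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False          # NotIn also matches when the key is absent
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def webhook_applies(pod, selector=WEBHOOK_OBJECT_SELECTOR):
    """True when the admission webhook (and so the sidecar injection) applies to this pod."""
    return selector_matches(selector, pod.get("metadata", {}).get("labels"))


# Constructed pod objects (only the fields the selector reads).
INVOKER_POD = {"metadata": {"name": "rapp-helloworld-invoker1-7c9d",
                            "labels": {"app.kubernetes.io/name": "rapp-helloworld-invoker1"}}}
UNLABELLED_POD = {"metadata": {"name": "keycloak-0",
                               "labels": {"app.kubernetes.io/name": "keycloak"}}}

if __name__ == "__main__":
    print(webhook_applies(INVOKER_POD))     # True
    print(webhook_applies(UNLABELLED_POD))  # False
```

A pod that is missing the label is silently skipped by the webhook, so an invoker deployed without app.kubernetes.io/name: rapp-helloworld-invoker1 sends requests without any JWT and is rejected by the provider's AuthorizationPolicy.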

Prerequisites

Istio

Istio should be installed on your cluster with the demo profile, and istioctl should be added to your $PATH variable.

...

To replicate these tests you will need to set up the various host paths referenced in the yaml files on your own machine:

YAML                     | Path
chartmuseum.yaml         | /var/chartmuseum/charts
keycloak.yaml            | /var/keycloak/certs
postgres.yaml            | /var/keycloak/data2
rapps-keycloak-mgr.yaml  | /var/rapps/certs
rapps-webhook.yaml       | /var/rapps/certs

or change them to match your own setup.

...