Security and Microservices

Content:

Overview
1 - Setup the work environment
2 - Setup Istio
3 - Istio Ingress gateway via HTTPS/TLS
4 - Setup Keycloak
5 - Deploy the microservices to K8s
6 - Strict mTLS
7 - Istio Authorization
8 - Authentication in the Vue.js frontend
9 - Authorization in Quarkus app
Setup locally

Overview

This workshop is an adaptation of the IBM Workshop "Get started with security for your Java Microservices application".

The IBM Workshop depends on preprovisioned Kubernetes clusters on the IBM Cloud, based on IBM Cloud Kubernetes Service (IKS). These clusters are not free to use; they incur costs.

Instead, this version of the workshop is based on Minikube running on your own workstation.


In this workshop you will learn how to get started with Application Security from two perspectives:

We will show you with an example application:

The exercises use an example application from our open source GitHub project Cloud Native Starter, built with Quarkus and Eclipse MicroProfile.

The following screenshot shows the web application. You have to log on to see the list of articles.

Architecture

The following diagram shows the architecture of the sample application. There is a Web-App service that serves the JavaScript/Vue.js code to the browser. The Web-App code running in the browser invokes a REST API of the Web-API microservice. The Web-API microservice in turn invokes a REST API of the Articles microservice.

To see the results in the web application, users need to be authenticated and they need to have the role `user`.

Objectives

After completing this workshop, you should understand the following application security topics:

Application security provided by the platform

Application security with Keycloak and Quarkus

Explaining every aspect of application security is outside the scope of this workshop.

Agenda

These are the sections of this workshop. Go through all of them in sequence:

The last section shows how to compile and run the application locally:

Compatibility

This workshop has been tested on the following platforms:

Technology Used

Credits