Ingress Configuration with PortX IAM Security
Requirements
- Service Principal and Roles Setup in IAM Portal: https://<tenant name>.piam.tenants.portx.io
- Ingress configuration through GitOps: apps/<application>/values.yaml
PIAM Security
Application owners and developers register their APIs together with the roles they expose, and create service principals with those roles assigned, so that access to backend APIs can be controlled per API and per role.
How to Fetch JWT Token (Bearer) Using Service Principal
Auth Token Endpoint
Application teams can set up the auth endpoint in their own tenants using a reverse proxy by routing to the PIAM URI.
PIAM Authentication Endpoint tailored to the Application Tenant
https://keycloak.piam.tenants.portx.io/realms/<tenant name>/protocol/openid-connect/token
Note: Please refer to the Rewrite Auth Endpoint section to shorten the token URL.
Example:
https://auth.<tenant>.tenants.portx.io/token
The endpoint accepts a POST call with client_id, client_secret, scope, and grant_type as body parameters.
For the scope, use the format <api name>:api:<env>, e.g. procapi:api:prod.
cURL Example
curl --location 'https://auth.piam.tenants.portx.io/realms/<tenant name>/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=<client id>' \
  --data-urlencode 'client_secret=<client secret>' \
  --data-urlencode 'scope=<scope>'
Inspect the token at: https://jwt.io (this decodes the claims but does not verify the signature, and a token pasted there leaves your environment; decode production tokens locally instead).
The token payload contains the claims used when writing Ingress Security rules. A rule can match on one of these claims or on any combination of them.
Example claims:
{
  "iss": "https://auth.piam.tenants.portx.io/realms/<tenant name>",
  "scope": "procapi:api:prod",
  "sub": "f7b4bec9-229c-4887-b71d-059714d4f539",
  "roles": ["admin"]
}
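The following is an added example, not code from the PortX documentation: it assembles the client_credentials request described above without sending it (so the body can be checked offline), optionally sends it, and decodes the payload of the returned JWT so the iss, scope, sub and roles claims can be read when writing ingress rules. The endpoint, client id, secret, tenant name and the sample token are constructed placeholders.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed placeholder (not a real PortX endpoint): use your tenant's token URL.
TOKEN_ENDPOINT = "https://auth.example-tenant.tenants.portx.io/token"


def build_token_request(endpoint, client_id, client_secret, api_name, env):
    """Assemble the POST described above for the client_credentials grant.

    The scope follows the documented format <api name>:api:<env>. The request is
    returned as url/headers/body rather than sent, so it can be inspected offline.
    Never log the returned body: it carries the client secret.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_name}:api:{env}",
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return {"url": endpoint, "headers": headers, "body": body}


def fetch_access_token(request):
    """Send the assembled request and return access_token from the JSON response (needs network)."""
    req = urllib.request.Request(
        request["url"], data=request["body"], headers=request["headers"], method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT without verifying the signature.

    This is only for reading claims while writing ingress rules; signature
    verification against the realm's keys is done by the gateway, not here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token carrying the example claims above, with a dummy
# signature: it is not issued by any realm and only exercises decode_jwt_claims().
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({
        "iss": "https://auth.piam.tenants.portx.io/realms/example-tenant",
        "scope": "procapi:api:prod",
        "sub": "f7b4bec9-229c-4887-b71d-059714d4f539",
        "roles": ["admin"],
    }),
    "dummy-signature",
])


if __name__ == "__main__":
    req = build_token_request(TOKEN_ENDPOINT, "my-client", "my-secret", "procapi", "prod")
    print(req["url"])
    print(decode_jwt_claims(SAMPLE_TOKEN))
```

To obtain a real token, pass the result of build_token_request() to fetch_access_token() and then feed the returned string to decode_jwt_claims(); the scope value in the body is form-encoded, so procapi:api:prod appears on the wire as procapi%3Aapi%3Aprod.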
Ingress Configuration (GitOps)
Pre-Requisites
The application must carry a label that enables Istio sidecar injection:
common:
  labels:
    sidecar.istio.io/inject: 'true'
In your Chart.yaml, add the ingress dependency or use the shared web-application chart:
apiVersion: v2
version: 1.0.10
name: quote
description: quote
dependencies:
  - name: ingress
    version: "0.9.0"
    repository: "@tenant-charts"
Ingress Values Configuration
ingress:
  application:
    name: <service name>
    virtualservice:
      enabled: true
      hosts:
        - <service name>.dev.<tenant>.tenants.portx.io
      corsPolicy:
        enabled: false # optional
      gateways:
        - default/<tenant>-gateway-public-dev
        - default/<tenant>-gateway-private-dev
      service: <service name>
      port: <service port>
      path: '<service path>'
Note:
- default/<tenant>-gateway-private-dev is reachable only via Tailscale.
- default/<tenant>-gateway-public-dev is publicly accessible.
PIAM Security (Auth & Authz)
To enable authentication and authorization, use a structure similar to the following example.
The authorization section is what actually restricts access: with policyAction ALLOW, a request is admitted only if it matches at least one rule (host, method, path and every claim condition under when), and a request that matches no rule is denied.
ingress:
  application:
    name: <service name>
    matchlabels:
      app: <service name>
    virtualservice:
      enabled: true
      service: <service name>
      port: <service port>
      path: '<service path>'
      gateways:
        - default/<tenant name>-gateway-public-dev
        - default/<tenant name>-gateway-private-dev
      hosts:
        - <service name>.dev.<tenant name>.tenants.portx.io
      corsPolicy:
        enabled: true
        allowOrigins:
          - cors_type: 'regex'
            cors_host: '.*.<tenant name>.tenants.portx.io'
        allowHeaders:
          - servicerid
          - content-type
          - authorization
          - x-token
          - x-origin
          - refresh-token
        allowMethods:
          - GET
          - POST
          - DELETE
          - PUT
          - OPTIONS
          - PATCH
        maxAge: 24h
        allowCredentials: ""
    authentication:
      enabled: true
      kc_host: keycloak.piam.tenants.portx.io
      kc_realms:
        - <tenant name>
    authorization:
      enabled: true
      policyAction: ALLOW
      rules:
        - tenant: <rule name>
          rules:
            - allowedPrincipals:
                - '*'
              allowedHosts: ["<api_endpoint>.dev.<tenant name>.tenants.portx.io"]
              allowedMethods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
              allowedPaths: ["/api/1.0/*"]
              when:
                request.auth.claims[iss]:
                  - https://keycloak.dev.piam.tenants.portx.io/realms/<tenant name>
                request.auth.claims[scope]:
                  - <api_name>:api:<env>
                request.auth.claims[roles]:
                  - admin
        - tenant: <rule name>
          rules:
            - allowedPrincipals:
                - '*'
              allowedHosts: ["<api_endpoint>.dev.<tenant name>.tenants.portx.io"]
              allowedMethods: ["GET"]
              allowedPaths: ["/api/1.0/*"]
              when:
                request.auth.claims[iss]:
                  - https://keycloak.dev.piam.tenants.portx.io/realms/<tenant name>
                request.auth.claims[scope]:
                  - <api_name>:api:<env>
                request.auth.claims[roles]:
                  - readonly
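The following is an added example, not part of the PortX chart: it evaluates rules in the shape shown above (an admin rule for all methods and a readonly rule for GET) against a request whose token claims have already been decoded, so you can check before committing values.yaml which tokens a rule set admits. It assumes the chart renders these rules into an Istio AuthorizationPolicy, so a when condition on a list-valued claim such as roles passes when any element is listed, path patterns ending in * are prefix matches, and an ALLOW policy admits only requests matching at least one rule. The tenant, hostname, scope, issuer and rule names are constructed placeholders.

```python
# Constructed placeholders; substitute your tenant, API endpoint and scope.
TENANT = "example-tenant"
HOST = f"orders.dev.{TENANT}.tenants.portx.io"
ISSUER = f"https://keycloak.dev.piam.tenants.portx.io/realms/{TENANT}"

# Python form of the authorization section above (policyAction ALLOW, two rules).
POLICY = {
    "policyAction": "ALLOW",
    "rules": [
        {"tenant": "admin-rule", "rules": [{
            "allowedPrincipals": ["*"],
            "allowedHosts": [HOST],
            "allowedMethods": ["GET", "POST", "PUT", "DELETE", "PATCH"],
            "allowedPaths": ["/api/1.0/*"],
            "when": {
                "request.auth.claims[iss]": [ISSUER],
                "request.auth.claims[scope]": ["orders:api:dev"],
                "request.auth.claims[roles]": ["admin"],
            },
        }]},
        {"tenant": "readonly-rule", "rules": [{
            "allowedPrincipals": ["*"],
            "allowedHosts": [HOST],
            "allowedMethods": ["GET"],
            "allowedPaths": ["/api/1.0/*"],
            "when": {
                "request.auth.claims[iss]": [ISSUER],
                "request.auth.claims[scope]": ["orders:api:dev"],
                "request.auth.claims[roles]": ["readonly"],
            },
        }]},
    ],
}


def _match(value, pattern):
    """Istio-style string match: '*' matches anything, 'abc*' is a prefix,
    '*abc' is a suffix, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def _claim_ok(claims, key, allowed):
    """key has the form request.auth.claims[<name>]; a scalar claim must equal one
    of the allowed values, a list claim passes if any element is allowed."""
    name = key[len("request.auth.claims["):-1]
    present = claims.get(name)
    if present is None:
        return False
    values = present if isinstance(present, list) else [present]
    return any(v in allowed for v in values)


def _rule_ok(rule, request):
    # allowedPrincipals ['*'] still requires an authenticated caller (a valid token).
    if rule.get("allowedPrincipals") and not request["claims"]:
        return False
    if rule.get("allowedHosts") and not any(_match(request["host"], p) for p in rule["allowedHosts"]):
        return False
    if rule.get("allowedMethods") and request["method"] not in rule["allowedMethods"]:
        return False
    if rule.get("allowedPaths") and not any(_match(request["path"], p) for p in rule["allowedPaths"]):
        return False
    # Every when condition must hold.
    return all(_claim_ok(request["claims"], k, v) for k, v in rule.get("when", {}).items())


def is_allowed(policy, request):
    """ALLOW semantics: (True, rule name) for the first matching rule, else (False, None)."""
    if policy.get("policyAction", "ALLOW") != "ALLOW":
        raise ValueError("this example only evaluates ALLOW policies")
    for group in policy["rules"]:
        if any(_rule_ok(r, request) for r in group["rules"]):
            return True, group["tenant"]
    return False, None


def make_request(method, path, claims=None, host=HOST):
    return {"host": host, "method": method, "path": path, "claims": claims or {}}


# Constructed decoded claims for three callers.
ADMIN_CLAIMS = {"iss": ISSUER, "scope": "orders:api:dev", "roles": ["admin"]}
READONLY_CLAIMS = {"iss": ISSUER, "scope": "orders:api:dev", "roles": ["readonly"]}
# Same roles and scope but issued by another tenant's realm: iss is an exact match
# and must reject it.
FOREIGN_CLAIMS = {"iss": ISSUER.replace(TENANT, "other-tenant"), "scope": "orders:api:dev", "roles": ["admin"]}

if __name__ == "__main__":
    print(is_allowed(POLICY, make_request("DELETE", "/api/1.0/orders/42", ADMIN_CLAIMS)))
    print(is_allowed(POLICY, make_request("DELETE", "/api/1.0/orders/42", READONLY_CLAIMS)))
    print(is_allowed(POLICY, make_request("GET", "/api/1.0/orders", FOREIGN_CLAIMS)))
```

The issuer check is the one most often wrong in practice: the value under request.auth.claims[iss] must equal the iss claim in the token character for character, including the realm path, or every request is denied even though the token is valid.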
Rewrite Auth Endpoint
PIAM's default token endpoint can be rewritten through a virtual service endpoint.
Example Rewrite
https://auth.<tenant>.tenants.portx.io/token
↓
https://keycloak.piam.tenants.portx.io/realms/<tenant name>/protocol/openid-connect/token
Chart.yaml
chart:
  name: ingress
  repo: 636674553584.dkr.ecr.us-west-2.amazonaws.com/charts
  releaseName: rewrite-auth-path
  namespace: dev
  version: 0.8.0
Values.yaml
application:
  name: rewrite-auth-path
  virtualservice:
    enabled: false
  ingressproxy:
    enabled: true
    hosts:
      - auth.dev.<tenant>.tenants.portx.io
    gateways:
      - default/<tenant>-gateway-private-dev
      - default/<tenant>-gateway-public-dev
    proxyhost: keycloak.piam.tenants.portx.io
    port: 443
    path: '/token'
    rewrite:
      path: "/realms/<tenant>/protocol/openid-connect/token"
    location: 'MESH_EXTERNAL'
    resolution: 'DNS'
    proxyports:
      - number: 443
        name: https
        protocol: TLS
    trafficpolicy:
      mode: SIMPLE