
oidc-secured-webhook v1.0.0

REST-Endpoint hinter Keycloak-OIDC-Auth (APISIX openid-connect-Plugin im bearer_only-Modus – Aufrufer müssen ein Keycloak-Access-Token des Realms mitsenden) leitet weiter an Camel-K → Kafka


Voraussetzungen

  • tenant camel-k crd integrations.camel.apache.org
  • tenant strimzi-kafka kafka events -n kafka
  • tenant apisix deploy apisix -n apisix
  • hub keycloak sts keycloak-keycloakx -n keycloak

Parameter

  • tenant *Pflicht
    schema: {"pattern": "^[a-z][a-z0-9-]{1,30}$", "type": "string"}
  • instance *Pflicht
    schema: {"pattern": "^[a-z][a-z0-9-]{1,30}$", "type": "string"}
  • route_uri default: /secure
    schema: {"pattern": "^/[a-z0-9/_-]+$", "type": "string"}
  • realm default: demo-realm – Hinweis: der Wert wird unverändert in den Vault-Pfad (…/hub/keycloak/<realm>-client) und in die Discovery-URL eingesetzt; das Schema erzwingt nur minLength 1, keinen Zeichensatz
    schema: {"minLength": 1, "type": "string"}
  • topic default: oidc-events – Hinweis: der Wert wird zugleich metadata.name der KafkaTopic-Ressource; dort sind Großbuchstaben und `_` nicht zulässig (DNS-1123), obwohl das Schema sie erlaubt
    schema: {"pattern": "^[a-zA-Z0-9._-]{1,249}$", "type": "string"}
  • client_id default: demo-app – Hinweis: wird von keiner der drei Komponenten ausgewertet; die APISIX-Route liest client_id und client_secret aus Vault
    schema: {"minLength": 1, "type": "string"}

Komponenten (3)

Phase 2 tenant declarative kafka-topic waitFor: kafka-topic-ready
# Phase 2, tenant-side: KafkaTopic for this recipe instance, attached to the
# Strimzi cluster `events` in the `kafka` namespace.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
  namespace: kafka
  # The topic name doubles as the Kubernetes object name, so it must also be a
  # valid DNS-1123 subdomain (lowercase, no `_`). The recipe's `topic` schema is
  # looser than that; such values are rejected by the API server at apply time.
  name: ${TOPIC}
  labels:
    strimzi.io/cluster: events
    ${RECIPE_LABELS}
spec:
  # 3 partitions x 3 replicas.
  replicas: 3
  partitions: 3
  config:
    # 1 GiB segments, 7 days retention (604800000 ms).
    segment.bytes: 1073741824
    retention.ms: 604800000
Phase 2 tenant declarative camel-integration waitFor: integration-ready
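# Phase 2, tenant-side: Camel K Integration that accepts POST ${ROUTE_URI}
# (proxied by APISIX), produces the request body to Kafka topic ${TOPIC} and
# answers with a small JSON acknowledgement.
apiVersion: camel.apache.org/v1
kind: Integration
metadata:
  name: ${INSTANCE}-producer
  namespace: ipaas-flows
  labels:
    ${RECIPE_LABELS}
spec:
  traits:
    service:
      # Exposed as a Service only (no Ingress); APISIX targets it on port 80.
      # NOTE(review): the OIDC check is enforced in the gateway, not here — any
      # in-cluster workload that can reach this Service bypasses authentication.
      # Restrict ingress to the apisix namespace with a NetworkPolicy (not part
      # of this recipe).
      enabled: true
    ingress:
      enabled: false
  flows:
    - from:
        uri: platform-http:${ROUTE_URI}
        parameters:
          # Exact path match; only POST is accepted, other methods are rejected.
          httpMethodRestrict: POST
        steps:
          # Security: the body is untrusted client input and may contain PII or
          # credentials. Dump it only at DEBUG instead of unconditionally at
          # INFO, so production logs do not capture every payload.
          - log:
              loggingLevel: DEBUG
              message: "${INSTANCE} INBOUND: ${body}"
          # NOTE(review): 9092 is usually Strimzi's plain (unauthenticated,
          # unencrypted) listener — confirm the `events` cluster's listener
          # configuration if the payloads are sensitive.
          - to:
              uri: kafka:${TOPIC}
              parameters:
                brokers: events-kafka-bootstrap.kafka.svc.cluster.local:9092
          # Response to the caller, set after the Kafka send has completed.
          - setHeader:
              name: Content-Type
              simple: application/json
          - setBody:
              constant: '{"status":"queued","topic":"${TOPIC}","instance":"${INSTANCE}"}'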
Phase 3 tenant imperative apisix-route
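#!/usr/bin/env bash
# Imperative component: APISIX route protected by the openid-connect plugin in
# bearer-only mode (callers must present a Keycloak access token of ${REALM}).
# Idempotent: PUT to /apisix/admin/routes/<id> creates or replaces the route.
#
# Inputs (environment, provided by the recipe engine):
#   TENANT, INSTANCE, REALM, ROUTE_URI, RECIPE_NAME, RECIPE_VERSION,
#   TENANT_KUBECONFIG
#
# Secrets (admin key, client secret) are read from Vault and are never written
# to disk: the route JSON, which embeds the client secret, is streamed to curl
# on stdin instead of going through a world-readable /tmp file.
set -euo pipefail

ROUTE_ID="${INSTANCE}-secure"
# Fixed local port for the admin-API port-forward. Two deployments running on
# the same host at the same time would collide here.
ADMIN_PORT=19180

ADMIN_KEY=$(vault kv get -field=api_key "secret/ipaas-platform/tenants/${TENANT}/apisix/admin")
CLIENT_SECRET=$(vault kv get -field=client_secret "secret/ipaas-platform/hub/keycloak/${REALM}-client")
CLIENT_ID_VAL=$(vault kv get -field=client_id "secret/ipaas-platform/hub/keycloak/${REALM}-client")

# Minimal JSON string escaping (backslash, double quote) for values that are
# interpolated into the route document below. TENANT/INSTANCE/ROUTE_URI are
# schema-restricted, but REALM is only minLength-validated and the Vault values
# are opaque, so they must not be able to break out of their JSON string.
json_str() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

# Port-forward output goes to a private temp file (mktemp, 0600) rather than a
# predictable /tmp path; it is removed together with the forwarder on exit.
PF_LOG=$(mktemp)
KUBECONFIG="$TENANT_KUBECONFIG" kubectl -n apisix port-forward svc/apisix-admin "${ADMIN_PORT}:9180" >"$PF_LOG" 2>&1 &
PF=$!
cleanup() {
  kill "$PF" 2>/dev/null || true
  rm -f "$PF_LOG"
}
trap cleanup EXIT

# Wait until the admin API actually answers instead of sleeping a fixed 3s;
# fail fast if the forwarder itself died (wrong kubeconfig, RBAC, no service).
ready=0
for ((i = 0; i < 30; i++)); do
  if ! kill -0 "$PF" 2>/dev/null; then
    echo "port-forward to svc/apisix-admin exited early:" >&2
    cat "$PF_LOG" >&2
    exit 1
  fi
  if curl -sf --max-time 2 -H "X-API-KEY: $ADMIN_KEY" \
      "http://127.0.0.1:${ADMIN_PORT}/apisix/admin/routes" >/dev/null 2>&1; then
    ready=1
    break
  fi
  sleep 1
done
if (( ready == 0 )); then
  echo "APISIX admin API not reachable on 127.0.0.1:${ADMIN_PORT} after 30s" >&2
  exit 1
fi

# Route definition. Security-relevant choices:
#  - methods: POST only. The Camel upstream restricts to POST anyway, so an
#    allowed GET would only be authenticated and then rejected upstream.
#  - ssl_verify: true. Discovery and JWKS are fetched from the issuer over TLS;
#    with verification disabled a MITM could serve forged keys and mint tokens
#    this route accepts. If the issuer uses a private CA, add it to APISIX's
#    trust store instead of turning verification off.
#  - bearer_only: true. No redirect-based login; missing/invalid token -> 401.
#  - No id/access/userinfo headers are forwarded to the upstream.
# NOTE(review): nothing in this config pins the token audience/azp — confirm
# whether the installed plugin version offers claim validation; otherwise any
# valid access token of realm ${REALM} is accepted. The issuer host is
# hard-coded; confirm it matches the hub Keycloak's issuer for this realm.
# -fsS: fail on HTTP errors (set -e then aborts) but still print curl's error.
curl -fsS -X PUT \
  -H "X-API-KEY: $ADMIN_KEY" \
  -H "Content-Type: application/json" \
  --data-binary @- \
  "http://127.0.0.1:${ADMIN_PORT}/apisix/admin/routes/${ROUTE_ID}" >/dev/null <<JSON
{
  "id": "${ROUTE_ID}",
  "name": "${INSTANCE}-keycloak-jwt",
  "uri": "${ROUTE_URI}",
  "methods": ["POST"],
  "labels": {
    "recipe.ipaas/name": "$(json_str "$RECIPE_NAME")",
    "recipe.ipaas/version": "$(json_str "$RECIPE_VERSION")",
    "recipe.ipaas/instance": "${INSTANCE}",
    "recipe.ipaas/tenant": "${TENANT}"
  },
  "plugins": {
    "openid-connect": {
      "discovery": "https://auth.ctva.it/realms/$(json_str "$REALM")/.well-known/openid-configuration",
      "client_id": "$(json_str "$CLIENT_ID_VAL")",
      "client_secret": "$(json_str "$CLIENT_SECRET")",
      "realm": "$(json_str "$REALM")",
      "bearer_only": true,
      "ssl_verify": true,
      "set_userinfo_header": false,
      "set_id_token_header": false,
      "set_access_token_header": false
    },
    "proxy-rewrite": {
      "uri": "${ROUTE_URI}"
    }
  },
  "upstream": {
    "type": "roundrobin",
    "scheme": "http",
    "nodes": {
      "${INSTANCE}-producer.ipaas-flows.svc.cluster.local:80": 1
    }
  }
}
JSON

echo "✓ APISIX-Route $ROUTE_ID (URI ${ROUTE_URI}) deployed"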

Deployed Instances (0)

Noch keine Instances deployed.