How can I read all users using keycloak and spring in openshift? - spring-boot

here i am trying to get a list with users from keycloak.
it works withe docker compose, but not in openshift?!
my application.property
keycloak.enabled=true
keycloak.realm=somname
keycloak.ssl-required=none
keycloak.resource=someapp
keycloak.public-client=true
keycloak.auth-server-url=${KEYCLOAK_AUTH-SERVER-URL:https://localhost/auth}
keycloak.disable-trust-manager=true
app.connectors.KeyCloakAdminConnector.serverUri=${KEYCLOAK_ADMIN-URL:http://idm.local:8081/auth}
app.connectors.KeyCloakAdminConnector.realm=${keycloak.realm}
app.connectors.KeyCloakAdminConnector.username=admin
app.connectors.KeyCloakAdminConnector.password=pass
app.connectors.KeyCloakAdminConnector.clientId=${keycloak.resource}

As a solution i changed the:
keycloak-admin-url: 'my-keycloak-route/auth'
in application.property to
keycloak-admin-url: 'http://myservice-keycloak-http:8080/auth'
so i change the connection between the Spring boot App and Keycloack from Rout-Object to a Service-Object.
its works because Service is not https. so i dont need to provide a certificate to JVM keytrust in the Spring boot App

Related

Spring security is interfering with actuator endpoint

I am using spring security in my microservice application, I also have actuator endpoint in place. Whenever I try to deploy my microservice and access the /actuator/prometheus URL it shows me the dialog box to enter Username and password. I want this to remove .
As described in the documentation (section named "Security")
If you deploy applications behind a firewall, you may prefer that all
your actuator endpoints can be accessed without requiring
authentication. You can do so by changing the
management.endpoints.web.exposure.include property, as follows:
management.endpoints.web.exposure.include=*

Spring Application (ear) on JBoss using keycloak

I have a spring application (not boot) that is deployed on a jboss 7.2.4 as an .ear file.
For security reasons I have to protect all REST-API ports that are provided by the application. For this our AD provides users and user groups to use.
As I cannot migrate the application into spring boot I have to use the existing spring/jboss installation and have to use keycloak for security handling.
I found no information how to use keycloak inside an jboss installation. Can anybody help? Is it possible at all?
Just configure an authorities converter to map authorities from keycloak roles and configure your authentication converter to use this authorities converter.
You can refer to this article for #Beans definition (yes, it is boot app, but it configures the two beans I'm talking about).

Spring Boot Actuator + Spring Boot Admin - Is there a way to define a custom management url?

Is there a way I can define the port for the management URLs (not the management.server.port) so that spring boot admin can identify the actuator URLs from the spring boot app for monitoring?
I'm running the spring boot app in a docker container and it's externally exposed on a different port using the Kubernetes NodePort.
If you are using service discovery for application lookup you could define the exposed management port in instance metadata. This metadata is used to build up the management URL.
More details documented here:
http://codecentric.github.io/spring-boot-admin/current/#spring-cloud-discovery-support
Handling is done in de.codecentric.boot.admin.server.cloud.discovery.DefaultServiceInstanceConverter
Example for Eureka:
eureka.instance.metadata-map.management.port=[K8S-EXPOSED-PORT]
If you are using Service Discovery, take a look into DefaultServiceInstanceConverter, try specifying the management.port property.
If you are not using Service Discovery, then take a look into de.codecentric.boot.admin.server.domain.values.Registration, you might need to use the builder apis to register your application correctly (try to set managementUrl properly). Note, you will need to do this in your client application (the one which is being monitored).

spring boot client app interaction with pcf config server backed by hashicorp vault?

I am working on spring boot app which will be deployed in pcf and it will use pcf config server service which is backed by hashicorp vault. What I would like to know is which dependencies I should be adding in my spring boot app other that spring-cloud-config-client. Do I need to add spring-cloud-vault, if yes then why does it need to be added if app only talks to config server? I would like to know how this end to end interaction works.

Netflix Arcaius serving as config service for multiple Spring Boot micro-services

I'm having a problem with how to use just Netflix Archaius to work as a config server for multiple Spring Boot microservices. Previously when I applied Eureka and Spring Cloud Config Server in my multiple-services project built with Spring Boot, each microservie would get its own .properties file from the Spring Cloud Config server through the discovery function of the Eureka service. But now I need to change the Spring Cloud Config Server into a Netflix Archaius service, from which the Spring Boot microservices will get .properties file, i have no idea about how to achieve it. Is there any good idea for my reference? Thanks in advance.
Finally I gave up using Netflix Archaius to pull properties file for microservices. Instead, I wrote down required key-value-pair properties into the application.properties of each springboot microservice. Since all the springboot microservices will be deployed in the DCOS platform in the form of docker containers, some inconstant properties were configured into the marathon deployment scripts, which could be populated into the springboot applet. In this way I managed to configure the key-value-pair properties from the outside instead of being hardcoded in the program codes.

Resources