In this blog series, I will develop a micro-service architecture, secure it, and deploy it on Red Hat OpenShift. OpenShift is an on-premises platform as a service built around Docker containers orchestrated and managed by Kubernetes.
If you have an enterprise monolithic application and are planning to migrate to a micro-service architecture using traditional Spring Boot, Red Hat OpenShift could be a game changer. It provides all the important hooks and products that are required for micro-service orchestration. I am trying to cover the complete micro-service setup on Red Hat OpenShift.
Below is the tech stack I am going to use:
- I will be using a Spring Boot project for the micro-services.
- Angular for the front end.
- Red Hat provides Keycloak, which I am using as the identity provider for Single Sign-On.
- I will be using Jenkins for CI/CD.
- Red Hat provides 3scale for the API gateway (although I am not much impressed by this product).
Below are the topics to cover:
- Micro-service Design & Architecture
- Securing Spring Boot Micro-service with Keycloak
- Jenkins Build Pipeline of the Micro-service in OpenShift
- Securing 3scale API Gateway
- Angular Integration with Keycloak and 3scale
Topics from the design below which I will not cover are:
- Spring Config Server
- Log management
Micro-service Design & Architecture
Below is the high-level design:
In the above design, we have secured all REST calls with Keycloak. I used 3scale for API management and an APIcast gateway for external-facing applications. There are multiple micro-services, which are grouped together under external and internal. External services are exposed via the gateway, whereas internal services are only meant for internal communication. Be it internal or external, all the calls are secured and are executed only when they are validated in Keycloak.
Here is the sequence of events that happens:
- The user requests one of the secured pages in the Angular app.
- The Angular app looks for the token in the request header; not finding one, it redirects to the Keycloak login page.
- The user enters credentials on the Keycloak login page, and Keycloak sends back a token to the Angular app.
- Angular passes this token to 3scale or the APIcast gateway, which validates the token and passes the request on to the micro-services.
- The spring-security Keycloak adapter in the Spring Boot app also validates the token and gives back the appropriate response.
- We will be keeping all the Spring Boot configuration details in Spring Config Server.
- We will have Zipkin for distributed tracing and Elastic Logstash and Kibana for logging.
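The token validation that both the gateway and each micro-service perform in the sequence above can be sketched as follows. This is an added Node.js example, not code from this series or from Keycloak, 3scale or the Spring adapter; it assumes the token is an RS256-signed JWT, and the issuer URL, the audience value, the generated key pair and the helper names (mintToken, validateToken) are constructed for illustration.

```javascript
// Added example (not the blog's code). Key, issuer and audience are constructed.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

const ISSUER = "https://keycloak.example.test/realms/recipe"; // assumed realm URL
const AUDIENCE = "recipe-service"; // assumed audience value
// Stand-in for the realm signing key; a real service obtains the public half
// from the identity provider instead of generating it.
const realmKey = generateKeyPairSync("rsa", { modulusLength: 2048 });

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Test helper: mint a signed token the way the identity provider would.
function mintToken(claims, header = { alg: "RS256", typ: "JWT" }) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = header.alg === "RS256"
    ? sign("sha256", Buffer.from(input), realmKey.privateKey)
    : Buffer.alloc(0); // unsigned token, used to exercise the alg check
  return `${input}.${sig.toString("base64url")}`;
}

// Checks applied at each hop before the request is trusted.
function validateToken(token, { publicKey, issuer, audience, now }) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = dec(parts[0]);
    claims = dec(parts[1]);
    if (!header || !claims) throw new Error("empty segment");
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm: never let the token choose how it is verified.
  if (header.alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], "base64url");
  if (!verify("sha256", signed, publicKey, sig)) return { ok: false, reason: "bad signature" };
  if (claims.iss !== issuer) return { ok: false, reason: "wrong issuer" };
  if (![].concat(claims.aud ?? []).includes(audience)) return { ok: false, reason: "wrong audience" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

const now = Math.floor(Date.now() / 1000);
const token = mintToken({ iss: ISSUER, aud: AUDIENCE, exp: now + 300, sub: "user-1" });
console.log(validateToken(token, { publicKey: realmKey.publicKey, issuer: ISSUER, audience: AUDIENCE, now }));
```

Running the same checks at the gateway and again in the service means an internal caller that bypasses the gateway still cannot present an unsigned, expired or wrongly addressed token.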
I will be applying the above design in building my Recipe Book. My Recipe Book will have the features below:
- Retrieve my account profile
- Create ingredients and list all ingredients
- Create a recipe with those added ingredients and show an approximate cost of the recipe.
The app is still under development; however, I will be mainly focusing on the setup of the aforementioned design.
High level functionalities
Dashboard without login:
On clicking Login, the page redirects to the Keycloak login page:
The login happens on the Keycloak server, so the application itself never handles the user's credentials. After login, the page redirects back to the home page, which now shows the Create recipe page:
The Ingredients tab has a list of ingredients section:
We will create an ingredient first:
Now we will create a recipe:
Description with the cost of the recipe:
Clicking My Account displays the profile details:
The design in 1.2 can be redrawn as below for ease of understanding:
recipe-service handles creating and listing recipes.
cost-service provides the cost of the recipe. recipe-service invokes cost-service to retrieve the cost of the recipe. Profile details come from profile-service.
In the next section we will see how we can secure the above micro-services with Keycloak.