container-native-spring-postgresql
container-native-spring-postgresql copied to clipboard
Published
20 hours ago •
redhat-cop
redhat-cop
Container Native Microservices with OpenShift Sample Application
This tutorial shows the steps to install and run a Spring Boot microservice with PostgreSQL in a container-native way.
This sample application is comprised of:
- Spring Boot 1.5 with RHOAR for microservices (In Progress)
- Red Hat SSO 7.1 (a.k.a. Keycloak 2.5.5) for user management, authentication with JWT
- Scalable, High Availability configuration using Kube Ping
- Persistence with PostgreSQL
- Pre-configured Realms for quick setup (TODO)
- Istio 0.4 (latest) for service mesh and security (In Progress)
- Injection of Envoy/Istio sidecar proxy into microservice pod
- Authorization of web service access via JWT and SSO with Istio Mixer rule
- Mutual TLS
- Microsegmentation Rules (TODO)
- Prometheus (Istio Integration)
- Zipkin (Istio Integration)
- Grafana (Istio Integration)
- Service Graph (Istio Integration)
- Hashicorp Vault for managing secrets (In Progress)
- Crunchy Operator for High Availability PostgreSQL (In Progress)
The application has the following architecture:
Assumptions:
- You have an OpenShift Container Platform cluster >= 3.7
- You have dynamic volume provisioning available (it's possible to use static provisioning provided that you have enough volumes)
- You are running the network policy plugin.
- To enable the network policy plugin on Minishift use:
./minishift openshift config set --patch='{"networkConfig":{"networkPluginName":"redhat/openshift-ovs-networkpolicy"}}
- To enable the network policy plugin on Minishift use:
Here are the steps for the installation:
| Step | Architcture |
|---|---|
| 1. Deploy the Crunchy Postgres operator |  |
| 2. Deploy Postgres in HA |  |
| 3. Deploy Hashicorp Vault |  |
| 4. Configure Vault to use Kubernetes backend authentication |  |
| 5. Configure Vault to manage the postgresql DB |  |
| 6. Configure application to use Vault to retrieve the postgresql account |  |
| 7. RH SSO installation |  |
| 8. Istio core installation |  |
| 9. Configure app to use Istio |  |
| 10. Configure Istio to do Mutual TLS authentication |  |
| 11. Configure istio to do OAuth Authentication via RH SSO |  |
| 12. Istio Add-ons installation (prometheus, Jaeger) |  |
| 13. Configure microsegmentation |  |
| 14. Build and deploy the application |  |
POC Outcome (as of 2/1/2018)
| technology | production ready | comments |
|---|---|---|
| RHOAR | yes | the maven plugin may not be fitting for all use cases |
| HA database running in openshift | yes | - HA templates to be developed with the customer - day 2 operations still not container native |
| postgres operator | no | main reason: lack of integration with enterprise security, it's in the roadmap to solve this |
| Vault | yes | |
| RH SSO | yes | |
| istio | no | privileged scc permission needs to be given to all pods running in the mesh |
| Application managed OAuth | yes | |
| Istio managed OAuth | no | seems a very frail configuration at this point, future versions of Istio may solve this issue |
| Istio managed mTLS | yes | more testing required |
| microsegmentation | N/A | not completed at this point |
redhat-cop