PostgreSQL External Service Proxy, and Keycloak JWT

[jodom1979]

Overview

I'm still somewhat new to Istio and have a bit of a weird setup that is mostly working. I would like to use my Istio service mesh to as a DB proxy (that part works), where I'm stuck is getting JWT working with Keycloak.

Pretty sure the RequestAuthentication and AuthorizationPolicy are the issue. If I remove the AuthorizationPolicy, traffic works without authentication. If I enable it, it fails.

It's possible that it has the correct config, but potentially the issue is where I'm trying to add JWT to a header that is TCP and not HTTP(s). From the examples I've see, to enable the packet to be respected by the AuthorizationPolicy, it needs to have the JWT token in the header. But I'm not sure I have a way of embedding the token with Postgres.

Notes:

• I can query and pull the Keycloak token via curl to the API using client-id and secret.
• Python test script shows a successful auth to Keycloak but fails on DB connection.
  • If I remove the AuthorizationPolicy it works.
• Works with a regular http service, like a plain website.

Any ideas would be appreciated!

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: postgres-destination-rule
  namespace: istio-ingress
spec:
  host: db.host.com

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: postgres-external
  namespace: istio-ingress
  labels:
    app: istio-ingress
spec:
  hosts:
  - db.host.com
  ports:
  - number: 5432
    name: tcp
    protocol: TCP
  resolution: DNS
  location: MESH_EXTERNAL

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: postgres-gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingress
  servers:
  - port:
      number: 5432
      name: postgres
      protocol: TCP
    hosts:
    - "inbound.db.ingress.com"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: postgres-vs
  namespace: istio-ingress
spec:
  hosts:
  - "inbound.db.ingress.com"
  gateways:
  - postgres-gateway
  tcp:
  - match:
    - port: 5432
    route:
    - destination:
        host: db.host.com
        port:
          number: 5432

---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: keycloak-auth
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      app: istio-ingress
  jwtRules:
  - forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload
    issuer: "https://keycloak.host.global/realms/realm"
    jwksUri: "https://keycloak.host.global/realms/realm/protocol/openid-connect/certs"

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-jwt
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      app: istio-ingress
  action: ALLOW
  rules:
  - from: 
    - source:
        requestPrincipals: ["*"]

Testing Script:

import requests
import psycopg2
import psycopg2.extras
import logging

# Configure logging
logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger(__name__)

# Keycloak authentication details
keycloak_url = 'https://keycloak.host.global/realms/realm/protocol/openid-connect/token'
keycloak_client_id = 'clientid'
keycloak_client_secret = ''
keycloak_username = ''
keycloak_password = ''

# PostgreSQL connection details
pg_host = 'inbound.db.ingress.com'
pg_port = 5432
pg_dbname = 'databasename'
pg_user = 'username'
pg_password = ''

try:
    # Authenticate with Keycloak
    logger.debug('Authenticating with Keycloak...')
    keycloak_data = {
        'grant_type': 'password',
        'client_id': keycloak_client_id,
        'client_secret': keycloak_client_secret,
        'username': keycloak_username,
        'password': keycloak_password,
    }

    response = requests.post(keycloak_url, data=keycloak_data)
    response.raise_for_status()
    token = response.json()['access_token']
    logger.debug('Successfully authenticated with Keycloak.')

    # Headers for Istio service (if needed for HTTP requests to Istio services)
    headers = {
        'Authorization': f'Bearer {token}',
    }

    # Connect to PostgreSQL
    logger.debug('Connecting to PostgreSQL...')
    conn = psycopg2.connect(
        host=pg_host,
        port=pg_port,
        dbname=pg_dbname,
        user=pg_user,
        password=pg_password,
        sslmode='require'
    )
    logger.debug('Successfully connected to PostgreSQL.')

    # Example query to get PostgreSQL version
    with conn.cursor(cursor_factory=psycopg2.extras.DictCursor) as cursor:
        cursor.execute("SELECT version();")
        version = cursor.fetchone()
        logger.info("PostgreSQL version: %s", version)

    # Query to list all databases
    list_databases_query = "SELECT datname FROM pg_database;"

    with conn.cursor(cursor_factory=psycopg2.extras.DictCursor) as cursor:
        cursor.execute(list_databases_query)
        databases = cursor.fetchall()
        logger.info("Databases:")
        for db in databases:
            logger.info(db['datname'])

    # Close the connection
    conn.close()
    logger.debug('PostgreSQL connection closed.')

except requests.exceptions.RequestException as e:
    logger.error('Error during Keycloak authentication: %s', e)
except psycopg2.OperationalError as e:
    logger.error('Error during PostgreSQL connection: %s', e)
except Exception as e:
    logger.error('An unexpected error occurred: %s', e)