tomasdavidorg commented on code in PR #1902:
URL:
https://github.com/apache/incubator-kie-kogito-examples/pull/1902#discussion_r1551311638
##########
serverless-operator-examples/sonataflow-apisix-oidc/README.md:
##########
@@ -0,0 +1,124 @@
+# SonataFlow Authentication and Authorization with Keycloak and APISIX
+
+## Installing Keycloak
+
+Install Keycloak with PostgreSQL:
+
+```shell
+kubectl create ns keycloak
+kubectl kustomize manifests/bases | kubectl apply -f - -n keycloak
+```
+
+### Exposing Keycloak
+
+```shell
+# Let's use kubectl port-forward to equalize the Keycloak endpoint URI so
APISIX and your local env access Keycloak using the same URL
+# This method works even in Windows/Darwin where Podman/Docker won't give
access to the internal network
+# Hence, we must rely on tunnel/port-forward
+kubectl port-forward $(kubectl get pods -l app=myapp
--output=jsonpath='{.items[*].metadata.name}') 8080:8080 -n keycloak
+```
+
+Edit your `/etc/hosts` file to access Keycloak using the same DNS name:
+
+```shell
+sudo vi /etc/hosts
+```
+
+Then add this line to the file:
+
+```127.0.0.1 keycloak.keycloak.svc.cluster.local```.
+
+Now, you can access the Keycloak application via
[http://keycloak.keycloak.svc.cluster.local:8080](http://keycloak.keycloak.svc.cluster.local:8080)
+
+This is the same endpoint we will configure the APISIX Route. This is an
important step since the token must be generated and validated by the same OIDC
server and the host is part of the token validation.
+
+### Authenticating
+
+Using the above URL, you can try requesting a token using [Grant Type
Password](https://www.keycloak.org/docs/23.0.7/securing_apps/#_resource_owner_password_credentials_flow).
+
+```shell
+curl \
+ -d "client_id=apisix-ingress" \
+ -d "client_secret=kDb8jS1asUOxYjDJb3bUaimzUen9PRD4" \
+ -d "username=zanini" \
+ -d "password=zanini" \
+ -d "grant_type=password" \
+
"http://keycloak.keycloak.svc.cluster.local:8080/realms/sonataflow/protocol/openid-connect/token
+```
+
+## Installing APISIX
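Review bot: The `curl` example under "### Authenticating" hard-codes a concrete `client_secret` for the `apisix-ingress` client together with the `zanini`/`zanini` user credentials. If that value is what the realm provisioned from `manifests/bases` actually uses, every deployment of this example shares a confidential-client secret that is public in the repository. Suggest a placeholder such as `-d "client_secret=${CLIENT_SECRET}"` with a sentence on where to read the value from Keycloak, or an explicit statement that these are demo-only credentials that must be changed before the realm is reused anywhere else. In the same command, the token URL on the last line opens a double quote that is never closed, so the command will not run as pasted; add the closing `"` after `/protocol/openid-connect/token`.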
Review Comment:
Shouldn't we also mention how to add the apisix repo?
```
helm repo add apisix https://charts.apiseven.com
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.