This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 7bf2346ad1b CAMEL-21879: Run camel-oauth examples on openshift (#17524)
7bf2346ad1b is described below
commit 7bf2346ad1bc79ac3ebea8f0820245269531cbe8
Author: Thomas Diesler <tdies...@redhat.com>
AuthorDate: Thu Apr 3 10:28:08 2025 +0200
CAMEL-21879: Run camel-oauth examples on openshift (#17524)
CAMEL-21878: Run camel-oauth examples on remote k8s cluster
---
components/camel-oauth/README.md | 147 --------------
components/camel-oauth/helm/README.md | 216 +++++++++++++++++++++
components/camel-oauth/helm/etc/cluster.crt | 64 +++---
components/camel-oauth/helm/etc/cluster.key | 100 +++++-----
components/camel-oauth/helm/etc/san.cnf | 6 +-
.../{traefik-secret.yaml => backdoor.yaml} | 33 ++--
components/camel-oauth/helm/templates/kafka.yaml | 24 +--
.../camel-oauth/helm/templates/keycloak.yaml | 68 ++++---
.../{traefik-secret.yaml => traefik-tls.yaml} | 0
components/camel-oauth/helm/templates/whoami.yaml | 17 +-
components/camel-oauth/helm/values-kafka.yaml | 5 +-
...eycloak.yaml => values-keycloak-openshift.yaml} | 8 +-
components/camel-oauth/helm/values-keycloak.yaml | 6 +-
...traefik-secret.yaml => values-traefik-tls.yaml} | 6 +-
components/camel-oauth/helm/values-whoami.yaml | 5 +-
.../camel-oauth/src/main/docs/oauth-component.adoc | 171 ++++++++++++++++
.../main/java/org/apache/camel/oauth/OAuth.java | 18 +-
.../camel/oauth/OAuthBearerTokenProcessor.java | 6 +-
.../oauth/OAuthClientCredentialsProcessor.java | 6 +-
.../apache/camel/oauth/OAuthCodeFlowCallback.java | 2 +-
.../apache/camel/oauth/OAuthCodeFlowProcessor.java | 6 +-
.../apache/camel/oauth/jakarta/ServletOAuth.java | 10 +-
.../org/apache/camel/oauth/vertx/VertxOAuth.java | 9 +-
.../camel-oauth/src/test/resources/index.html | 2 +-
.../camel-oauth/src/test/resources/protected.html | 2 +-
.../modules/others/pages/oauth-component.adoc | 1 +
26 files changed, 600 insertions(+), 338 deletions(-)
diff --git a/components/camel-oauth/README.md b/components/camel-oauth/README.md
deleted file mode 100644
index 690c1b4f5da..00000000000
--- a/components/camel-oauth/README.md
+++ /dev/null
@@ -1,147 +0,0 @@
-
-# Camel OAuth (Preview)
-
-The camel-oauth module comes with a set of Processors that can be added to a
route on the client and resource owner side
-like
[this|https://github.com/tdiesler/camel-cloud-examples/blob/main/camel-main/platform-http-oauth/platform-http-files/platform-http-route.yaml]
...
-
-## Supported OIDC, OAuth functionality
-
-* OIDC Authentication using Authorization Code Flow (OAuthCodeFlowProcessor,
OAuthCodeFlowCallbackProcessor)
-* OAuth Client Credentials Grant (OAuthClientCredentialsProcessor,
OAuthBearerTokenProcessor)
-* Identity Provider (Keycloak only) logout (OAuthLogoutProcessor)
-
-For details, see these specs ...
-
-* [OAuth 2.0|https://datatracker.ietf.org/doc/html/rfc6749]
-* [OIDC 1.0|https://openid.net/specs/openid-connect-core-1_0.html]
-
-Our Identity Provider (Keycloak) can be deployed to a local k8s cluster with a
[helm chart|./helm] that comes with this project.
-
-Respective jbang projects live
[here|https://github.com/tdiesler/camel-cloud-examples/tree/main/camel-main]
-
-For Kafka we use strimzi kafka-oauth-client directly, which is documented
[here|https://github.com/tdiesler/camel-cloud-examples/blob/main/camel-main/kafka-oauth/kafka-oauth-route.yaml].
-
-## Ingress with Traefik
-
-An Identity Provider should only be accessed with transport layer security
(TLS) in place. This is in the nature
-of communicating privacy/security sensitive data over any communication
channel.
-
-Therefore, we place Keycloak behind an TLS terminating proxy (Traefik). It has
the advantage that any traffic
-(i.e. not only for Keycloak) can be secured at ingress level.
-
-https://doc.traefik.io/traefik/
-
-```
-helm repo add traefik https://traefik.github.io/charts
-helm repo update
-helm install traefik traefik/traefik
-```
-
-## Ingress TLS Certificate
-
-```
-# Generate TLS Certificate
-openssl req -x509 -newkey rsa:4096 -keyout ./helm/etc/cluster.key -out
./helm/etc/cluster.crt -days 365 -nodes -config ./helm/etc/san.cnf
-
-# Import TLS Certificate to Java Keystore (i.e. trust the certificate)
-sudo keytool -import -alias keycloak -file ./helm/etc/cluster.crt -keystore
$JAVA_HOME/lib/security/cacerts -storepass changeit
-
-# Remove TLS Certificate from Java Keystore
-sudo keytool -delete -alias keycloak -keystore $JAVA_HOME/lib/security/cacerts
-storepass changeit
-```
-
-### Verify with TLS access
-
-```
-helm upgrade --install traefik-secret ./helm -f
./helm/values-traefik-secret.yaml
-helm upgrade --install whoami ./helm -f ./helm/values-whoami.yaml
-```
-
-https://cluster.local/who
-
-## Keycloak as the Identity Provider
-
-Currently, we use Keycloak as OIDC Provider - Hashicorp Vault is underway.
-
-Keycloak can be configured/deployed via Helm like this...
-
-```
-kubectl config use-context docker-desktop \
- && helm upgrade --install keycloak ./helm -f ./helm/values-keycloak.yaml \
- && kubectl wait --for=condition=Ready pod -l
app.kubernetes.io/name=keycloak --timeout=20s \
- && kubectl logs --tail 400 -f -l app.kubernetes.io/name=keycloak
-
-helm uninstall keycloak
-```
-
-https://keycloak.local/kc
-
-Admin: admin/admin
-User: alice/alice
-
-### Keycloak Admin Tasks
-
-Create realm 'camel' if not already imported
-
-```
-kcadm config credentials --server https://keycloak.local/kc --realm master
--user admin --password admin
-
-kcadm create realms -s realm=camel -s enabled=true
-
-kcadm create clients -r camel \
- -s clientId=camel-client \
- -s publicClient=false \
- -s standardFlowEnabled=true \
- -s serviceAccountsEnabled=true \
- -s "redirectUris=[\"http://127.0.0.1:8080/auth\"]"; \
- -s "attributes.\"post.logout.redirect.uris\"=\"http://127.0.0.1:8080/\"";
-
-clientId=$(kcadm get clients -r camel -q clientId=camel-client --fields id
--format csv --noquotes)
-kcadm update clients/${clientId} -r camel -s secret="camel-client-secret"
-
-kcadm create users -r camel \
- -s username=alice \
- -s email=al...@example.com \
- -s emailVerified=true \
- -s firstName=Alice \
- -s lastName=Brown \
- -s enabled=true
-
-userid=$(kcadm get users -r camel -q username=alice --fields id --format csv
--noquotes)
-kcadm set-password -r camel --userid=${userid} --new-password alice
-
-kcadm delete realms/camel -r master
-```
-
-Show realm, client, user configuration
-
-```
-kcadm get realms | jq -r '.[] | select(.realm=="camel")'
-
-kcadm get clients -r camel | jq -r '.[] | select(.clientId=="camel-client")'
-
-kcadm get users -r camel | jq -r '.[] | select(.username=="alice")'
-```
-
-## Kafka on Kubernetes
-
-### Extract the Keycloak cert
-
-In this configuration, Keycloak is deployed behind Traefik, which is our TLS
terminating proxy.
-The domain `keycloak.local` is mapped to an actual IP in `/etc/hosts`.
-
-```
-echo -n | openssl s_client -connect keycloak.local:443 -servername
keycloak.local | openssl x509 > keycloak.crt
-cat keycloak.crt | openssl x509 -noout -text
-```
-
-Deploy a single node Kafka cluster
-
-```
-kubectl config use-context docker-desktop \
- && helm upgrade --install kafka ./helm -f ./helm/values-kafka.yaml \
- && kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=kafka
--timeout=20s \
- && kubectl logs --tail 400 -f -l app.kubernetes.io/name=kafka
-
-helm uninstall kafka
-```
diff --git a/components/camel-oauth/helm/README.md
b/components/camel-oauth/helm/README.md
new file mode 100644
index 00000000000..6563035d3c2
--- /dev/null
+++ b/components/camel-oauth/helm/README.md
@@ -0,0 +1,216 @@
+# Local Kubernetes Cluster
+
+To keep the entry barrier for Camel OAuth low, we initially deploy Keycloak as
our Identity Provider on Docker Desktop Kubernetes.
+This is a single node Kubernetes cluster running on localhost.
+
+## Ingress with Traefik
+
+Keycloak should only be accessed with transport layer security (TLS) in place.
This is in the nature
+of exchanging privacy/security sensitive data over any channel.
+
+Here we place Keycloak behind a TLS terminating proxy (Traefik). It has the
advantage that any traffic
+(i.e. not only for Keycloak) can be secured at ingress level.
+
+https://doc.traefik.io/traefik/
+
+```
+helm repo add traefik https://traefik.github.io/charts
+helm repo update
+helm install traefik traefik/traefik
+```
+
+Once Traefik is installed, we create a Kubernetes TLS 'secret'.
+
+In case you'd like to regenerate the TLS certificate and key, do this ...
+Also, a Java app that wants to access Keycloak over TLS, must trust that
certificate.
+
+```
+# Generate TLS Certificate
+openssl req -x509 -newkey rsa:4096 -keyout ./helm/etc/cluster.key -out
./helm/etc/cluster.crt -days 365 -nodes -config ./helm/etc/san.cnf
+
+# Show Certificate
+cat ./helm/etc/cluster.crt | openssl x509 -noout -text
+
+# Import TLS Certificate to Java Keystore (i.e. trust the certificate)
+sudo keytool -import -alias keycloak -file ./helm/etc/cluster.crt -keystore
$JAVA_HOME/lib/security/cacerts -storepass changeit
+
+# Remove TLS Certificate from Java Keystore
+sudo keytool -delete -alias keycloak -keystore $JAVA_HOME/lib/security/cacerts
-storepass changeit
+
+# Trust this cert on macOS
+sudo security add-trusted-cert -d -r trustRoot -k
/Library/Keychains/System.keychain ./helm/etc/cluster.crt
+
+# Trust this cert on Rock9
+sudo cp ./helm/etc/cluster.crt /etc/pki/ca-trust/source/anchors/ && sudo
update-ca-trust
+```
+
+Once we have the TLS certificate, we can install the TLS secret like this ...
+
+```
+helm upgrade --install traefik-tls ./helm -f ./helm/values-traefik-tls.yaml
+```
+
+... and verify that TLS access is working
+
+```
+helm upgrade --install whoami ./helm -f ./helm/values-whoami.yaml
+```
+
+https://example.local/who
+
+Note, the domains `example.local` and `keycloak.local` are mapped to an actual
IP in `/etc/hosts`.
+
+## Installing Keycloak
+
+Using Helm, we can install a pre-configured instance of Keycloak behind
Traefik like this ...
+
+```
+helm upgrade --install keycloak ./helm -f ./helm/values-keycloak.yaml \
+ && kubectl wait --for=condition=Ready pod -l
app.kubernetes.io/name=keycloak --timeout=20s \
+ && kubectl logs --tail 400 -f -l app.kubernetes.io/name=keycloak
+
+helm uninstall keycloak
+```
+
+https://keycloak.local/kc
+
+Admin: admin/admin
+User: alice/alice
+
+You should now be able to examine the 'camel' realm and its pre-configured
clients.
+
+Note, in case you see `NoSuchAlgorithmException: RSA-OAEP`, we can disable
that [like this](https://github.com/tdiesler/camel-cloud-examples/issues/16).
+
+### Keycloak Configuration
+
+Create realm 'camel' if not already imported
+
+```
+kcadm config credentials --server https://keycloak.local/kc --realm master
--user admin --password admin
+
+kcadm create realms -s realm=camel -s enabled=true
+
+kcadm create clients -r camel \
+ -s clientId=camel-client \
+ -s publicClient=false \
+ -s standardFlowEnabled=true \
+ -s serviceAccountsEnabled=true \
+ -s "redirectUris=[\"http://127.0.0.1:8080/auth\"]"; \
+ -s "attributes.\"post.logout.redirect.uris\"=\"http://127.0.0.1:8080/\"";
+
+clientId=$(kcadm get clients -r camel -q clientId=camel-client --fields id
--format csv --noquotes)
+kcadm update clients/${clientId} -r camel -s secret="camel-client-secret"
+
+kcadm create users -r camel \
+ -s username=alice \
+ -s email=al...@example.com \
+ -s emailVerified=true \
+ -s firstName=Alice \
+ -s lastName=Brown \
+ -s enabled=true
+
+userid=$(kcadm get users -r camel -q username=alice --fields id --format csv
--noquotes)
+kcadm set-password -r camel --userid=${userid} --new-password alice
+
+kcadm delete realms/camel -r master
+```
+
+Show realm, client, user configuration
+
+```
+kcadm get realms | jq -r '.[] | select(.realm=="camel")'
+
+kcadm get clients -r camel | jq -r '.[] | select(.clientId=="camel-client")'
+
+kcadm get users -r camel | jq -r '.[] | select(.username=="alice")'
+```
+
+## Installing Kafka
+
+We can install a single node Kafka cluster like this
+
+```
+helm upgrade --install kafka ./helm -f ./helm/values-kafka.yaml \
+ && kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=kafka
--timeout=20s \
+ && kubectl logs --tail 400 -f -l app.kubernetes.io/name=kafka
+
+helm uninstall kafka
+```
+
+# Remote Kubernetes Cluster
+
+Next level up, we run a single node cluster that we access remotely -
[K3S](https://k3s.io/) is an excellent choice for that.
+
+Once K3s is running, we can use [Lens](https://k8slens.dev/),
[kubectx](https://github.com/ahmetb/kubectx) or plain `kubectl config` for
context switching to k3s.
+
+As above, we need to install the TLS secret
+
+```
+helm upgrade --install traefik-tls ./helm -f ./helm/values-traefik-tls.yaml
+```
+
+... and then Keycloak
+
+```
+helm upgrade --install keycloak ./helm -f ./helm/values-keycloak.yaml \
+ && kubectl wait --for=condition=Ready pod -l
app.kubernetes.io/name=keycloak --timeout=20s \
+ && kubectl logs --tail 400 -f -l app.kubernetes.io/name=keycloak
+
+helm uninstall keycloak
+```
+
+https://keycloak.k3s/kc
+
+## Modifying CoreDNS
+
+Unlike DockerDesktop Kubernetes, pods deployed on K3S do not see /etc/hosts
from the host system. Instead, K3S uses
+CoreDNS to resolve host names, which we can use to add the required mapping.
+
+```
+kubectl -n kube-system edit configmap coredns
+
+ Corefile: |
+ .:53 {
+ ...
+ hosts /etc/coredns/NodeHosts {
+ <host-ip> keycloak.k3s
+ ttl 60
+ reload 15s
+ fallthrough
+ }
+```
+
+Please let us know, when there is a better way to provide a host mapping such
that traffic goes through the Keycloak
+IngressRoute, which references our custom TLS certificate.
+
+## Private Registry
+
+Most of our examples reference images that are deployed to the private
registry of the given cluster (i.e. these images
+are not available in public registries).
[camel-cloud-examples](https://github.com/tdiesler/camel-cloud-examples/tree/main)
+provides [Ansible
playbooks](https://github.com/tdiesler/camel-cloud-examples/tree/main/ansible)
that show how ton install
+a private registry in K3S. There is also some documentation in K3S
[directly](https://docs.k3s.io/installation/private-registry).
+
+# OpenShift
+
+First, we create a new project on the OpenShift cluster
+
+```
+oc new-project camel
+```
+
+## Installing Keycloak
+
+```
+export OPENSHIFT_HOSTNAME=apps.rosa.nxus7-dbdhd-pp7.vxfp.p3.openshiftapps.com
+helm upgrade --install keycloak --namespace examples --set
openshift.hostName=${OPENSHIFT_HOSTNAME} ./helm -f
./helm/values-keycloak-openshift.yaml \
+ && kubectl wait --for=condition=Ready pod -l
app.kubernetes.io/name=keycloak --timeout=20s \
+ && kubectl logs --tail 400 -f -l app.kubernetes.io/name=keycloak
+
+helm uninstall keycloak
+```
+
+Verify access to the OIDC configuration
+
+```
+curl -s
https://keycloak.${OPENSHIFT_HOSTNAME}/realms/camel/.well-known/openid-configuration
| jq .
+```
diff --git a/components/camel-oauth/helm/etc/cluster.crt
b/components/camel-oauth/helm/etc/cluster.crt
index df065655ad6..fa81b599224 100644
--- a/components/camel-oauth/helm/etc/cluster.crt
+++ b/components/camel-oauth/helm/etc/cluster.crt
@@ -1,34 +1,34 @@
-----BEGIN CERTIFICATE-----
-MIIF1DCCA7ygAwIBAgIUG1nj2lY4cjhn275nh3491iZZ2eUwDQYJKoZIhvcNAQEL
-BQAwaDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
-MRUwEwYDVQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxFDASBgNVBAMM
-C0NhbWVsIE9BdXRoMB4XDTI1MDMxMDExNDYyMloXDTI2MDMxMDExNDYyMlowaDEL
-MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD
-VQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxFDASBgNVBAMMC0NhbWVs
-IE9BdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3PDEVJ9z9S9o
-99a6wmgf+LdWoRUGM3rsNWXsVEpHavwRlOU4khwNcNUBfdg3ACnzTxIBeUix8VRS
-kDEpLRAuK1IVhoLi+vXbDzl58WqZvK4JSb97TzSlt14Ka4twmli9+A85dDcmxhWm
-VAL7qloC5oW1p3eB00mIm3XZAoGqudRzLxaE7aNrZ8Alk6/3PFZZpkf36/iA2XsL
-C7qvCPlJ5wi/gh18pLcirabNkbLMtkKERmSUL1verUxQdpR9cMl4m5XaWBRWgoQK
-r5hAL1GDebwRlHj+0w2WlWbryHGQK0udakB0i4QHirn/Nttm9mOpZv55FFGbRtbh
-GpTYVLRfyNreQ1+n76KwDutoRff8NpWv7jr96GX9PrvqI8xgL5Yd3VHsy6ZbZuuF
-K6HM5ELXVlietF/1KGhCephC3hVAHDMeCrF8++Graj8Dzu8DS7I61lpvaT6Qbxjv
-8Q48A1VgsTXsEoDiloRJt6cAQSXsv+2/xOsjW8lbmWyWslv4Ib+Qzm6EZ/DGVJ2U
-Qdpu3iXf+On+ep10fPTCmS/WrX4lNY866pqwnol9ln0kZQG1577l/e3tjjyIOyAE
-ua/B0pXwg72zc97cW0ydA9ABsa6zI2CjzOaK+PFLsvJesQD4yklwUL9BnMViHJfS
-2Z8f7IIfbcaMJU8D1oj5C7L9B7kScgUCAwEAAaN2MHQwDgYDVR0PAQH/BAQDAgWg
-MBMGA1UdJQQMMAoGCCsGAQUFBwMBMC4GA1UdEQQnMCWCDWNsdXN0ZXIubG9jYWyC
-DmtleWNsb2FrLmxvY2FshwR/AAABMB0GA1UdDgQWBBSgrQRoOUiJOt+dN8D7Yd+a
-PUD72DANBgkqhkiG9w0BAQsFAAOCAgEAAmjrTVBrI9DUyQvVN6VHwv6lgJZvJvTy
-7TWgZUqQULo0Ay1B6m8Dp87i5EasjhYljZ5nm4MS92LcTW+ar3K7JAq43MRN8uVy
-4TMeNfZGFAWdcaxFZv5s//mnECE72WTDMUDCEAth7pnLFn43nHLYPyMfkmUJ7Yxy
-+sSSD+uwFB8hzxx4T65sBuI1MoUSnDOWssHnNlJZN3/Y/ZMyMsomfjvPDqpv2MO8
-kn2wzT/eXQnmhRe0LktlpyU/dLa59+Md31RAP6YWqUGQftnzT6J2a438NxuqKu8v
-PdwlNQ2BFI6gHgYlNwB4ayQlbYMgrKSVcEsF2rgoMT4mSOu+LNwL4tks643npC1p
-gg7lCoJywjDz8owKGrY1lhz7ZdgnpdgUcefldw7zCXDPSgUnmgpdMXtvwgVa6G13
-pI/lGlb5UTdbR9HtHnEvfz1FWRBZbaupsM1cQ14rJCyn9EEm8jgU0VsS0P9kJxbQ
-HUKwLnN7gGtWvtyW6iIkJmN0OUtgaQxJzWYNBguwEGgGDXBbwYoulgvSbqsnUl3V
-JhGZ+RIa78r+iaQ4cx2giMtbIH+HmBua7jCNn3ZJtS745kRBb6Sf95HjdSrzEig6
-PkmSt/1wM/s/+BTiZR/XnAz9Lg+DgwqrdcA350PKF5D/RNQSxc2x54jkp9nrUT/M
-ztaJIfsNLiY=
+MIIF5TCCA82gAwIBAgIUX9D9OZsmMOP0QrpB+CqabkzLivAwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRUwEwYDVQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxHTAbBgNVBAMM
+FENhbWVsIENsb3VkIEV4YW1wbGVzMB4XDTI1MDMyMDA5NTQzM1oXDTI2MDMyMDA5
+NTQzM1owcTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARD
+aXR5MRUwEwYDVQQKDAxPcmdhbml6YXRpb24xDTALBgNVBAsMBFVuaXQxHTAbBgNV
+BAMMFENhbWVsIENsb3VkIEV4YW1wbGVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAqneLc6LEN/2r1AEIM0A/+8hINA/Bi9AUlX4SZVnvTE5A59Y9/PgA
+yeH+Bsk2gf067h1zUT9Mzke46VhpWlk+qUodr3+dmW10k038xAR2y0WiuXdeQoE4
+ZrD20rB1vi2DG9NtA1dvI5e5ljwCTw8C1/VP7dO/daFrgmP9t/kXKLXfxxZdv39K
+Tg8AYG44Puv/V/7lUYR/6Pc+yJTOXTf3u6KHEAz9wVJmBeZNTh5Od5qZDPSmDyXF
+DUmTFNTjeHcHUYsJVeLcwXmh9H+/HtBvEN4075Nj598x1fe2zjV0gIWXAnsxelbG
+zq4YO92CNxLAo18ESgu2Q3L39AIb7Db8V/kYZwe2aSaj6hp6rYFZ4YJ1upxnsttE
+g3qjqFgKg1jwdmQWezXoFPszADxt2dtA0/FtCArto/+dnfaClwVKtpxMRcG8YYGk
+R7M/uZKBmv4/9tNipMK8Pe6nC5iaGTxiXZms1cVQ4PPKUEYWFVlC4JZhWRMYgjhJ
+3tiHm4gahGDTEbBlWcEuH+x9ek9GBSOg7Mg5NhPn4aAKQvet3cogPalmeWDD2OEB
+Cr20ggLFg+qpFMUwtifSQ87LwvBovroPV7N9tCGubAzk2aod1xjjtjoFwh3gZLND
+iZlfciBC71ws5++3DcN2ynLNsfwjLipiTUe4uP1TG5d3pUQltf+BoncCAwEAAaN1
+MHMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMC0GA1UdEQQm
+MCSCDmtleWNsb2FrLmxvY2FsggxrZXljbG9hay5rM3OHBH8AAAEwHQYDVR0OBBYE
+FPq85386UIVJT+edIsaopFRhoejJMA0GCSqGSIb3DQEBCwUAA4ICAQAjA7o0qZWA
+S2V596H0a66j+8HZdO5omzHQRmlI+5ZPA14sxpUnD7ZM/NUEwiPMmZfNzn5j2TdS
+xWtVPRp9lFBIWzobJhsYUNZn7D+cFpFDOWTQI6b1NxL60HByUpUOIACWEaPAK2p4
+qTFc60OJU/JH2hPwWiSBF8OxGkB/BYg3PrQ8WwKaNaG/qN35SK6zSEc4LI4eVsZ4
+NNfnMHzEvbMgGvKwxIYWTd2lu6UTEbhib2HAPk2/b99J2n3tBIQz8urJrIi4BoWP
+TF3Sy3qSGrZgvlSVzfsAowXPwKq/0H7DjMo/f/pMrPM7P/YuWT2omqz6riS1nQNO
+MaC8Tf98C/41NFiojjNHKdKprXcGLwh4x80Ypoi3Jjl3FGJAv57ob9bIhVJYBMYn
+NNrlZAJEgiH4sCfOpElkThjkZIZ5O+UL7/uQ6/juGgX1YLpOKBB1ypwOO3uFlMZS
+a+rAFqBsfqFcK6XlWQW7kU4ZOS1eGJ8IpFBT07ttWnooUsFKQZPDt9wpJd7XJLw+
+6DmqqlQXyNo8vfo0g9SJmjaaeRClFC5r6t45xIPGKXAqXID2M3jwnpfF12BScpoO
++anWevw2zZDM4/mYed67/h2nO2wS8Ruqx/xCsYrmnlyGV9fufpAVKwpOlcv9k1hE
+P71otbzLMAi8HN3aU9m/Ocjg5iFRyjB3Jw==
-----END CERTIFICATE-----
diff --git a/components/camel-oauth/helm/etc/cluster.key
b/components/camel-oauth/helm/etc/cluster.key
index 01a889dc670..909ca8d3f9d 100644
--- a/components/camel-oauth/helm/etc/cluster.key
+++ b/components/camel-oauth/helm/etc/cluster.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDc8MRUn3P1L2j3
-1rrCaB/4t1ahFQYzeuw1ZexUSkdq/BGU5TiSHA1w1QF92DcAKfNPEgF5SLHxVFKQ
-MSktEC4rUhWGguL69dsPOXnxapm8rglJv3tPNKW3Xgpri3CaWL34Dzl0NybGFaZU
-AvuqWgLmhbWnd4HTSYibddkCgaq51HMvFoTto2tnwCWTr/c8VlmmR/fr+IDZewsL
-uq8I+UnnCL+CHXyktyKtps2Rssy2QoRGZJQvW96tTFB2lH1wyXibldpYFFaChAqv
-mEAvUYN5vBGUeP7TDZaVZuvIcZArS51qQHSLhAeKuf8222b2Y6lm/nkUUZtG1uEa
-lNhUtF/I2t5DX6fvorAO62hF9/w2la/uOv3oZf0+u+ojzGAvlh3dUezLpltm64Ur
-oczkQtdWWJ60X/UoaEJ6mELeFUAcMx4KsXz74atqPwPO7wNLsjrWWm9pPpBvGO/x
-DjwDVWCxNewSgOKWhEm3pwBBJey/7b/E6yNbyVuZbJayW/ghv5DOboRn8MZUnZRB
-2m7eJd/46f56nXR89MKZL9atfiU1jzrqmrCeiX2WfSRlAbXnvuX97e2OPIg7IAS5
-r8HSlfCDvbNz3txbTJ0D0AGxrrMjYKPM5or48Uuy8l6xAPjKSXBQv0GcxWIcl9LZ
-nx/sgh9txowlTwPWiPkLsv0HuRJyBQIDAQABAoICABt44KC5Fv0UwROYIq7LrbYK
-bf4nlBbQoRBetQ0iE1FNOI5wFiGs1UsDYWUZfnVJwhRB4+cF0AJ2/rEpO7p7uZHv
-affIzJpx+aQh/HS1UZpxdXwzEA0gOb7cNaV7uCuo/y4aDoXR2cNlq8HkgRCEkrnB
-RH4nUQBJs2/JLouuPeFPdmcTgMHfwRosfT+o8LAS+KDBcCVqR/NC5nO16c/O146f
-uthd/EKq9ufqxsLoHaZIDRSHqxlcbgrUY2jrO9HLa3DFKFotZThjXMTKxKhdlWCM
-rw7sIJtzpBa9rnHFFS0dANzWWOeEKj/ossBKdboLWGQTHlEVeJ5NV74rZd7actJW
-otvI8V9pitXNFBdpM9moad3/R4WzgbmdzO1EAlXEBcVVlUTpCxblzbOKnA87u7Fn
-NzBjQl3TVj2exTNkQRZWinhk9jJlNyUVVx6q9B7lary2qqdzAOjtPNozjGhBQOaB
-z9gaVZpZgCSIojfkfVXiO2NU3GxMkvpiiZ5XR/+yxxTN4A0EzQpPZgJTkOQ4PNqy
-lvjpa8cZM7a+jrvFfcDe69Tq2v4Ng2Dwjk8v9xXf8fdDgf54OrrPl0D+ATUYBznb
-DGJVKZ12ceij+jbP62KKfa1R+FEw4avsi7hhaTm99jf9J/ghGvgcL+mXlM3i777f
-nX8KQDUSscx2Ja7/iqBBAoIBAQDz9f9BlzKdIjQj3T8Jj8AlQKod5tMy3NJuaYPh
-lL44l3uUNODAUXm6OBnSKtwR5NSmad+PslG1R694RpqxjcKMAcPbtRUzANZLxJ0z
-GF5LEwrqLGpJ8pB15qApmKmS+Qzffx1r8h/ziy266Xg/gkmN63SdqBihUPbE1crc
-lC++1tMKBnainOyByFkdyXbw2y2pE05LVWnryhhsLFotgY0W0I+Ovgz6QqfE79KU
-WWMFuFFpchKoe9bKmucfQXnDjWaU++3GRXSSx2nRQfjaRZBAL+z3vJcUXuikwMVd
-tEUrq0dj95lCu7RRqRXESWfQu280YoX5ANKGY/j6uLFZtU0RAoIBAQDn1/LSadHi
-RHVoA4TtYPgckmABZbcEViN/d2sEOM4fTnvF3gotkgyUVVouZI7XivV2f9zPa6zl
-LbfmD9xts/cVolN7UZzgMM3tRYoyM5A1oCwm/ZjGDGu/eUvaqRMGEVJCb0jkITqf
-XkBC5WpZs42agPvR90B8eeB2rvBUDwAFWfW1M44yK1HKS9bYAGs5YhEbOyvOSGZp
-K0VpvaqsOohPzip1KKr9W3bPmgTM2qd/qal0lAzFXRBqFRQGZSuDnrYsIjJjvEv5
-aA4br8UT0S1ImBIVBKF4z1xQFBL/GxQ0i/UNASdSLHq1r3E/4yHmtpcUNWnwSFaS
-Tzufqh35x6W1AoIBAQDL0kC6qfntckAhnp0l/eXIuefnJ4xYOEnPWXSHqV/rpBPp
-VOxZgTi0Ll7USl6mzIolptrTEWZWkFe3ozVnFkrt8iOSkg3uGMrxbojvwXI2Quih
-kQ4UTgYHmvFBD3zNgCoTJ/6KyzWKokNIn/qJBO8zFP7PITvCuwQQm5XrCBuD07Np
-8tB3N6gZHivmSQWIYXYahjipk+j0yFnzNnL5Bf28i+8EkSACjmHglYVXz/59LutF
-r7qK7Twc9aIXaPq0OJT18C1Ns4Wbg+OSow2oPuov1lqi9/s5V7oCu9OpYA1SWL1C
-dgCj0nLqrtuyrKmBqLdWCuJnkRpSkX/Y6SmzC1ghAoIBAQCXxu/YgB4/GsIhzev/
-2zOSwODJCWW/GQU0NWGB6g5GwIKXDr1rB+nkUdwv8vTwdrArW5ma0MrnXf6+RjPw
-PZjMOPCeEte4jTrC0nueUdNex/UfsXWKcic3upjGFVm25zAK/f+iGX7fRjybjsUI
-5FsXgslYs50r4D3qdKww24EP/8yzS4UTovhwjyWfUubfMiwwv5P1/7/LqeBPUTOi
-fM8wL6/r8yu9oVsunY327k4pbVDaWPHjYwGT8Sii5yiNiiGI0vpaALNcG5rg1TkX
-uCEFHUj5KYbsKBQu+HVXPMsFe3p5gP/U8/mBZ9GkGXXgLDjLqgwombLTJbvK0vu8
-wc7hAoIBAQCiUUl9oQhyHJ+Ixu02s+Ym6h5LMAH/I/S7m76LV8x3NSZMepU6jZjd
-LnULDsN7ZdbFGCLnjqr6c0xG00bR1ptL4V5yba8xqhCOLXazXUamP2uJISHPSauy
-2DT0paNr/2ksBL/pEkv8okA6jpbmCj/y4m48AkE8dWo3HR2kRiv6UXTtzlPrIYBl
-2gEBsZOqvuvzsAjzGnL0dZDoqP7/HK6plUHwTlvg15lPJmnbNj0jmtn+3OAVKOws
-myUTdDO7p4XkRRGPHedip9SXiVoBVJxmcopHhmYihyyJc1Dk/yxE7KDq5Hnla5XT
-nrJv2Z4xG1KIkEOjCOn+klnstOI9tboD
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCqd4tzosQ3/avU
+AQgzQD/7yEg0D8GL0BSVfhJlWe9MTkDn1j38+ADJ4f4GyTaB/TruHXNRP0zOR7jp
+WGlaWT6pSh2vf52ZbXSTTfzEBHbLRaK5d15CgThmsPbSsHW+LYMb020DV28jl7mW
+PAJPDwLX9U/t0791oWuCY/23+Rcotd/HFl2/f0pODwBgbjg+6/9X/uVRhH/o9z7I
+lM5dN/e7oocQDP3BUmYF5k1OHk53mpkM9KYPJcUNSZMU1ON4dwdRiwlV4tzBeaH0
+f78e0G8Q3jTvk2Pn3zHV97bONXSAhZcCezF6VsbOrhg73YI3EsCjXwRKC7ZDcvf0
+AhvsNvxX+RhnB7ZpJqPqGnqtgVnhgnW6nGey20SDeqOoWAqDWPB2ZBZ7NegU+zMA
+PG3Z20DT8W0ICu2j/52d9oKXBUq2nExFwbxhgaRHsz+5koGa/j/202Kkwrw97qcL
+mJoZPGJdmazVxVDg88pQRhYVWULglmFZExiCOEne2IebiBqEYNMRsGVZwS4f7H16
+T0YFI6DsyDk2E+fhoApC963dyiA9qWZ5YMPY4QEKvbSCAsWD6qkUxTC2J9JDzsvC
+8Gi+ug9Xs320Ia5sDOTZqh3XGOO2OgXCHeBks0OJmV9yIELvXCzn77cNw3bKcs2x
+/CMuKmJNR7i4/VMbl3elRCW1/4GidwIDAQABAoICAAMvkMLS4k/mXo7rv53iYxyI
+tbC8/dg0rCECTJDp78SOG3Bs9JbRtVIQj/eYf+Hi1amCXpfAhkyLBc2pzu49VL2q
+AO85Hbzl6scF+7KK7Go7UIgFNXtdgHkkcLh0GJjUfB39Aybyb17lUWnMkIGuiiMQ
+sDNSdCjCoSIitEJhiVx3A0oGBPwbNbKxXRRwR7Ge8q3phmeezk7DfPNKtKcEilpO
+kBYHG1PAzBKE9CG0BBgzVdqEIZMofyV5ObwRIav5E+eJbapvpVu7f83BK9U4ZM4v
+5bvEfJpMwljfwRVBf0sXmnOvBOtNMkUsKilhDma948b2ptUR1JCWIxD2wroINqPc
+0WkIZuoJoNTg2ZpOgaYQIZZfioSUnA384+RmiK2crWjg8XLcYCYQQS9EXhIHFMC6
+7bI/ElMmyE2W8wdO9osOgKSF1c91Rvhd/qgwTbaTmjATsDZAQTtFC2+Ot36Bqo3D
+wNhDdDilDPH8mc2gH+C32g1rkBMPsmuRRNHUEG6GUGg3XAxggbLJHLo4OevJjh0Y
+0GbhsbHStTsy8e5d3BlbXieOQiz6ShvkcFXtz5DZI/XvuarRvW2E/17AKC1TC3b6
+qpo+15mNHofoM599QhepDfmgsPfGghBbVuRD9oEcynASx4q0kYWoY8EBzDWA0+lj
+e1/hD/Zcf3943kciZg7hAoIBAQDj5MFypqChsK3HzyELb2wE29EIpoP94tIt+Zsc
+eyOanwjVb0a5zoQGqK6p1cbtxtLRZLvwpi7g8P1sc2GUJiBohedrR7IcHi6JZv3/
+rzQTmMW0J6LpG3thcVYczI1mr1FEmwIt23qU2bR3+ftBEf7d/d22NuAGT9aDI/xU
+L5rOoTu9DPnyfbGXRTi1wsMPoSgckWumkrq4JxpJkA3jxKfELzC8Vt43BCp2aH2I
+57fNld5eak1H3P3aPFuygpj/ogqbpEnLIvF6jqxytJBiluVzp1xzCQZbWtO3MpG9
+hAS0M1eUc5D8dsDN11hzRF7qls84Az0aOd9CKn0KgNlxm+e7AoIBAQC/fas5G1AD
+mRYuiRy9qKBCUHwnDGcQFLv4f6UOBTosC7XNX1hjZHf03VrySyhspQReZYXMEn0U
+7EG4P2UutSLxSapnBg46i3CUkGAovz1XLjK8hAHrdeLZZOddO/v1P3UGmpoCNIBb
+bjfTALc0TXdDbkCAWiVWHniY3IlypqadSWKfrzY5GmxoYjLaXHZbgKKdzE5rikI+
+iHdmUF694QQy52oqVY/i3PwBMBmY/ViXIx+PJ90LDABj52itpyI2VSJX5RjFhYtP
+RJJ6DzbPYrIE5fI8cPAX/AKB2gW++AuTq0u2eVp53kwhEnvSsM4yShwJBzdoEH5z
+2MjWn61tNY51AoIBAQCpimGwXe5a3AotABdhXn9KDg6xFNBVbQ1YTr3qrmGKgo4b
+2zEOwmjOW2e1yei4tJXaWcrH+ZoelqqyqBQMF2E84YGM+kWzTXDpn8mPElT3z0wl
+/ubf7SYZFCwwOK1pmzwmgftZClNjsaLlLwCRJEYr+NWc3a5Eg9jer0LljpTo7GJ4
+/tJkaMZZ95F9B2v+kLI6rqUbw0VOAyk3WQg8Tu1QsprbQvUGkP7WIF5kH59KPxiz
+vPnJYMsqNIUzhJ02cOLbb5nGmjR0LPh2TYatEf2Z0QSiQDCOfj/Lpr9t8m1dcmTR
+eDiA2ggOGwseldrXQ2LeFOq8PBmwK9PioIEkWAxJAoIBAGr2x64ek5Nu7/UOof9P
+MjXYv4EQbIGPE3C73Hb4dIYmBGez2quqc1dUTnkJgostokMYcqSLr1MApbVFtD9i
+7yHZBFaIC2qoeTqDazNXn+wS4kRreKcOMqk8tABggV19FOGbemvA5/IqnwQ+YhfV
+Lcl8zIrlz/VLEBJTHnPsoyU42N5aAO/k0ql8MOvIulRihnOerC9mC5rin8+HFWT7
+TF0i5yq+oKEYz6vaMnJDEjlaZUaR/ectzQoBOXfG5FV1OLngPvYWorqkky2bUgKG
+Huqdh7I7Y+IB42SlZJBH/i9+f8xt/RwWEHBo4sHOAWAWBZMFdO2sSPZtIcLBbx6R
+zAECggEBAIfJgDeKrf53CkwjeXMcBdCPPkj5g292+rQ9zrecLYvMtkkC9sd/rzO9
+6ihkBOVgRMR1bcRe4oXZdN6fxa7slhSZ8WGDvnRSn9cloqryQvcI0S8/RrKbVq6i
+Ce4zwBppopHcAtnV1CcqqlNyAmFu6GtaqfNpy+Gq675MmdjGBlTKzUM7NRr8n9k7
+bra3YwQqPpfwNkyvahfdHhLp1jdLZMNI/7dKibTLWLFGkH53VkbN0CLIAgQe7CI0
+uHez6YA8Bofa6mzGMgucTfbvk8jPz/Ipnz1KVabQe9FkBMKi+Sib7/X3+76fYsPe
+mQE10mG/icF6LNXz4e/8R/x9kzjmptk=
-----END PRIVATE KEY-----
diff --git a/components/camel-oauth/helm/etc/san.cnf
b/components/camel-oauth/helm/etc/san.cnf
index 9a04e08acf3..273d11e73a4 100644
--- a/components/camel-oauth/helm/etc/san.cnf
+++ b/components/camel-oauth/helm/etc/san.cnf
@@ -10,7 +10,7 @@ ST = State
L = City
O = Organization
OU = Unit
-CN = Camel OAuth
+CN = Camel Cloud Examples
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
@@ -18,6 +18,6 @@ extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
-DNS.1 = cluster.local
-DNS.2 = keycloak.local
+DNS.1 = keycloak.local
+DNS.2 = keycloak.k3s
IP.1 = 127.0.0.1
diff --git a/components/camel-oauth/helm/templates/traefik-secret.yaml
b/components/camel-oauth/helm/templates/backdoor.yaml
similarity index 61%
copy from components/camel-oauth/helm/templates/traefik-secret.yaml
copy to components/camel-oauth/helm/templates/backdoor.yaml
index 9763ed228ae..44a1bf81a12 100644
--- a/components/camel-oauth/helm/templates/traefik-secret.yaml
+++ b/components/camel-oauth/helm/templates/backdoor.yaml
@@ -15,23 +15,32 @@
# limitations under the License.
#
-{{- with .Values.deployments.traefik }}
-
-# Traefik TLS Secret
+{{- with .Values.deployments.backdoor }}
---
-apiVersion: v1
-kind: Secret
+apiVersion: apps/v1
+kind: Deployment
metadata:
- name: traefik-tls
+ name: backdoor
labels:
- app.kubernetes.io/name: traefik
+ app.kubernetes.io/name: backdoor
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/release: {{ $.Release.Name }}
app.kubernetes.io/revision: '{{ $.Release.Revision }}'
-type: kubernetes.io/tls
-data:
- tls.crt: {{ $.Files.Get "etc/cluster.crt" | b64enc }}
- tls.key: {{ $.Files.Get "etc/cluster.key" | b64enc }}
-
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: backdoor
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: backdoor
+ app.kubernetes.io/release: {{ $.Release.Name }}
+ app.kubernetes.io/revision: '{{ $.Release.Revision }}'
+ spec:
+ containers:
+ - name: backdoor
+ image: registry.access.redhat.com/ubi8/ubi-minimal:{{ .version }}
+ imagePullPolicy: Always
+ command: [ "sleep", "infinity" ]
---
{{- end }}
diff --git a/components/camel-oauth/helm/templates/kafka.yaml
b/components/camel-oauth/helm/templates/kafka.yaml
index 1da36e56fdc..b145cb1bc49 100644
--- a/components/camel-oauth/helm/templates/kafka.yaml
+++ b/components/camel-oauth/helm/templates/kafka.yaml
@@ -23,7 +23,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: kafka-scripts
+ name: kafka-extra-files
data:
functions.sh: |-
{{- $.Files.Get "scripts/functions.sh" | nindent 4 }}
@@ -53,10 +53,10 @@ spec:
initContainers:
- name: kafka-init
image: busybox
- command: ["sh", "-c", "cp /tmp/kafka/scripts/* /opt/kafka/scripts/
&& chmod +x /opt/kafka/scripts/*.sh"]
+ command: ["sh", "-c", "cp /tmp/extra-files/*.sh /opt/kafka/scripts/
&& chmod +x /opt/kafka/scripts/*.sh"]
volumeMounts:
- - name: kafka-scripts-configmap
- mountPath: /tmp/kafka/scripts
+ - name: kafka-extra-files
+ mountPath: /tmp/extra-files
- name: kafka-scripts
mountPath: /opt/kafka/scripts
containers:
@@ -81,7 +81,7 @@ spec:
- name: KAFKA_LISTENERS
value:
"CONTROLLER://:9091,INTERNPLAIN://:9092,INTERNSECURE://:9093,EXTERNSECURE://:9194"
- name: KAFKA_ADVERTISED_LISTENERS
- value:
"INTERNPLAIN://:9092,INTERNSECURE://kafka:9093,EXTERNSECURE://127.0.0.1:{{
$.Values.kafkaNodePort }}"
+ value:
"INTERNPLAIN://:9092,INTERNSECURE://kafka:9093,EXTERNSECURE://127.0.0.1:{{
.nodePort }}"
- name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
value:
"CONTROLLER:PLAINTEXT,INTERNPLAIN:PLAINTEXT,INTERNSECURE:SASL_PLAINTEXT,EXTERNSECURE:SASL_PLAINTEXT"
- name: KAFKA_CONTROLLER_LISTENER_NAMES
@@ -97,15 +97,15 @@ spec:
- name:
KAFKA_LISTENER_NAME_INTERNSECURE_OAUTHBEARER_SASL_JAAS_CONFIG
value: |-
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
-
oauth.jwks.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/certs";
-
oauth.token.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/token";
+
oauth.jwks.endpoint.uri="http://keycloak:8080/kc/realms/camel/protocol/openid-connect/certs";
+
oauth.token.endpoint.uri="http://keycloak:8080/kc/realms/camel/protocol/openid-connect/token";
oauth.check.issuer=false
unsecuredLoginStringClaim_sub="unused";
- name:
KAFKA_LISTENER_NAME_EXTERNSECURE_OAUTHBEARER_SASL_JAAS_CONFIG
value: |-
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
-
oauth.jwks.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/certs";
-
oauth.token.endpoint.uri="http://keycloak.local/kc/realms/camel/protocol/openid-connect/token";
+
oauth.jwks.endpoint.uri="http://keycloak:8080/kc/realms/camel/protocol/openid-connect/certs";
+
oauth.token.endpoint.uri="http://keycloak:8080/kc/realms/camel/protocol/openid-connect/token";
oauth.check.issuer=false
unsecuredLoginStringClaim_sub="unused";
@@ -126,9 +126,9 @@ spec:
runAsUser: 1001 # The UID of the kafka user
runAsGroup: 0 # The GID of the root group (since kafka is in
root group)
volumes:
- - name: kafka-scripts-configmap
+ - name: kafka-extra-files
configMap:
- name: kafka-scripts
+ name: kafka-extra-files
- name: kafka-logs
emptyDir: {}
- name: kafka-scripts
@@ -169,7 +169,7 @@ spec:
ports:
- port: 9094
targetPort: 9094
- nodePort: {{ $.Values.kafkaNodePort }}
+ nodePort: {{ .nodePort }}
selector:
app.kubernetes.io/name: kafka
---
diff --git a/components/camel-oauth/helm/templates/keycloak.yaml
b/components/camel-oauth/helm/templates/keycloak.yaml
index 3dbcc32a6e7..5d3809f20b3 100644
--- a/components/camel-oauth/helm/templates/keycloak.yaml
+++ b/components/camel-oauth/helm/templates/keycloak.yaml
@@ -17,12 +17,12 @@
{{- with .Values.deployments.keycloak }}
-# Keycloak Realm ConfigMap
---
+# Keycloak Realm ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
- name: keycloak-realm-config
+ name: keycloak-realm-import
labels:
app.kubernetes.io/name: keycloak
app.kubernetes.io/managed-by: Helm
@@ -32,8 +32,8 @@ data:
camel-realm.json: |-
{{- $.Files.Get "etc/camel-realm.json" | nindent 4 }}
-# Keycloak Deployment
---
+# Keycloak Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -63,9 +63,9 @@ spec:
- "start-dev"
- "--import-realm"
- "--http-enabled=true"
- - "--http-relative-path=/kc"
- "--proxy-headers=xforwarded"
- - "--proxy-protocol-enabled=false"
+ - "--proxy-protocol-enabled=false"{{- if eq $.Values.environment
"k8s" }}
+ - "--http-relative-path=/kc"{{- end }}
env:
- name: KC_BOOTSTRAP_ADMIN_USERNAME
value: admin
@@ -74,16 +74,16 @@ spec:
ports:
- containerPort: 8080
volumeMounts:
- - name: keycloak-realm-config
+ - name: keycloak-realm-import
mountPath: /opt/keycloak/data/import
readOnly: true
volumes:
- - name: keycloak-realm-config
+ - name: keycloak-realm-import
configMap:
- name: keycloak-realm-config
+ name: keycloak-realm-import
-# Keycloak Service
---
+# Keycloak Service
apiVersion: v1
kind: Service
metadata:
@@ -96,33 +96,17 @@ spec:
port: 8080
selector:
app.kubernetes.io/name: keycloak
+---
-# Keycloak Ingress Http
-#---
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-# name: keycloak-http
-# labels:
-# app.kubernetes.io/name: keycloak-http
-#spec:
-# entryPoints:
-# - web
-# routes:
-# - match: PathPrefix(`/kc`)
-# kind: Rule
-# services:
-# - name: keycloak
-# port: 8080
-
-# Keycloak Ingress Https
+{{- if eq $.Values.environment "k8s" }}
---
+# Keycloak Ingress Https
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
- name: keycloak-https
+ name: keycloak
labels:
- app.kubernetes.io/name: keycloak-https
+ app.kubernetes.io/name: keycloak
spec:
entryPoints:
- websecure
@@ -135,4 +119,28 @@ spec:
tls:
secretName: traefik-tls
---
+{{- end }} # environment == 'k8s'
+
+{{- if eq $.Values.environment "openshift" }}
+# Keycloak Route
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: keycloak
+ labels:
+ app.kubernetes.io/name: keycloak
+spec:
+ host: keycloak.{{ $.Values.openshift.hostName }}
+ to:
+ kind: Service
+ name: keycloak
+ port:
+ targetPort: 8080
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+---
+{{- end }} # environment == 'openshift'
+
{{- end }}
diff --git a/components/camel-oauth/helm/templates/traefik-secret.yaml
b/components/camel-oauth/helm/templates/traefik-tls.yaml
similarity index 100%
rename from components/camel-oauth/helm/templates/traefik-secret.yaml
rename to components/camel-oauth/helm/templates/traefik-tls.yaml
diff --git a/components/camel-oauth/helm/templates/whoami.yaml
b/components/camel-oauth/helm/templates/whoami.yaml
index c4a49b0f14e..87706a44d54 100644
--- a/components/camel-oauth/helm/templates/whoami.yaml
+++ b/components/camel-oauth/helm/templates/whoami.yaml
@@ -37,9 +37,10 @@ spec:
spec:
containers:
- name: whoami
- image: traefik/whoami
+ image: traefik/whoami:{{ .version }}
+ args: [ "--port=8080" ]
ports:
- - containerPort: 80
+ - containerPort: 8080
# Whoami Service
---
@@ -48,13 +49,15 @@ kind: Service
metadata:
name: whoami
spec:
+ type: ClusterIP
ports:
- - name: web
- port: 80
- targetPort: 80
+ - port: 8080
+ targetPort: 8080
selector:
app.kubernetes.io/name: whoami
+---
+{{- if eq $.Values.environment "k8s" }}
# Whoami IngressRoute
---
apiVersion: traefik.io/v1alpha1
@@ -72,7 +75,7 @@ spec:
kind: Rule
services:
- name: whoami
- port: 80
+ port: 8080
middlewares:
- name: strip-prefix-who
tls:
@@ -90,4 +93,6 @@ spec:
prefixes:
- /who
---
+{{- end }} # environment == 'k8s'
+
{{- end }}
diff --git a/components/camel-oauth/helm/values-kafka.yaml
b/components/camel-oauth/helm/values-kafka.yaml
index eba9e046dfc..050c8061e5c 100644
--- a/components/camel-oauth/helm/values-kafka.yaml
+++ b/components/camel-oauth/helm/values-kafka.yaml
@@ -15,9 +15,8 @@
# limitations under the License.
#
-
-kafkaNodePort: 30094
+environment: k8s
deployments:
kafka:
- name: "kafka"
+ nodePort: 30094
diff --git a/components/camel-oauth/helm/values-keycloak.yaml
b/components/camel-oauth/helm/values-keycloak-openshift.yaml
similarity index 91%
copy from components/camel-oauth/helm/values-keycloak.yaml
copy to components/camel-oauth/helm/values-keycloak-openshift.yaml
index 3cf2797d207..d20e3d1cdc8 100644
--- a/components/camel-oauth/helm/values-keycloak.yaml
+++ b/components/camel-oauth/helm/values-keycloak-openshift.yaml
@@ -15,11 +15,11 @@
# limitations under the License.
#
-deployments:
+environment: openshift
+
+hostName: apps.rosa.<cluster-name>.openshiftapps.com
+deployments:
keycloak:
- name: "keycloak"
version: 26.1.2
- nodePortHttp: 30100
- nodePortHttps: 30443
diff --git a/components/camel-oauth/helm/values-keycloak.yaml
b/components/camel-oauth/helm/values-keycloak.yaml
index 3cf2797d207..c7f582a5807 100644
--- a/components/camel-oauth/helm/values-keycloak.yaml
+++ b/components/camel-oauth/helm/values-keycloak.yaml
@@ -15,11 +15,9 @@
# limitations under the License.
#
-deployments:
+environment: k8s
+deployments:
keycloak:
- name: "keycloak"
version: 26.1.2
- nodePortHttp: 30100
- nodePortHttps: 30443
diff --git a/components/camel-oauth/helm/values-traefik-secret.yaml
b/components/camel-oauth/helm/values-traefik-tls.yaml
similarity index 88%
rename from components/camel-oauth/helm/values-traefik-secret.yaml
rename to components/camel-oauth/helm/values-traefik-tls.yaml
index 456168bbbda..c570dfa0525 100644
--- a/components/camel-oauth/helm/values-traefik-secret.yaml
+++ b/components/camel-oauth/helm/values-traefik-tls.yaml
@@ -15,7 +15,11 @@
# limitations under the License.
#
+#
+# helm upgrade --install traefik-tls ./helm -f ./helm/values-traefik-tls.yaml
+#
+
deployments:
traefik:
- name: "traefik-secret"
+ name: "traefik-tls"
diff --git a/components/camel-oauth/helm/values-whoami.yaml
b/components/camel-oauth/helm/values-whoami.yaml
index ea21c35fbd4..a823210a412 100644
--- a/components/camel-oauth/helm/values-whoami.yaml
+++ b/components/camel-oauth/helm/values-whoami.yaml
@@ -15,8 +15,9 @@
# limitations under the License.
#
-deployments:
+environment: k8s
+deployments:
whoami:
- name: "whoami"
+ version: latest
diff --git a/components/camel-oauth/src/main/docs/oauth-component.adoc
b/components/camel-oauth/src/main/docs/oauth-component.adoc
new file mode 100644
index 00000000000..56c5c8488c7
--- /dev/null
+++ b/components/camel-oauth/src/main/docs/oauth-component.adoc
@@ -0,0 +1,171 @@
+= OAuth Component
+:doctitle: OAuth
+:shortname: oauth
+:artifactid: camel-oauth
+:description: Socket level networking using TCP or UDP with Netty 4.x.
+:since: 4.12
+:supportlevel: Preview
+:tabs-sync-option:
+:component-header: Set of Exchange Processors
+//Manually maintained attributes
+//:camel-spring-boot-name: oauth
+
+*Since Camel {since}*
+
+*{component-header}*
+
+The camel-oauth module comes with Processors that can be added to a route on
the client and resource owner side.
+These processors intercept the message flow and perform the necessary
authentication steps against an Identity Provider (IdP) in some specs it also
called Authorization Server. Our primary choice of IdP is
https://www.keycloak.org[Keycloak]
+
+The idea is that a "Resource Owner" can give a "User Agent" access to some
protected resources without sharing credentials directly with the agent.
+
+For example, Alice has an account with Spotify and now wishes to use a cool
service from Acme which compiles a daily playlist according based on Alice's
preferences. Instead of giving Acme her Spotify credentials (i.e.
username/password) directly, Acme can obtain an access token from an Identity
Provider that encodes the scope and duration for Acme to access Alice's Spotify
account. Alice can revoke access any time - Acme never sees more information
thant waht Alice has granted and is ne [...]
+
+Maven users will need to add the following dependency to their `pom.xml`
+for this component:
+
+[source,xml]
+----
+<dependency>
+ <groupId>org.apache.camel</groupId>
+ <artifactId>camel-oauth</artifactId>
+ <version>x.x.x</version>
+ <!-- use the same version as your Camel core version -->
+</dependency>
+----
+
+
+// component-configure options: START
+// component-configure options: END
+
+// component options: START
+// component options: END
+
+// endpoint options: START
+// endpoint options: END
+
+// component headers: START
+// component headers: END
+
+== Authentication/Authorization Flow Types
+
+=== OIDC Authorization Code Flow
+
+The Authorization Code Flow returns an Authorization Code to the Client, which
can then exchange it for an ID Token and an Access Token directly. The
Authorization Code flow is suitable for Clients that can securely maintain a
Client Secret between themselves and the Authorization Server.
+
+This code flow relies on user interaction with a browser based application. It
is not suitable for fully automated authorization for example in the case of
REST based service interaction.
+
+For details see the https://openid.net/specs/openid-connect-core-1_0.html[OIDC
1.0] spec.
+
+==== Configuration Properties
+
+[width="100%",cols="10%,90%",options="header",]
+|===
+|Name |Description
+
+|`camel.oauth.base-uri` |The base URL to the identity provider (e.g.
https://keycloak.local/kc/realms/camel)
+
+|`camel.oauth.redirect-uri` |Valid URI pattern a browser can redirect to after
a successful login (e.g. http://127.0.0.1:8080/auth). Must be registered with
the identity provider.
+
+|`camel.oauth.client-id` |The client identifier registered with the identity
provider.
+
+|`camel.oauth.client-secret` |The client secret provided by the identity
provider.
+
+|`camel.oauth.logout.redirect-uri` |(Optional) Valid URI pattern a browser can
redirect to after a successful logout. Can be registered with the identity
provider.
+|===
+
+=== Client Credentials Grant
+
+A client can request an access token using only the client id and secret
shared with the identity provider.
+
+This code flow suitable for fully automated authorization for example in the
case of REST based service interaction.
+
+For details see the
https://datatracker.ietf.org/doc/html/rfc6749#section-4.4[OAuth 2.0] spec.
+
+==== Configuration Properties
+
+[width="100%",cols="10%,90%",options="header",]
+|===
+|Name |Description
+
+|`camel.oauth.base-uri` |The base URL to the identity provider (e.g.
https://keycloak.local/kc/realms/camel)
+
+|`camel.oauth.client-id` |The client identifier registered with the identity
provider.
+
+|`camel.oauth.client-secret` |The client secret provided by the identity
provider.
+|===
+
+== Trusted Certificates
+
+Naturally, we want all communication between camel and the identity provider
to be secured at the transport layer (TLS). For this, the Camel service need's
to trust the identity provider's certificate.
+
+[source,shell]
+----
+# Fetch the certificate from the IdP endpoint
+openssl s_client -connect keycloak.local:443 | openssl x509 > cluster.crt
+
+# Import certificate to Java Keystore (i.e. trust the certificate)
+sudo keytool -import -alias keycloak -file cluster.crt -keystore
$JAVA_HOME/lib/security/cacerts -storepass changeit
+
+# Trust this cert on macOS
+sudo security add-trusted-cert -d -r trustRoot -k
/Library/Keychains/System.keychain cluster.crt
+
+# Trust this cert on Linux
+sudo cp cluster.crt /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust
+----
+
+== OAuth for Kafka
+
+For Kafka we can use
https://github.com/strimzi/strimzi-kafka-oauth[strimzi-kafka-oauth] directly,
for example
https://github.com/tdiesler/camel-cloud-examples/blob/main/camel-main/kafka-oauth/kafka-oauth-files/kafka-oauth-route.yaml[like
this] ...
+
+== Supported Runtimes
+
+Camel OAuth is supported in all Camel Runtimes
+
+* camel-main
+* spring-boot
+* quarkus
+
+Specifically, it provides an abstraction for the various http-platforms that
are native to these runtimes.
+
+== Supported Cluster Environments
+
+Camel applications requiring OAuth authentication are likely part of a larger
more complex system architecture, which also likely are part of some larger
Kubernetes cluster deployment. In our examples we support these Kubernetes
environments ...
+
+* Local Cluster (e.g.
https://docs.docker.com/desktop/features/kubernetes/[DockerDesktop Kubernetes])
+* Remote https://k3s.io/[K3S] Cluster
+* Red Hat
https://www.redhat.com/en/technologies/cloud-computing/openshift[OpenShift]
+
+As part of this project we provide a set of https://helm.sh/[Helm] charts that
install the required infrastructure components for the respective cluster
environment. For details, have a look at the
https://github.com/apache/camel/tree/main/components/camel-oauth/helm/README.md[dedicated
readme].
+
+Keycloak is already configured in such a way that below examples should run
without further ado.
+
+== Camel OAuth Examples
+
+There is a comprehensive set of camel-oauth examples as part of
https://github.com/tdiesler/camel-cloud-examples[camel-cloud-examples]. You'll
find https://camel.apache.org/manual/camel-jbang.html[camel-jbang kubernetes]
examples for every OAuth flow, for every runtime, on every supported cluster.
+
+For example ...
+
+[source,makefile]
+----
+k8s-fetch-cert:
+ @mkdir -p tls
+ @echo -n | openssl s_client -connect keycloak.local:443 | openssl x509
> tls/cluster.crt
+
+k8s-export: k8s-fetch-cert
+ @$(CAMEL_CMD) kubernetes export platform-http-files/* tls/* \
+ --dep=org.apache.camel:camel-oauth:4.11.0-SNAPSHOT \
+ --gav=examples:platform-http-oauth:1.0.0 \
+ --property=camel.oauth.base-uri=https://keycloak.local/kc/realms/camel \
+ --property=camel.oauth.redirect-uri=http://127.0.0.1:8080/auth \
+ --property=camel.oauth.logout.redirect-uri=http://127.0.0.1:8080/ \
+ --property=camel.oauth.client-id=camel-client \
+ --property=camel.oauth.client-secret=camel-client-secret \
+ --property=ssl.truststore.certificates=tls/cluster.crt \
+ --ignore-loading-error=true \
+ --image-builder=docker \
+ --image-push=false \
+ --trait container.image-pull-policy=IfNotPresent \
+ --runtime=camel-main
+----
+
diff --git
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuth.java
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuth.java
index f8208ccc8f9..93bc587a52f 100644
--- a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuth.java
+++ b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuth.java
@@ -29,11 +29,11 @@ public abstract class OAuth {
// Camel OAuth Properties
//
- public static final String CAMEL_OAUTH_BASE_URI = "camel.oauth.baseUri";
- public static final String CAMEL_OAUTH_CLIENT_ID = "camel.oauth.clientId";
- public static final String CAMEL_OAUTH_CLIENT_SECRET =
"camel.oauth.clientSecret";
- public static final String CAMEL_OAUTH_LOGOUT_REDIRECT_URI =
"camel.oauth.logout.redirectUri";
- public static final String CAMEL_OAUTH_REDIRECT_URI =
"camel.oauth.redirectUri";
+ public static final String CAMEL_OAUTH_BASE_URI = "camel.oauth.base-uri";
+ public static final String CAMEL_OAUTH_CLIENT_ID = "camel.oauth.client-id";
+ public static final String CAMEL_OAUTH_CLIENT_SECRET =
"camel.oauth.client-secret";
+ public static final String CAMEL_OAUTH_LOGOUT_REDIRECT_URI =
"camel.oauth.logout.redirect-uri";
+ public static final String CAMEL_OAUTH_REDIRECT_URI =
"camel.oauth.redirect-uri";
// Camel OAuth Headers
//
@@ -80,6 +80,14 @@ public abstract class OAuth {
return getSessionStore().getSession(exchange);
}
+ public OAuthSession getOrCreateSession(Exchange exchange) {
+ var maybeSession = getSessionStore().getSession(exchange);
+ if (maybeSession.isEmpty()) {
+ maybeSession = Optional.of(createSession(exchange));
+ }
+ return maybeSession.get();
+ }
+
public OAuthSession createSession(Exchange exchange) {
return getSessionStore().createSession(exchange);
}
diff --git
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthBearerTokenProcessor.java
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthBearerTokenProcessor.java
index 35a491e06cb..40da9ce7a6c 100644
---
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthBearerTokenProcessor.java
+++
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthBearerTokenProcessor.java
@@ -16,8 +16,6 @@
*/
package org.apache.camel.oauth;
-import java.util.Optional;
-
import org.apache.camel.Exchange;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -65,9 +63,7 @@ public class OAuthBearerTokenProcessor extends
AbstractOAuthProcessor {
// Get or create the OAuthSession
//
- var session = oauth.getSession(exchange)
- .or(() -> Optional.of(oauth.createSession(exchange)))
- .get();
+ var session = oauth.getOrCreateSession(exchange);
session.putUserProfile(userProfile);
userProfile.logDetails("Authenticated");
diff --git
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthClientCredentialsProcessor.java
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthClientCredentialsProcessor.java
index 81a96622bc6..97a865b2c60 100644
---
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthClientCredentialsProcessor.java
+++
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthClientCredentialsProcessor.java
@@ -16,8 +16,6 @@
*/
package org.apache.camel.oauth;
-import java.util.Optional;
-
import org.apache.camel.Exchange;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -46,9 +44,7 @@ public class OAuthClientCredentialsProcessor extends
AbstractOAuthProcessor {
// Get or create the OAuthSession
//
- var session = oauth.getSession(exchange)
- .or(() -> Optional.of(oauth.createSession(exchange)))
- .get();
+ var session = oauth.getOrCreateSession(exchange);
// Authenticate an existing UserProfile from the OAuthSession
//
diff --git
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowCallback.java
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowCallback.java
index b2e1637ad53..d18c429d492 100644
---
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowCallback.java
+++
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowCallback.java
@@ -47,7 +47,7 @@ public class OAuthCodeFlowCallback extends
AbstractOAuthProcessor {
// Require an active OAuthSession
//
var oauth = findOAuthOrThrow(context);
- var session = oauth.getSession(exchange).orElseThrow();
+ var session = oauth.getOrCreateSession(exchange);
// Exchange the authorization code for access/refresh/id tokens
//
diff --git
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowProcessor.java
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowProcessor.java
index 66ccea2b86d..6a9cbf13f9e 100644
---
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowProcessor.java
+++
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/OAuthCodeFlowProcessor.java
@@ -16,8 +16,6 @@
*/
package org.apache.camel.oauth;
-import java.util.Optional;
-
import org.apache.camel.Exchange;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -45,9 +43,7 @@ public class OAuthCodeFlowProcessor extends
AbstractOAuthProcessor {
// Get or create the OAuthSession
//
- var session = oauth.getSession(exchange)
- .or(() -> Optional.of(oauth.createSession(exchange)))
- .get();
+ var session = oauth.getOrCreateSession(exchange);
// Authenticate an existing UserProfile from the OAuthSession
//
diff --git
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/jakarta/ServletOAuth.java
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/jakarta/ServletOAuth.java
index d991cf904c6..c651b5d977f 100644
---
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/jakarta/ServletOAuth.java
+++
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/jakarta/ServletOAuth.java
@@ -51,18 +51,18 @@ public class ServletOAuth extends OAuth {
@Override
public void discoverOAuthConfig(CamelContext ctx) throws OAuthException {
if (config == null) {
- var baseUrl = getRequiredProperty(ctx, CAMEL_OAUTH_BASE_URI);
+ var baseUri = getRequiredProperty(ctx, CAMEL_OAUTH_BASE_URI);
var clientId = getRequiredProperty(ctx, CAMEL_OAUTH_CLIENT_ID);
var clientSecret = getRequiredProperty(ctx,
CAMEL_OAUTH_CLIENT_SECRET);
var config = new OAuthConfig()
- .setBaseUrl(baseUrl)
+ .setBaseUrl(baseUri)
.setClientId(clientId)
.setClientSecret(clientSecret);
+ var wellKnownUri = baseUri + "/.well-known/openid-configuration";
try {
- var oidc_discovery_path = "/.well-known/openid-configuration";
- var content = Request.get(baseUrl +
oidc_discovery_path).execute().returnContent().asString();
+ var content =
Request.get(wellKnownUri).execute().returnContent().asString();
var json = JsonParser.parseString(content).getAsJsonObject();
config.setAuthorizationPath(json.get("authorization_endpoint").getAsString())
@@ -81,7 +81,7 @@ public class ServletOAuth extends OAuth {
config.setJWKSet(JWKSet.load(new URL(jwksPath)));
}
} catch (Exception ex) {
- throw new OAuthException("Cannot discover OAuth config from: "
+ baseUrl, ex);
+ throw new OAuthException("Cannot discover OAuth config from: "
+ wellKnownUri, ex);
}
this.config = config;
}
diff --git
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/vertx/VertxOAuth.java
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/vertx/VertxOAuth.java
index 9438c3b59a3..d5b3e97230f 100644
---
a/components/camel-oauth/src/main/java/org/apache/camel/oauth/vertx/VertxOAuth.java
+++
b/components/camel-oauth/src/main/java/org/apache/camel/oauth/vertx/VertxOAuth.java
@@ -52,20 +52,21 @@ public class VertxOAuth extends OAuth {
@Override
public void discoverOAuthConfig(CamelContext ctx) throws OAuthException {
if (config == null) {
- var baseUrl = getRequiredProperty(ctx, CAMEL_OAUTH_BASE_URI);
+ var baseUri = getRequiredProperty(ctx, CAMEL_OAUTH_BASE_URI);
var clientId = getRequiredProperty(ctx, CAMEL_OAUTH_CLIENT_ID);
var clientSecret = getRequiredProperty(ctx,
CAMEL_OAUTH_CLIENT_SECRET);
var config = new OAuthConfig()
- .setBaseUrl(baseUrl)
+ .setBaseUrl(baseUri)
.setClientId(clientId)
.setClientSecret(clientSecret);
OAuth2Options opts = new OAuth2Options()
- .setSite(baseUrl)
+ .setSite(baseUri)
.setClientId(config.getClientId())
.setClientSecret(config.getClientSecret());
+ var wellKnownUri = baseUri + "/.well-known/openid-configuration";
try {
oauth2 = OpenIDConnectAuth.discover(vertx, opts)
.toCompletionStage()
@@ -83,7 +84,7 @@ public class VertxOAuth extends OAuth {
config.setJWKSet(JWKSet.load(new URL(jwksPath)));
}
} catch (Exception ex) {
- throw new OAuthException("Cannot discover OAuth config from: "
+ baseUrl, ex);
+ throw new OAuthException("Cannot discover OAuth config from: "
+ wellKnownUri, ex);
}
this.config = config;
}
diff --git a/components/camel-oauth/src/test/resources/index.html
b/components/camel-oauth/src/test/resources/index.html
index 8f75dcc4f1f..28ffec3ee19 100644
--- a/components/camel-oauth/src/test/resources/index.html
+++ b/components/camel-oauth/src/test/resources/index.html
@@ -29,7 +29,7 @@
<p>All users can see this.</p>
<a href="/">Home</a>
<a href="/protected">Protected</a>
-<a href="https://keycloak.local:30443/"; target="_blank">Keycloak</a>
+<a href="https://keycloak.local/kc"; target="_blank">Keycloak</a>
<a href="/logout">Logout</a>
</body>
</html>
diff --git a/components/camel-oauth/src/test/resources/protected.html
b/components/camel-oauth/src/test/resources/protected.html
index 323118b076b..b23989db2d3 100644
--- a/components/camel-oauth/src/test/resources/protected.html
+++ b/components/camel-oauth/src/test/resources/protected.html
@@ -29,7 +29,7 @@
<p>Only authenticated users can see this.</p>
<a href="/">Home</a>
<a href="/protected">Protected</a>
-<a href="https://keycloak.local:30443/"; target="_blank">Keycloak</a>
+<a href="https://keycloak.local/kc"; target="_blank">Keycloak</a>
<a href="/logout">Logout</a>
</body>
</html>
diff --git a/docs/components/modules/others/pages/oauth-component.adoc
b/docs/components/modules/others/pages/oauth-component.adoc
new file mode 120000
index 00000000000..4c8a72360d6
--- /dev/null
+++ b/docs/components/modules/others/pages/oauth-component.adoc
@@ -0,0 +1 @@
+../../../../../components/camel-oauth/src/main/docs/oauth-component.adoc
\ No newline at end of file
