Deploy an example application

Import the security rules

The example package includes a sample financial portal application. You can deploy it with Helm as well, but first import the security rules for the application.

./bin/mpctl.sh import -d policies/financial-portal/kubernetes.yaml -d policies/scopes.yaml -p policies/financial-portal/default.yaml

The output of the command above will be similar to:

mpctl-darwin-amd64 info: "OK services/transaction-service.default.cluster.local/policies"
mpctl-darwin-amd64 info: "OK services/financial-service.default.cluster.local/rules"
mpctl-darwin-amd64 info: "OK services/transaction-service.default.cluster.local/rules"
mpctl-darwin-amd64 info: "OK services/financial-service.default.cluster.local/policies"
mpctl-darwin-amd64 info: "OK services/financial-service.default.cluster.local/endpoints"
mpctl-darwin-amd64 info: "OK edge/rules/transaction-service.default.cluster.local"
mpctl-darwin-amd64 info: "OK edge/rules/financial-service.default.cluster.local"
mpctl-darwin-amd64 info: "OK services/transaction-service.default.cluster.local/endpoints"
mpctl-darwin-amd64 info: "OK edge/policies/transaction-service.default.cluster.local"
mpctl-darwin-amd64 info: "OK edge/policies/financial-service.default.cluster.local"
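
One way to confirm that the import completed for both services before moving on to the Helm deploy, so the application is not started without its rules. This is an added example, not part of the MicroPerimeter tooling; the function names and the assumption that every service gets the five object paths seen in the sample output are ours.

```shell
#!/bin/sh
# Added example, not part of the MicroPerimeter tooling.
# Assumptions: mpctl prints one  info: "OK <path>"  line per imported object,
# and every service gets the five paths seen in the sample output above.

expected_paths() {   # $1 = service FQDN
  printf '%s\n' "services/$1/policies" "services/$1/rules" \
    "services/$1/endpoints" "edge/rules/$1" "edge/policies/$1"
}

# check_import SERVICE...: reads mpctl output on stdin, prints a MISSING line
# for each expected path not reported OK, and returns 1 if any is missing.
check_import() {
  ok=$(tr -d '\r' | sed -n 's/^.* info: "OK \(.*\)"$/\1/p')
  missing=0
  for svc in "$@"; do
    for path in $(expected_paths "$svc"); do
      if ! printf '%s\n' "$ok" | grep -qxF -e "$path"; then
        echo "MISSING $path"
        missing=1
      fi
    done
  done
  return "$missing"
}

# The import output shown above (line order does not matter to the check).
sample_output() {
  cat <<'EOF'
mpctl-darwin-amd64 info: "OK services/transaction-service.default.cluster.local/policies"
mpctl-darwin-amd64 info: "OK services/financial-service.default.cluster.local/rules"
mpctl-darwin-amd64 info: "OK services/transaction-service.default.cluster.local/rules"
mpctl-darwin-amd64 info: "OK services/financial-service.default.cluster.local/policies"
mpctl-darwin-amd64 info: "OK services/financial-service.default.cluster.local/endpoints"
mpctl-darwin-amd64 info: "OK edge/rules/transaction-service.default.cluster.local"
mpctl-darwin-amd64 info: "OK edge/rules/financial-service.default.cluster.local"
mpctl-darwin-amd64 info: "OK services/transaction-service.default.cluster.local/endpoints"
mpctl-darwin-amd64 info: "OK edge/policies/transaction-service.default.cluster.local"
mpctl-darwin-amd64 info: "OK edge/policies/financial-service.default.cluster.local"
EOF
}

SERVICES="financial-service.default.cluster.local transaction-service.default.cluster.local"

# Constructed failure: the same output with the edge policy lines dropped.
sample_output | grep -v 'edge/policies/' | check_import $SERVICES ||
  echo "rule import incomplete, not deploying"
```

In a real run, pipe the output of the import command into `check_import $SERVICES` and start the Helm deploy only when it returns 0. The page does not say which stream mpctl writes to, so capture both stdout and stderr.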

Deploy the application

To deploy the demo application, run:

helm upgrade \
  --install financial-portal \
  -f helm/registry/docker-microperimeter.artifactory.cloudentity.com/registry.yaml \
  -f values.yaml \
  --set global.tag=2.6.0 \
  --set global.registry=docker-microperimeter.artifactory.cloudentity.com \
  --wait samples/financial-portal

The output of the installation should look like the following:

Release "financial-portal" does not exist. Installing it now.
NAME:   financial-portal
LAST DEPLOYED: Wed May 15 18:41:24 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/ConfigMap
NAME              DATA  AGE
financial-portal  8     3m10s

==> v1/Pod(related)
NAME                                         READY  STATUS   RESTARTS  AGE
financial-service-6477c7955f-bz9wj           2/2    Running  0         3m10s
financial-service-frontend-665ffd84db-wlq42  1/1    Running  0         3m10s
transaction-datastore-66655599f6-2xdbm       1/1    Running  0         3m10s
transaction-service-79d97bcdb-6x9wp          2/2    Running  2         3m10s

==> v1/Secret
NAME              TYPE                     DATA  AGE
financial-portal  kubernetes.io/dockercfg  1     3m10s

==> v1/Service
NAME                        TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)   AGE
financial-service           ClusterIP  10.97.221.147   <none>       8080/TCP  3m10s
financial-service-frontend  ClusterIP  10.108.166.34   <none>       9090/TCP  3m10s
transaction-datastore       ClusterIP  10.99.18.1      <none>       6379/TCP  3m10s
transaction-service         ClusterIP  10.111.125.191  <none>       8080/TCP  3m10s

==> v1/ServiceAccount
NAME                 SECRETS  AGE
financial-service    1        3m10s
transaction-service  1        3m10s

==> v1beta1/Deployment
NAME                        READY  UP-TO-DATE  AVAILABLE  AGE
financial-service           1/1    1           1          3m10s
financial-service-frontend  1/1    1           1          3m10s
transaction-datastore       1/1    1           1          3m10s
transaction-service         1/1    1           1          3m10s

This example application consists of three microservices (financial-service, transaction-service, transaction-datastore) plus a frontend app.

Expose and access the application

As before, we will use kubectl port-forward:

kubectl -n default port-forward \
  $(kubectl get pod -n default -l app=financial-service-frontend -o jsonpath='{.items[0].metadata.name}') \
  4000:80

You can access an example financial portal app on http://localhost:4000/.

After you authenticate with Cloudentity IdaaS, which acts as the OIDC authorization server, and grant the requested OAuth scopes:

FinPortal Consent Screen

You will be able to see a list of transactions:

FinPortal App

Check the MicroPerimeter™ Dashboard

Now that the example application is deployed and protected by the MicroPerimeter™ Sidecar, you should be able to see the protected services in MicroPerimeter™ Security.

Dashboard view: FinPortal App

Services view: FinPortal App

Detailed services view: FinPortal App