Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Based on "standard" ONAP installation used for Daily pipelines.
It checks, how Keycloak can be deployed as PaaS component, whereas ONAP realm with user/roles are created as part of the OOM delivery.
e.g. https://gerrit.onap.org/r/c/oom/+/116260

Keycloak deployment

Based on:
https://github.com/codecentric/helm-charts/blob/master/charts/keycloakx/examples/postgresql/readme.md

Add helm registries:

Code Block
collapsetrue
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

...

Code Block
titlekeycloak-db-values.yaml
collapsetrue
# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql
global:
  postgresql:
    auth:
      username: dbusername
      password: dbpassword
      database: keycloak
  storageClass: cinder-csi

Create value file for keycloak server:

Code Block
titlekeycloak-server-values.yaml
collapsetrue
# This is an example configuration, for production grade configuration see the Keycloak documentation.
# See https://www.keycloak.org/server/configuration
# See https://www.keycloak.org/server/all-config
command:
  - "/opt/keycloak/bin/kc.sh"
  - "--verbose"
  - "start"
  - "--http-enabled=true"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--hostname-strict-https=false"
  - "--spi-events-listener-jboss-logging-success-level=info"
  - "--spi-events-listener-jboss-logging-error-level=warn"

extraEnv: |
  - name: KEYCLOAK_ADMIN
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  - name: JAVA_OPTS_APPEND
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.awt.headless=true
      -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless

dbchecker:
  enabled: true

database:
  vendor: postgres
  hostname: keycloak-db-postgresql
  port: 5432
  username: dbusername
  password: dbpassword
  database: keycloak

secrets:
  admin-creds:
    annotations:
      my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: admin
      password: secret

Add Istio-Ingress resources for the Keycloak access:

: enabled: true
Code Block
titlekc-ingress
.yaml
collapsetrue
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: keycloak-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - keycloak.simpledemo.onap.org
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - keycloak.simpledemo.onap.org
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-service
spec:
  hosts:
    - keycloak.simpledemo.onap.org
  gateways:
    - keycloak-gateway
  http:
    - route:
      - destination:
          port:
            number: 80
          host: keycloak-keycloakx-http


Create Namespace:

Code Block
kubectl create namespace keycloak
kubectl label namespace keycloak istio-injection=enabled

...

Code Block
helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml


Add Istio-Ingress Ressources to integrate keycloak to the Ingress:

Code Block
kubectl -n keycloak apply ./kc-ingress.yaml