Based on "standard" ONAP installation used for Daily pipelines.
It checks, how Keycloak can be deployed as PaaS component, whereas ONAP realm with user/roles are created as part of the OOM delivery.
e.g. https://gerrit.onap.org/r/c/oom/+/116260
Keycloak deployment
Based on:
https://github.com/codecentric/helm-charts/blob/master/charts/keycloakx/examples/postgresql/readme.md
Add helm registries:
Code Block |
---|
|
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update |
...
Code Block |
---|
title | keycloak-db-values.yaml |
---|
collapse | true |
---|
|
# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql
global:
postgresql:
auth:
username: dbusername
password: dbpassword
database: keycloak
storageClass: cinder-csi |
Create value file for keycloak server:
Code Block |
---|
title | keycloak-server-values.yaml |
---|
collapse | true |
---|
|
# This is an example configuration, for production grade configuration see the Keycloak documentation.
# See https://www.keycloak.org/server/configuration
# See https://www.keycloak.org/server/all-config
command:
- "/opt/keycloak/bin/kc.sh"
- "--verbose"
- "start"
- "--http-enabled=true"
- "--http-port=8080"
- "--hostname-strict=false"
- "--hostname-strict-https=false"
- "--spi-events-listener-jboss-logging-success-level=info"
- "--spi-events-listener-jboss-logging-error-level=warn"
extraEnv: |
- name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: user
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: password
- name: JAVA_OPTS_APPEND
value: >-
-XX:+UseContainerSupport
-XX:MaxRAMPercentage=50.0
-Djava.awt.headless=true
-Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
dbchecker:
enabled: true
database:
vendor: postgres
hostname: keycloak-db-postgresql
port: 5432
username: dbusername
password: dbpassword
database: keycloak
secrets:
admin-creds:
annotations:
my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
stringData:
user: admin
password: secret
|
Add Istio-Ingress resources for the Keycloak access:
Code Block |
---|
| :
enabled: true
|
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: keycloak-gateway
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- keycloak.simpledemo.onap.org
port:
name: http
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- keycloak.simpledemo.onap.org
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: ingress-tls-secret
mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: keycloak-service
spec:
hosts:
- keycloak.simpledemo.onap.org
gateways:
- keycloak-gateway
http:
- route:
- destination:
port:
number: 80
host: keycloak-keycloakx-http |
Create Namespace:
Code Block |
---|
kubectl create namespace keycloak
kubectl label namespace keycloak istio-injection=enabled |
...
Code Block |
---|
helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml |
Add Istio-Ingress Ressources to integrate keycloak to the Ingress:
Code Block |
---|
kubectl -n keycloak apply ./kc-ingress.yaml |