Based on the "standard" ONAP installation used for the daily pipelines.
It shows how Keycloak can be deployed as a PaaS component, while the ONAP realm with its users and roles is created as part of the OOM delivery,
e.g. https://gerrit.onap.org/r/c/oom/+/116260
Keycloak deployment
Based on:
https://github.com/codecentric/helm-charts/blob/master/charts/keycloakx/examples/postgresql/readme.md
Add Helm repositories
...
Code Block: Add Helm Repos
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create override files
Create the values file for the PostgreSQL instance (storageClass is only required if no default storage class is defined). The credentials are placeholders for a test setup; for anything else generate them and prefer the chart's auth.existingSecret option over a password in the values file:
Code Block: keycloak-db-values.yaml
# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql
global:
  # storageClass: cinder-csi   # only required if a storage class other than the default is used
  postgresql:
    auth:
      username: dbusername
      password: dbpassword
      database: keycloak

Create the values file for the Keycloak server (keycloakx chart). Currently not recommended, use the keycloak chart instead. Note that --http-enabled=true and --hostname-strict-https=false are only acceptable because TLS terminates at the Istio ingress; behind such a proxy Keycloak must also be told to trust the forwarded headers (--proxy edge on Keycloak 17 to 23, the counterpart of PROXY_ADDRESS_FORWARDING in the legacy image), and database.password below is stored as plaintext in the values file (the chart also accepts database.existingSecret/existingSecretKey):
Code Block: keycloakx-server-values.yaml
# This is an example configuration, for production grade configuration see the Keycloak documentation.
# See https://www.keycloak.org/server/configuration
# See https://www.keycloak.org/server/all-config
command:
  - "/opt/keycloak/bin/kc.sh"
  - "--verbose"
  - "start"
  - "--http-enabled=true"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--hostname-strict-https=false"
  - "--spi-events-listener-jboss-logging-success-level=info"
  - "--spi-events-listener-jboss-logging-error-level=warn"
extraEnv: |
  - name: KEYCLOAK_ADMIN
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  - name: JAVA_OPTS_APPEND
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.awt.headless=true
      -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
dbchecker:
  enabled: true
database:
  vendor: postgres
  hostname: keycloak-db-postgresql
  port: 5432
  username: dbusername
  password: dbpassword
  database: keycloak
secrets:
  admin-creds:
    annotations:
      my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: admin
      password: secret

Create the values file for the Keycloak server (keycloak chart). Here the database password is not written into the values: it is read from the keycloak-db-postgresql Secret that the PostgreSQL chart generates, mounted as a file and referenced through DB_PASSWORD_FILE. Only the admin credentials (admin/secret here, to be replaced) are still defined in the values via the secrets block:
Code Block: keycloak-server-values.yaml
image:
  # The Keycloak image repository
  repository: quay.io/keycloak/keycloak
  # Overrides the Keycloak image tag whose default is the chart appVersion
  tag: "19.0.3-legacy"
postgresql:
  # If `true`, the Postgresql dependency is enabled
  enabled: false
extraEnv: |
  - name: KEYCLOAK_USER
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  - name: DB_VENDOR
    value: postgres
  - name: DB_ADDR
    value: keycloak-db-postgresql
  - name: DB_PORT
    value: "5432"
  - name: DB_DATABASE
    value: keycloak
  - name: DB_USER
    value: dbusername
  - name: DB_PASSWORD_FILE
    value: /secrets/db-creds/password
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
extraVolumeMounts: |
  - name: db-creds
    mountPath: /secrets/db-creds
    readOnly: true
extraVolumes: |
  - name: db-creds
    secret:
      secretName: keycloak-db-postgresql
secrets:
  admin-creds:
    annotations:
      my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: admin
      password: secret

Add Istio ingress resources for access to Keycloak (not required if the ONAP platform component is installed). The HTTP listener only redirects to HTTPS; TLS is terminated at the gateway with the certificate in ingress-tls-secret, which is why Keycloak itself can run plain HTTP behind it with PROXY_ADDRESS_FORWARDING enabled:
Code Block: kc-ingress.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: keycloak-gateway
spec:
  selector:
    istio: ingress
  servers:
    - hosts:
        - keycloak.simpledemo.onap.org
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - keycloak.simpledemo.onap.org
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-service
spec:
  hosts:
    - keycloak.simpledemo.onap.org
  gateways:
    - keycloak-gateway
  http:
    - route:
        - destination:
            port:
              number: 80
            host: keycloak-http

Install Keycloak DB and Keycloak
Create the namespace (with Istio sidecar injection enabled, so Keycloak joins the mesh):
Code Block
kubectl create namespace keycloak
kubectl label namespace keycloak istio-injection=enabled

...
Install the Keycloak database:
Code Block
helm -n keycloak upgrade -i keycloak-db bitnami/postgresql --values ./keycloak-db-values.yaml

Install the Keycloak server (based on keycloakx). Currently not recommended, use the keycloak chart instead:
Code Block
helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloakx-server-values.yaml

Install the Keycloak server (based on keycloak):
Code Block
helm -n keycloak upgrade -i keycloak codecentric/keycloak --values ./keycloak-server-values.yaml

Add the Istio ingress resources to integrate Keycloak into the ingress (not required if the ONAP platform component is installed):
Code Block
kubectl -n keycloak apply -f ./kc-ingress.yaml

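The whole procedure above as one script, added here as an example; it is not part of the original page, of OOM or of the charts. It follows the recommended path (legacy keycloak chart) with two changes a practitioner would want: the placeholder credentials admin/secret and dbusername/dbpassword are replaced by random ones that live only in Kubernetes Secrets created once (the Keycloak admin user is only created on first start, and the database keeps its data on a PVC, so rotating them on a re-run would break the deployment), and no password is written into either values file at all (the PostgreSQL chart is pointed at the pre-created Secret via global.postgresql.auth.existingSecret, Keycloak mounts the same Secret). After the rollout it checks the OIDC discovery endpoint through a port-forward. The script name, the secret name keycloak-db-creds, the 24-character password length, the DEPLOY=1 guard and the assumption that the bitnami chart reads the keys password and postgres-password from the existing Secret are mine, not from the page.

```shell
#!/usr/bin/env bash
# deploy-keycloak.sh (hypothetical name): the steps of this page as one script.
# Added example, not OOM or chart code. Cluster steps run only with DEPLOY=1, so
# the credential and values helpers can be exercised without a cluster.
set -eu

NS="${NS:-keycloak}"
RELEASE="${RELEASE:-keycloak}"          # helm release name -> chart fullname "keycloak"
DB_RELEASE="${DB_RELEASE:-keycloak-db}" # -> service keycloak-db-postgresql, as on this page
DB_USER="${DB_USER:-keycloak}"
DB_NAME="${DB_NAME:-keycloak}"
KC_ADMIN_USER="${KC_ADMIN_USER:-admin}"

# 24 alphanumeric characters from the kernel CSPRNG, replacing the placeholder
# passwords "dbpassword" and "secret" from the values files above.
gen_password() {
  head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-24
}

# Secrets are created once and never rewritten (see lead-in).
ensure_secret() {  # $1 = secret name, remaining args = --from-literal=key=value ...
  local name="$1"; shift
  kubectl -n "$NS" get secret "$name" >/dev/null 2>&1 \
    || kubectl -n "$NS" create secret generic "$name" "$@"
}

# bitnami/postgresql values: credentials come from the pre-created Secret
# (assumption: chart reads keys "password" and "postgres-password" by default).
render_db_values() {  # $1 = output path
  cat > "$1" <<EOF
global:
  postgresql:
    auth:
      username: ${DB_USER}
      database: ${DB_NAME}
      existingSecret: ${DB_RELEASE}-creds
EOF
}

# codecentric/keycloak (legacy) values, same layout as keycloak-server-values.yaml
# above but without the "secrets:" block: only Secret names are referenced.
render_kc_values() {  # $1 = output path
  cat > "$1" <<EOF
image:
  repository: quay.io/keycloak/keycloak
  tag: "19.0.3-legacy"
postgresql:
  enabled: false
extraEnv: |
  - name: KEYCLOAK_USER
    valueFrom: {secretKeyRef: {name: ${RELEASE}-admin-creds, key: user}}
  - name: KEYCLOAK_PASSWORD
    valueFrom: {secretKeyRef: {name: ${RELEASE}-admin-creds, key: password}}
  - {name: DB_VENDOR, value: postgres}
  - {name: DB_ADDR, value: ${DB_RELEASE}-postgresql}
  - {name: DB_PORT, value: "5432"}
  - {name: DB_DATABASE, value: ${DB_NAME}}
  - {name: DB_USER, value: ${DB_USER}}
  - {name: DB_PASSWORD_FILE, value: /secrets/db-creds/password}
  - {name: PROXY_ADDRESS_FORWARDING, value: "true"}
extraVolumeMounts: |
  - {name: db-creds, mountPath: /secrets/db-creds, readOnly: true}
extraVolumes: |
  - name: db-creds
    secret: {secretName: ${DB_RELEASE}-creds}
EOF
}

# Returns 0 if a values file carries a literal password value (block- or flow-style).
values_contain_password() {
  grep -qE '(^|[{,])[[:space:]]*password:[[:space:]]*[^[:space:]]' "$1"
}

deploy() {
  local tmp pf f url
  tmp="$(mktemp -d)"; trap "rm -rf '$tmp'" EXIT
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl label namespace "$NS" istio-injection=enabled --overwrite
  ensure_secret "${RELEASE}-admin-creds" \
    --from-literal=user="$KC_ADMIN_USER" --from-literal=password="$(gen_password)"
  ensure_secret "${DB_RELEASE}-creds" \
    --from-literal=password="$(gen_password)" --from-literal=postgres-password="$(gen_password)"
  render_db_values "$tmp/keycloak-db-values.yaml"
  render_kc_values "$tmp/keycloak-server-values.yaml"
  for f in "$tmp"/*.yaml; do
    if values_contain_password "$f"; then echo "literal password in $f, refusing" >&2; return 1; fi
  done
  helm -n "$NS" upgrade -i "$DB_RELEASE" bitnami/postgresql --values "$tmp/keycloak-db-values.yaml"
  helm -n "$NS" upgrade -i "$RELEASE" codecentric/keycloak --values "$tmp/keycloak-server-values.yaml"
  kubectl -n "$NS" apply -f ./kc-ingress.yaml
  kubectl -n "$NS" rollout status "statefulset/$RELEASE" --timeout=600s
  # Smoke test via the chart's service keycloak-http:80 (the VirtualService target);
  # the legacy image serves under /auth.
  kubectl -n "$NS" port-forward "svc/${RELEASE}-http" 18080:80 >/dev/null 2>&1 &
  pf=$!; sleep 3
  url="http://127.0.0.1:18080/auth/realms/master/.well-known/openid-configuration"
  if curl -fsS "$url" >/dev/null; then echo "Keycloak master realm reachable"; else kill "$pf"; return 1; fi
  kill "$pf"
}

if [ "${DEPLOY:-0}" = "1" ]; then deploy; fi
```

Run with `DEPLOY=1 ./deploy-keycloak.sh` from the directory holding kc-ingress.yaml; the admin password is only ever readable from the Secret (`kubectl -n keycloak get secret keycloak-admin-creds -o jsonpath='{.data.password}' | base64 -d`), which is the point of keeping it out of values files that tend to end up in git.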