Install Keycloak in ONAP Platform

Based on the "standard" ONAP installation used for the daily pipelines.
This page checks how Keycloak can be deployed as a PaaS component, while the ONAP realm with its users and roles is created as part of the OOM delivery, e.g.
https://gerrit.onap.org/r/c/oom/+/116260

Keycloak deployment

Based on:
https://github.com/codecentric/helm-charts/blob/master/charts/keycloakx/examples/postgresql/readme.md

Add Helm repos

```shell
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
```

Create override files

Create the value file for the PostgreSQL instance (storageClass is only required if no default storage class is defined or a class other than the default should be used):

keycloak-db-values.yaml

```yaml
# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql
global:
  postgresql:
    auth:
      username: dbusername
      password: dbpassword
      database: keycloak
  # storageClass: cinder-csi   # only required if a storage class other than the default is used
```


Create the value file for the Keycloak server when using the keycloakx chart (currently not recommended; use the keycloak chart instead):

keycloakx-server-values.yaml

```yaml
# This is an example configuration, for production grade configuration see the Keycloak documentation.
# See https://www.keycloak.org/server/configuration
# See https://www.keycloak.org/server/all-config
command:
  - "/opt/keycloak/bin/kc.sh"
  - "--verbose"
  - "start"
  - "--http-enabled=true"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--hostname-strict-https=false"
  - "--spi-events-listener-jboss-logging-success-level=info"
  - "--spi-events-listener-jboss-logging-error-level=warn"

extraEnv: |
  - name: KEYCLOAK_ADMIN
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  - name: JAVA_OPTS_APPEND
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.awt.headless=true
      -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless

dbchecker:
  enabled: true

database:
  vendor: postgres
  hostname: keycloak-db-postgresql
  port: 5432
  username: dbusername
  password: dbpassword
  database: keycloak

secrets:
  admin-creds:
    annotations:
      my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: admin
      password: secret
```



Create the value file for the Keycloak server when using the keycloak chart:

keycloak-server-values.yaml

```yaml
image:
  # The Keycloak image repository
  repository: quay.io/keycloak/keycloak
  # Overrides the Keycloak image tag whose default is the chart appVersion
  tag: "19.0.3-legacy"

postgresql:
  # If `true`, the Postgresql dependency is enabled
  enabled: false

extraEnv: |
  - name: KEYCLOAK_USER
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  - name: DB_VENDOR
    value: postgres
  - name: DB_ADDR
    value: keycloak-db-postgresql
  - name: DB_PORT
    value: "5432"
  - name: DB_DATABASE
    value: keycloak
  - name: DB_USER
    value: dbusername
  - name: DB_PASSWORD_FILE
    value: /secrets/db-creds/password
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"

extraVolumeMounts: |
  - name: db-creds
    mountPath: /secrets/db-creds
    readOnly: true

extraVolumes: |
  - name: db-creds
    secret:
      secretName: keycloak-db-postgresql

secrets:
  admin-creds:
    annotations:
      my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: admin
      password: secret
```



Add the Istio ingress resources for Keycloak access (not required if the ONAP platform component is installed):

kc-ingress.yaml

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: keycloak-gateway
spec:
  selector:
    istio: ingress
  servers:
    - hosts:
        - keycloak.simpledemo.onap.org
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - keycloak.simpledemo.onap.org
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-service
spec:
  hosts:
    - keycloak.simpledemo.onap.org
  gateways:
    - keycloak-gateway
  http:
    - route:
        - destination:
            port:
              number: 80
            host: keycloak-http
```



Install Keycloak DB and Keycloak

Create Namespace:

```shell
kubectl create namespace keycloak
kubectl label namespace keycloak istio-injection=enabled
```



Install DB:

```shell
helm -n keycloak upgrade -i keycloak-db bitnami/postgresql --values ./keycloak-db-values.yaml
```



Install the Keycloak server based on the keycloakx chart (currently not recommended; use the keycloak chart instead):

```shell
helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloakx-server-values.yaml
```

Install the Keycloak server based on the keycloak chart:

```shell
helm -n keycloak upgrade -i keycloak codecentric/keycloak --values ./keycloak-server-values.yaml
```



Add the Istio ingress resources to integrate Keycloak into the ingress (not required if the ONAP platform component is installed):

```shell
kubectl -n keycloak apply -f ./kc-ingress.yaml
```
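The override files above carry the literal credentials `dbpassword` and `secret`, which end up in Helm release history and in any repository the files are committed to. The script below is an added example (not part of this page, the OOM delivery, or the bitnami/codecentric charts) that runs the steps of this page in order with generated credentials kept in Kubernetes Secrets, then checks the deployment through the ingress rather than through the cluster Service. It assumes, beyond what the page states, that bitnami/postgresql honours `global.postgresql.auth.existingSecret` with its default keys `password` and `postgres-password`, that the codecentric/keycloak release `keycloak` creates a StatefulSet named `keycloak`, that the 19.0.3-legacy image serves under `/auth`, and that `RUN_INSTALL`, `NS`, `KC_HOST` and `VALUES_DIR` are names chosen for this script.

```shell
#!/usr/bin/env sh
# Added example, not from the ONAP/OOM page nor from the bitnami/codecentric charts.
# Runs the steps of this page in order, but replaces the literal "dbpassword" and
# "secret" values from the override files with generated credentials kept in
# Kubernetes Secrets, and verifies the result through the ingress.
# Assumptions not stated on the page: bitnami/postgresql honours
# global.postgresql.auth.existingSecret with the default keys "password" and
# "postgres-password"; the codecentric/keycloak release "keycloak" creates a
# StatefulSet named "keycloak"; the 19.0.3-legacy image serves under /auth;
# RUN_INSTALL, NS, KC_HOST and VALUES_DIR are names chosen for this script.
set -eu

NS="${NS:-keycloak}"
KC_HOST="${KC_HOST:-keycloak.simpledemo.onap.org}"
VALUES_DIR="${VALUES_DIR:-.}"

# 32 hex characters (128 bits) read from /dev/urandom. Hex only, so the value
# needs no escaping when passed through `helm --set`.
gen_password() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reads an OIDC discovery document on stdin and succeeds only if its "issuer"
# equals the expected external URL. With --hostname-strict=false and
# PROXY_ADDRESS_FORWARDING=true Keycloak derives the issuer from the forwarded
# request, so an internal value such as http://keycloak-http/... means the
# ingress is not forwarding Host/X-Forwarded-* and issued tokens will be
# rejected by clients configured with the external URL.
check_issuer() {
  expected="$1"
  issuer=$(sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$issuer" ] && [ "$issuer" = "$expected" ]
}

# Create or update a generic Secret idempotently (create --dry-run | apply).
apply_secret() {
  name="$1"; shift
  kubectl -n "$NS" create secret generic "$name" "$@" \
    --dry-run=client -o yaml | kubectl apply -f -
}

install_keycloak() {
  db_pw=$(gen_password)
  db_admin_pw=$(gen_password)
  kc_admin_pw=$(gen_password)

  kubectl get namespace "$NS" >/dev/null 2>&1 || kubectl create namespace "$NS"
  kubectl label namespace "$NS" istio-injection=enabled --overwrite

  # Same Secret name that keycloak-server-values.yaml mounts at /secrets/db-creds,
  # so the page's file works unchanged while the chart no longer renders a password.
  apply_secret keycloak-db-postgresql \
    --from-literal=password="$db_pw" \
    --from-literal=postgres-password="$db_admin_pw"

  helm -n "$NS" upgrade -i keycloak-db bitnami/postgresql \
    --values "$VALUES_DIR/keycloak-db-values.yaml" \
    --set global.postgresql.auth.existingSecret=keycloak-db-postgresql

  # Override only the literal admin password from keycloak-server-values.yaml.
  helm -n "$NS" upgrade -i keycloak codecentric/keycloak \
    --values "$VALUES_DIR/keycloak-server-values.yaml" \
    --set secrets.admin-creds.stringData.password="$kc_admin_pw"

  kubectl -n "$NS" apply -f "$VALUES_DIR/kc-ingress.yaml"
  kubectl -n "$NS" rollout status statefulset/keycloak --timeout=600s

  # Post-install check through the ingress, not through the cluster Service.
  curl -sSf "https://$KC_HOST/auth/realms/master/.well-known/openid-configuration" \
    | check_issuer "https://$KC_HOST/auth/realms/master"
  echo "Keycloak is reachable at https://$KC_HOST/auth/ with the expected issuer."
  echo "Admin password: kubectl -n $NS get secret keycloak-admin-creds -o jsonpath='{.data.password}' | base64 -d"
}

# Only touch a cluster when explicitly asked, so the helpers above can be
# sourced and exercised without kubectl/helm being present.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
  install_keycloak
fi
```

Run it from the directory holding the three value files with `RUN_INSTALL=1 sh install-keycloak.sh`. Once `existingSecret` is set, the `password:` lines in keycloak-db-values.yaml are ignored by the chart and can be deleted. The script changes nothing else: `--http-enabled=true`, `--hostname-strict=false` and `--hostname-strict-https=false` remain the development settings the values file itself flags as non-production, and the Keycloak configuration pages referenced there are the place to harden them.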


