Install Keycloak in ONAP Platform

This page is based on the "standard" ONAP installation used for the Daily pipelines.
It examines how Keycloak can be deployed as a PaaS component, while the ONAP realm with its users and roles is created as part of the OOM delivery,
e.g. https://gerrit.onap.org/r/c/oom/+/116260

Keycloak deployment

Based on:
https://github.com/codecentric/helm-charts/blob/master/charts/keycloakx/examples/postgresql/readme.md

Add helm registries



Add Helm Repos
    helm repo add bitnami https://charts.bitnami.com/bitnami
    helm repo add codecentric https://codecentric.github.io/helm-charts
    helm repo update

Create override files

Create the values file for the PostgreSQL instance (storageClass is only required if no default class is defined):

keycloak-db-values.yaml
    # See https://github.com/bitnami/charts/tree/master/bitnami/postgresql
    global:
      postgresql:
        auth:
          username: dbusername
          password: dbpassword
          database: keycloak
      # storageClass: cinder-csi - only required if other storageclass than default is used


Create the values file for the Keycloak server (for the keycloakx chart; currently not recommended, use the keycloak chart instead of keycloakx):

keycloakx-server-values.yaml
    # This is an example configuration, for production grade configuration see the Keycloak documentation.
    # See https://www.keycloak.org/server/configuration
    # See https://www.keycloak.org/server/all-config
    command:
      - "/opt/keycloak/bin/kc.sh"
      - "--verbose"
      - "start"
      - "--http-enabled=true"
      - "--http-port=8080"
      - "--hostname-strict=false"
      - "--hostname-strict-https=false"
      - "--spi-events-listener-jboss-logging-success-level=info"
      - "--spi-events-listener-jboss-logging-error-level=warn"

    extraEnv: |
      - name: KEYCLOAK_ADMIN
        valueFrom:
          secretKeyRef:
            name: {{ include "keycloak.fullname" . }}-admin-creds
            key: user
      - name: KEYCLOAK_ADMIN_PASSWORD
        valueFrom:
          secretKeyRef:
            name: {{ include "keycloak.fullname" . }}-admin-creds
            key: password
      - name: JAVA_OPTS_APPEND
        value: >-
          -XX:+UseContainerSupport
          -XX:MaxRAMPercentage=50.0
          -Djava.awt.headless=true
          -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless

    dbchecker:
      enabled: true

    database:
      vendor: postgres
      hostname: keycloak-db-postgresql
      port: 5432
      username: dbusername
      password: dbpassword
      database: keycloak

    secrets:
      admin-creds:
        annotations:
          my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
        stringData:
          user: admin
          password: secret
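
The values file above is, by its own header comment, an example configuration: it carries the database and admin passwords as literals and starts Keycloak with the HTTP listener on and the hostname checks relaxed. The following pre-install check is an added example (not part of the original page or of the ONAP or codecentric charts) that flags exactly those settings in a values file; the function name `audit_values`, the finding messages and the embedded excerpt are this example's own.

```python
import re

# Flags set in the page's keycloakx-server-values.yaml that relax transport or
# hostname checks. The messages are this example's own wording.
RISKY_FLAGS = {
    ("http-enabled", "true"): "plain HTTP listener on; TLS must terminate in front",
    ("hostname-strict", "false"): "hostname is derived from request headers",
    ("hostname-strict-https", "false"): "non-HTTPS frontend URLs are accepted",
}
KEY_LINE = re.compile(r"^(\s*(?:- )?)([\w.-]+):\s*(.*)$")
FLAG = re.compile(r"--([\w-]+)=([^\s\"']+)")

def audit_values(text):
    """Return (kind, location, detail) findings for a Helm values file."""
    findings, stack = [], []      # stack: (indent, key) of the open mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for name, value in FLAG.findall(line):
            if (name, value) in RISKY_FLAGS:
                findings.append(("flag", f"--{name}={value}", RISKY_FLAGS[(name, value)]))
        if not (m := KEY_LINE.match(line)):
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        # A literal under a "password" key is a secret stored in clear text;
        # empty values and Helm template expressions are not literals.
        if key == "password" and value and "{{" not in value:
            path = ".".join(k for _, k in stack)
            findings.append(("secret", path, "literal password in values file"))
    return findings

# Excerpt of the page's keycloakx-server-values.yaml (values as published there).
SAMPLE = '''\
command:
  - "--http-enabled=true"
  - "--hostname-strict=false"
  - "--hostname-strict-https=false"
database:
  password: dbpassword
secrets:
  admin-creds:
    stringData:
      password: secret
'''
if __name__ == "__main__":
    print(*audit_values(SAMPLE), sep="\n")
```

The check works line by line and needs no YAML library, so it also accepts values files whose block scalars contain Helm template expressions, as `extraEnv` does here.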



Create the values file for the Keycloak server (for the keycloak chart):

keycloak-server-values.yaml



Add Istio-Ingress resources for Keycloak access (not required if the ONAP-Platform component is installed):

kc-ingress.yaml



Install Keycloak DB and Keycloak

Create Namespace:



Install DB:



Install Keycloak Server (based on keycloakx; currently not recommended, use the keycloak chart instead of keycloakx):

Install Keycloak Server (based on keycloak):



Add Istio-Ingress resources to integrate Keycloak into the Ingress (not required if the ONAP-Platform component is installed):