Install Keycloak in ONAP Platform

Based on "standard" ONAP installation used for Daily pipelines.
It checks, how Keycloak can be deployed as PaaS component, whereas ONAP realm with user/roles are created as part of the OOM delivery.
e.g. https://gerrit.onap.org/r/c/oom/+/116260

Keycloak deployment

Based on:
https://github.com/codecentric/helm-charts/blob/master/charts/keycloakx/examples/postgresql/readme.md

Add helm registries

Add Helm Repos

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create override files

Create value files for PostgreSQL instance (storageClass only required, if default class is not defined):

keycloak-db-values.yaml

# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql
global:
  postgresql:
    auth:
      username: dbusername
      password: dbpassword
      database: keycloak
  # storageClass: cinder-csi - only required if other storageclass than default is  used

Create value file for keycloak server (for keycloakx charts) - (currently not recommended, use keycloak instead of keycloakx charts):

keycloakx-server-values.yaml

# This is an example configuration, for production grade configuration see the Keycloak documentation.
# See https://www.keycloak.org/server/configuration
# See https://www.keycloak.org/server/all-config
command:
  - "/opt/keycloak/bin/kc.sh"
  - "--verbose"
  - "start"
  - "--http-enabled=true"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--hostname-strict-https=false"
  - "--spi-events-listener-jboss-logging-success-level=info"
  - "--spi-events-listener-jboss-logging-error-level=warn"

extraEnv: |
  - name: KEYCLOAK_ADMIN
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  - name: JAVA_OPTS_APPEND
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.awt.headless=true
      -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless

dbchecker:
  enabled: true

database:
  vendor: postgres
  hostname: keycloak-db-postgresql
  port: 5432
  username: dbusername
  password: dbpassword
  database: keycloak

secrets:
  admin-creds:
    annotations:
      my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: admin
      password: secret

Create value file for keycloak server (for keycloak charts):

keycloak-server-values.yaml

Add Istio-Ingress resources for the Keycloak access (not required, if ONAP-Platform component is installed):

kc-ingress.yaml

Install Keycloak DB and Keycloak

Create Namespace:

Install DB:

Install Keycloak Server (based on keycloakx) - (currently not recommended, use keycloak instead of keycloakx charts):

Install Keycloak Server (based on keycloak):

Add Istio-Ingress Ressources to integrate keycloak to the Ingress (not required, if ONAP-Platform component is installed):