Repository for the Alfresco Identity Service
Latest commit f5c4b98 by rpopa, Nov 14, 2018 (#45):

DEPLOY-632: Update documentation where ingressvalues.yaml file is created
   - updated README.md in order to use alfresco-infrastructure to deploy the identity service


Alfresco Identity Service

The Alfresco Identity Service will become the central component responsible for identity-related capabilities needed by other Alfresco software, such as managing users, groups, roles, profiles, and authentication. Currently it deals just with authentication. This project contains the open-source core of this service.

Prerequisites

The Alfresco Identity Service deployment requires:

| Component | Recommended version |
| --- | --- |
| Docker | 17.0.9.1 |
| Kubernetes | 1.8.4 |
| Kubectl | 1.8.4 |
| Helm | 2.8.2 |
| Kops | 1.8.1 |

Any variation from these technologies and versions may affect the end result. If you do experience any issues, please let us know through our Gitter channel.

Kubernetes Cluster

These instructions illustrate deployment to a Kubernetes cluster on AWS.

Please check the Anaxes Shipyard documentation on running a cluster.

If you are deploying the Identity Service into a cluster with other Alfresco components such as Content Services and Process Services, a VPC and a cluster with 5 nodes are recommended. Each node should be an m4.xlarge EC2 instance.

Helm Tiller

Initialize the Helm Tiller:

helm init

Note that a plain helm init installs Tiller with no TLS between the Helm client and Tiller, running under whatever permissions the namespace's default service account carries. On a shared or RBAC-enabled cluster, give Tiller its own service account (helm init --service-account <name>) and consider enabling TLS (helm init --tiller-tls, with --tls on the client commands).

K8s Cluster Namespace

As described in the Anaxes Shipyard guidelines, deploy into a separate namespace in the cluster to avoid conflicts (create the namespace only if it does not already exist):

export DESIREDNAMESPACE=example
kubectl create namespace $DESIREDNAMESPACE

This environment variable will be used in the deployment steps.

Deploying the Identity Service Chart

  1. This chart is deployed through the Alfresco Infrastructure chart, which deploys the Identity Service as one of its components. With the following command only the Identity Service and the nginx-ingress are deployed:

helm repo add alfresco-incubator https://kubernetes-charts.alfresco.com/incubator
helm repo add alfresco-stable https://kubernetes-charts.alfresco.com/stable

helm install alfresco-incubator/alfresco-infrastructure --version 3.0.0-SNAPSHOT \
  --set alfresco-infrastructure.activemq.enabled=false \
  --set alfresco-infrastructure.nginx-ingress.enabled=true \
  --set alfresco-infrastructure.alfresco-identity-service.enabled=true \
  --namespace $DESIREDNAMESPACE

  2. Helm prints the generated release name (a random two-word name such as knobby-wolf). Record it in a variable, substituting the name from your own output:

export RELEASENAME=knobby-wolf

  3. Wait for the release to finish deploying. When you check the status, every pod should show READY 1/1:

helm status $RELEASENAME

  4. Get the address of the ingress load balancer and keep it in a variable for later steps. The command below reads the load balancer hostname, which is what AWS assigns to the ELB; on Minikube no such hostname is provisioned and you would use the Minikube node IP instead:

export ELBADDRESS=$(kubectl get services $RELEASENAME-nginx-ingress-controller --namespace=$DESIREDNAMESPACE -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

The deployment

The chart is deployed with the default example realm applied, which results in these default values:

| Property | Value |
| --- | --- |
| Admin User Username | admin |
| Admin User Password | admin |
| Admin User Email | admin@app.activiti.com |
| Alfresco Client Redirect URIs | http://localhost* |

(Note that APS expects the email as the user name.)

These defaults are public, so anyone who can reach the ingress address can log in to the Keycloak Admin Console as admin/admin. Change the admin password, or deploy your own realm as described under Customizing the Realm below, before exposing the service beyond a test environment.

Changing Alfresco Client redirectUris

You can override the default redirectUri of http://localhost* for your environment with the alfresco-identity-service.client.alfresco.redirectUris property. The value is a JSON array literal, so its quotes must reach Helm intact; DNSNAME below stands for the hostname clients will use to reach the service, for example the ELB address captured above:

helm install alfresco-incubator/alfresco-infrastructure --version 3.0.0-SNAPSHOT \
  --set alfresco-infrastructure.activemq.enabled=false \
  --set alfresco-infrastructure.nginx-ingress.enabled=true \
  --set alfresco-infrastructure.alfresco-identity-service.enabled=true \
  --set alfresco-identity-service.client.alfresco.redirectUris="[\"http://$DNSNAME*\"]" \
  --namespace $DESIREDNAMESPACE

Including multiple redirectUris (commas inside a --set value must be escaped as \, or Helm treats them as separators between values):

helm install alfresco-incubator/alfresco-infrastructure --version 3.0.0-SNAPSHOT \
  --set alfresco-infrastructure.activemq.enabled=false \
  --set alfresco-infrastructure.nginx-ingress.enabled=true \
  --set alfresco-infrastructure.alfresco-identity-service.enabled=true \
  --set alfresco-identity-service.client.alfresco.redirectUris="[\"http://$DNSNAME*\"\,\"http://$DNSNAME1*\"\,\"http://$DNSNAME2*\"]" \
  --namespace $DESIREDNAMESPACE

Keep the patterns as narrow as you can. A trailing * in a Keycloak redirect URI is a plain prefix match, so http://$DNSNAME* also accepts http://$DNSNAME.attacker.example/ and any other host that merely begins with your name. Placing the wildcard after the path separator (https://$DNSNAME/*) and using https closes that gap.

If you want to deploy your own realm with further customizations, see Customizing the Realm below.
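The trailing-wildcard behaviour matters more than the Helm quoting. The following Python, added here as an example and not code from the Identity Service project or from Keycloak, models Keycloak's rule for redirect URIs that end in * and shows why the http://$DNSNAME* pattern above also admits foreign hosts, while https://$DNSNAME/* does not. identity.example.com and attacker.example are constructed names standing in for $DNSNAME and an attacker's domain; helm_set_redirect_uris assumes, as the bracketed quoting above suggests, that the chart takes the list as a JSON-array string.

```python
"""Model of Keycloak's trailing-wildcard redirect URI rule.
Added example; not code from the Alfresco Identity Service project or Keycloak."""
import json
from urllib.parse import urlsplit


def matches_redirect(registered: str, requested: str) -> bool:
    """Simplified model of Keycloak's rule: a registered URI ending in '*' is a
    prefix match on everything before the '*' (any query string on the request
    is ignored); a registered URI without '*' must match exactly."""
    if registered.endswith("*"):
        prefix = registered[:-1]
        candidate = requested.split("?", 1)[0]
        if candidate.startswith(prefix):
            return True
        # Keycloak also accepts the bare prefix with its trailing slash removed.
        return candidate == prefix.rstrip("/")
    return registered == requested


def is_valid_redirect(client_redirect_uris, requested: str) -> bool:
    """True if any registered pattern of the client admits the requested URI."""
    return any(matches_redirect(r, requested) for r in client_redirect_uris)


def host_bounded_pattern(scheme: str, host: str) -> str:
    """Wildcard pattern whose '*' starts after the path separator, so the host
    component can no longer be extended by an attacker."""
    return f"{scheme}://{host}/*"


def lint_redirect_uri(pattern: str):
    """Flag the two weaknesses of the README default http://localhost* when it
    is reused for a real hostname: plain http, and a wildcard glued to the host."""
    problems = []
    parts = urlsplit(pattern.rstrip("*") or pattern)
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        problems.append("plain http: authorization code travels unencrypted")
    if pattern.endswith("*") and not parts.path:
        problems.append("wildcard directly after host: matches foreign hosts")
    return problems


def helm_set_redirect_uris(uris):
    """Value for --set alfresco-identity-service.client.alfresco.redirectUris=...
    ASSUMPTION: the chart expects a JSON-array string. Commas inside a --set
    value must be escaped as '\\,' or Helm splits the value apart."""
    return json.dumps(list(uris), separators=(",", ":")).replace(",", "\\,")


def demo():
    # Constructed hostname standing in for $DNSNAME in the README.
    dnsname = "identity.example.com"
    broad = [f"http://{dnsname}*"]                        # the README's pattern
    bounded = [host_bounded_pattern("https", dnsname)]    # tightened pattern
    hostile = f"http://{dnsname}.attacker.example/cb"     # constructed attacker URL
    legit = f"https://{dnsname}/share/page"
    return {
        "broad_accepts_hostile": is_valid_redirect(broad, hostile),
        "bounded_accepts_hostile": is_valid_redirect(bounded, hostile),
        "bounded_accepts_legit": is_valid_redirect(bounded, legit),
        "lint_broad": lint_redirect_uri(broad[0]),
        "helm_value": helm_set_redirect_uris(bounded + ["https://share.example.com/*"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately ignores Keycloak's handling of relative URIs and of the installed-app URL; it is enough to see that the prefix rule stops at nothing, so the host must be terminated by a slash before the wildcard.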

Customizing the Realm

Customizing the Realm During Deployment

  1. You will need a realm file. A sample realm file is provided.

  2. Create a secret from your realm JSON file.

NOTE: The secret name must be realm-secret, and the realm file must not be named alfresco-realm.json.

kubectl create secret generic realm-secret \
  --from-file=./realm.json \
  --namespace=$DESIREDNAMESPACE

  3. Deploy the chart with the new settings. The keycloak.import path must name the same file you placed in the secret, under /realm where the secret is mounted; if the two disagree, Keycloak starts without your realm:

helm repo add alfresco-incubator https://kubernetes-charts.alfresco.com/incubator

helm install alfresco-incubator/alfresco-infrastructure --version 3.0.0-SNAPSHOT \
  --set alfresco-infrastructure.activemq.enabled=false \
  --set alfresco-infrastructure.nginx-ingress.enabled=true \
  --set alfresco-infrastructure.alfresco-identity-service.enabled=true \
  --set alfresco-infrastructure.alfresco-identity-service.keycloak.keycloak.extraArgs="-Dkeycloak.import=/realm/realm.json" \
  --namespace $DESIREDNAMESPACE

Once Keycloak is up and running, log in to the Management Console to configure the required realm, either manually or by importing the sample realm file.

Manually

  1. Add a realm named "Alfresco"

  2. Create an OIDC client named "alfresco" within the Alfresco realm

  3. Create a group named "admin"

  4. Add a new user with a username of "testuser", email of "test@test.com" and first and last name of "test"

Using the Sample Realm File

  1. Go to the Add Realm page and click the "Select File" button next to the Import label.

  2. Choose the sample realm file and click the "Create" button.
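The page refers to a sample realm file but does not show one. The following Python is an added example rather than the project's sample realm: it builds a minimal Keycloak realm import covering the four manual steps above (realm Alfresco, OIDC client alfresco, group admin, user testuser), checks the result against those steps, and derives the kubectl and helm arguments from the Customizing the Realm section so that the secret's file name and the keycloak.import path cannot drift apart. The redirect URI identity.example.com and the temporary test password are constructed values, and the check that passwords in the file are temporary is this example's own precaution against shipping fixed credentials such as the admin/admin default.

```python
"""Realm import builder and consistency checks for the realm-secret procedure.
Added example; not the Alfresco Identity Service project's sample realm file."""
import json
from pathlib import Path

REALM_SECRET_NAME = "realm-secret"                # fixed by the chart, per the README
RESERVED_REALM_FILENAME = "alfresco-realm.json"   # must not be reused, per the README
REALM_MOUNT_DIR = "/realm"                        # matches -Dkeycloak.import=/realm/...


def build_realm(redirect_uris, temporary_test_password="changeme"):
    """Minimal realm representation in Keycloak's import format.
    ASSUMPTION: step 4 of the README names no password for testuser; this
    example gives it a temporary one so Keycloak forces a reset at first login."""
    return {
        "realm": "Alfresco",
        "enabled": True,
        "clients": [{
            "clientId": "alfresco",
            "protocol": "openid-connect",
            "enabled": True,
            "publicClient": True,
            "standardFlowEnabled": True,
            "redirectUris": list(redirect_uris),
        }],
        "groups": [{"name": "admin"}],
        "users": [{
            "username": "testuser",
            "email": "test@test.com",
            "firstName": "test",
            "lastName": "test",
            "enabled": True,
            "groups": ["/admin"],   # group paths, as Keycloak's user import expects
            "credentials": [{"type": "password",
                             "value": temporary_test_password,
                             "temporary": True}],
        }],
    }


def import_plan(realm_filename: str):
    """Derive the kubectl and helm arguments that must agree with each other.
    Raises if the file name collides with the chart's own realm file."""
    name = Path(realm_filename).name
    if name == RESERVED_REALM_FILENAME:
        raise ValueError(f"realm file must not be named {RESERVED_REALM_FILENAME}")
    if not name.endswith(".json"):
        raise ValueError("realm file must be a .json file")
    return {
        "secret_name": REALM_SECRET_NAME,
        "from_file": f"--from-file=./{name}",
        "extra_args": f"-Dkeycloak.import={REALM_MOUNT_DIR}/{name}",
    }


def check_realm(realm: dict):
    """Verify the realm satisfies the four manual steps and that every
    password in the file is temporary (a fixed one ships as a known credential)."""
    findings = []
    if realm.get("realm") != "Alfresco":
        findings.append("realm must be named Alfresco")
    clients = {c["clientId"]: c for c in realm.get("clients", [])}
    alfresco = clients.get("alfresco")
    if not alfresco or alfresco.get("protocol") != "openid-connect":
        findings.append("OIDC client 'alfresco' missing")
    if not any(g.get("name") == "admin" for g in realm.get("groups", [])):
        findings.append("group 'admin' missing")
    users = {u["username"]: u for u in realm.get("users", [])}
    if users.get("testuser", {}).get("email") != "test@test.com":
        findings.append("user 'testuser' with email test@test.com missing")
    for user in users.values():
        for cred in user.get("credentials", []):
            if cred.get("type") == "password" and not cred.get("temporary"):
                findings.append(f"permanent password set for {user['username']}")
    return findings


def write_realm(path: str, realm: dict) -> dict:
    """Write the realm file and return the matching kubectl/helm arguments."""
    Path(path).write_text(json.dumps(realm, indent=2))
    return import_plan(path)


if __name__ == "__main__":
    realm = build_realm(["https://identity.example.com/*"])   # constructed hostname
    assert not check_realm(realm)
    print(write_realm("realm.json", realm))
```

Run it once in the directory where you intend to execute kubectl create secret; the printed extra_args value is what goes into the keycloak.extraArgs setting.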

Contributing to Identity Service

We encourage and welcome contributions to this project. For further details please check the contributing file.