The Alfresco Identity Service will become the central component responsible for identity-related capabilities needed by other Alfresco software, such as managing users, groups, roles, profiles, and authentication. Currently it deals just with authentication. This project contains the open-source core of this service.
The Alfresco Identity Service deployment requires:
Component | Recommended version |
---|---|
Docker | 17.0.9.1 |
Kubernetes | 1.8.4 |
Kubectl | 1.8.4 |
Helm | 2.8.2 |
Kops | 1.8.1 |
Any variation from these technologies and versions may affect the end result. If you do experience any issues please let us know through our Gitter channel.
These instructions illustrate deployment to a Kubernetes cluster on AWS.
Please check the Anaxes Shipyard documentation on running a cluster.
If you are deploying the Identity Service into a cluster with other Alfresco components such as Content Services and Process Services, a VPC and cluster with 5 nodes is recommended. Each node should be an m4.xlarge EC2 instance.
Initialize the Helm Tiller:

```bash
helm init
```
As mentioned as part of the Anaxes Shipyard guidelines, you should deploy into a separate namespace in the cluster to avoid conflicts (create the namespace only if it does not already exist):

```bash
export DESIREDNAMESPACE=example
kubectl create namespace $DESIREDNAMESPACE
```

This environment variable will be used in the deployment steps.
- Install the nginx-ingress-controller into your cluster. This will create an ELB when using AWS and will set a dummy certificate on it.

```bash
helm repo update
cat <<EOF > ingressvalues.yaml
controller:
  config:
    ssl-redirect: "false"
  scope:
    enabled: true
EOF
helm install stable/nginx-ingress --version=0.14.0 -f ingressvalues.yaml \
  --namespace $DESIREDNAMESPACE
```
If you want to use your own certificate here, create a secret from your certificate files and then deploy the ingress with the following settings:

```bash
kubectl create secret tls certsecret --key /tmp/tls.key --cert /tmp/tls.crt \
  --namespace $DESIREDNAMESPACE

# Then deploy the ingress with the following settings
cat <<EOF > ingressvalues.yaml
controller:
  config:
    ssl-redirect: "false"
  scope:
    enabled: true
  publishService:
    enabled: true
  extraArgs:
    default-ssl-certificate: $DESIREDNAMESPACE/certsecret
EOF
helm install stable/nginx-ingress --version=0.14.0 -f ingressvalues.yaml \
  --namespace $DESIREDNAMESPACE
```
If you

- created the cluster in AWS using kops
- have a matching SSL/TLS certificate stored in AWS Certificate Manager
- are using a zone in Amazon Route 53

Kubernetes' External DNS can autogenerate a DNS entry for you (a CNAME of the generated ELB) and apply the SSL/TLS certificate to the ELB.

Note: AWS Certificate Manager ARNs are of the form arn:aws:acm:REGION:ACCOUNT:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

Set DOMAIN to the DNS zone you used when creating the cluster.

```bash
ELB_CNAME="${DESIREDNAMESPACE}.${DOMAIN}"
# jq -r prints the bare ARN without the surrounding JSON quotes
ELB_CERTIFICATE_ARN=$(aws acm list-certificates | \
  jq -r '.CertificateSummaryList[] | select (.DomainName == "'${DOMAIN}'") | .CertificateArn')
cat <<EOF > ingressvalues.yaml
controller:
  config:
    ssl-redirect: "false"
  scope:
    enabled: true
  publishService:
    enabled: true
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      external-dns.alpha.kubernetes.io/hostname: ${ELB_CNAME}
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${ELB_CERTIFICATE_ARN}
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
EOF
helm install stable/nginx-ingress --version=0.14.0 -f ingressvalues.yaml \
  --namespace $DESIREDNAMESPACE
```
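The External DNS variant above writes whatever the jq pipeline printed straight into the aws-load-balancer-ssl-cert annotation. If the query matched no certificate, or more than one, the ELB is created without the intended certificate. As an added example (not code from the Alfresco Identity Service project or its charts), the following bash functions check that exactly one ARN came back and that it has the shape given in the note above before rendering the same ingressvalues.yaml. The function names and the sample values used in the usage comment are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the Alfresco Identity Service project.
# Guards the External DNS / ACM ingress deployment: the ARN must be exactly
# one well-formed value before it is written into ingressvalues.yaml.

# ARN shape from the README note: arn:aws:acm:REGION:ACCOUNT:certificate/UUID
check_acm_arn() {
  printf '%s\n' "$1" | grep -Eq \
    '^arn:aws:acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Takes the raw output of the "aws acm list-certificates | jq ..." pipeline
# (one ARN per line, possibly still double-quoted if jq ran without -r) and
# prints the single ARN, or fails if there is not exactly one valid ARN.
pick_single_arn() {
  n=$(printf '%s\n' "$1" | grep -c . || true)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one ACM certificate for the domain, found $n" >&2
    return 1
  fi
  arn=$(printf '%s\n' "$1" | tr -d '"' | tr -d '[:space:]')
  check_acm_arn "$arn" || { echo "malformed ACM ARN: '$arn'" >&2; return 1; }
  printf '%s' "$arn"
}

# Writes the ingressvalues.yaml from the README with the CNAME and ARN
# substituted; refuses to write anything if either input is unusable.
render_ingress_values() {
  cname=$1 arn=$2 out=$3
  [ -n "$cname" ] || { echo "ELB CNAME must not be empty" >&2; return 1; }
  check_acm_arn "$arn" || { echo "refusing to render with bad ARN '$arn'" >&2; return 1; }
  cat <<EOF > "$out"
controller:
  config:
    ssl-redirect: "false"
  scope:
    enabled: true
  publishService:
    enabled: true
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      external-dns.alpha.kubernetes.io/hostname: ${cname}
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "${arn}"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
EOF
}

# Usage (DESIREDNAMESPACE and DOMAIN set as in the README; example values only):
#   raw=$(aws acm list-certificates | jq -r '.CertificateSummaryList[] | select (.DomainName == "'${DOMAIN}'") | .CertificateArn')
#   arn=$(pick_single_arn "$raw") && \
#     render_ingress_values "${DESIREDNAMESPACE}.${DOMAIN}" "$arn" ingressvalues.yaml
```

The ARN is written double-quoted so that the YAML value is unambiguous whether or not jq was run with -r; the rest of the file is the README's own values.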
- Get the nginx-ingress-controller release name from the previous command and set it as a variable:

```bash
export INGRESSRELEASE=knobby-wolf
```

- Wait for the nginx-ingress-controller release to get deployed (when checking status your pod should be READY 1/1):

```bash
helm status $INGRESSRELEASE
```

- Get the Minikube or ELB IP and set it as a variable for future use:

```bash
export ELBADDRESS=$(kubectl get services $INGRESSRELEASE-nginx-ingress-controller --namespace=$DESIREDNAMESPACE -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
```
To deploy with the default example realm applied:

```bash
# Add the helm repo containing the chart
helm repo add alfresco-incubator http://kubernetes-charts.alfresco.com/incubator
helm install alfresco-incubator/alfresco-identity-service \
  --set ingressHostName=$ELBADDRESS \
  --namespace $DESIREDNAMESPACE
```
which results in default values of:
Property | Value |
---|---|
Admin User Username | admin |
Admin User Password | admin |
Admin User Email | admin@app.activiti.com |
Alfresco Client Redirect URIs | http://localhost* |
(Note that APS expects the email as the user name)
You can override the default redirectUri of http://localhost* for your environment with the client.alfresco.redirectUris property:

```bash
helm install alfresco-incubator/alfresco-identity-service \
  --set ingressHostName=$ELBADDRESS \
  --namespace $DESIREDNAMESPACE \
  --set client.alfresco.redirectUris=['\"'http://$DNSNAME*'"\']
```

or, including multiple redirectUris:

```bash
helm install alfresco-incubator/alfresco-identity-service \
  --set ingressHostName=$ELBADDRESS \
  --namespace $DESIREDNAMESPACE \
  --set client.alfresco.redirectUris=['\"'http://$DNSNAME*'"\'',''\"'http://$DNSNAME1*'"\'',''\"'http://$DNSNAME2*'"\']
```
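Redirect URIs are where the authorization code and tokens are delivered, so a pattern that is wider than intended lets other hosts receive them. The chart's default http://localhost* is a prefix pattern, and a wildcard placed directly after the host name also matches hosts such as localhost.example.net. As an added example (not code from the Alfresco Identity Service project), the bash functions below screen each pattern before it goes into client.alfresco.redirectUris: the host and port must be fixed, a wildcard may only appear as the last character of the path, and plain http is accepted only for localhost. This is deliberately stricter than the chart default; the function names and the bracketed output format are assumptions of this example, and the output still has to be escaped for --set as shown in the README commands above.

```shell
#!/usr/bin/env bash
# Added example, not part of the Alfresco Identity Service project.
# Screens redirect URI patterns for an OIDC client before they are deployed.

reject() { echo "reject '$1': $2" >&2; return 1; }

# Returns 0 if the pattern is acceptable as a redirect URI, 1 otherwise.
check_redirect_uri() {
  uri=$1
  case "$uri" in
    *://*) ;;
    *) reject "$uri" "missing scheme"; return 1 ;;
  esac
  scheme=${uri%%://*}
  rest=${uri#*://}
  hostport=${rest%%/*}
  host=${hostport%%:*}
  case "$rest" in
    */*) path=/${rest#*/} ;;
    *)   path='' ;;
  esac
  # The host and port must be fixed: a wildcard there widens a prefix match
  # to other hosts (localhost* also matches localhost.example.net).
  [ -n "$host" ] || { reject "$uri" "empty host"; return 1; }
  case "$hostport" in
    *'*'*) reject "$uri" "wildcard in host or port"; return 1 ;;
  esac
  # A wildcard in the path is allowed only as the final character.
  case "$path" in
    *'*'?*) reject "$uri" "wildcard must be the last character"; return 1 ;;
  esac
  # Codes and tokens travel to this URI, so require TLS except for local
  # development hosts.
  case "$scheme" in
    https) ;;
    http)
      case "$host" in
        localhost|127.0.0.1) ;;
        *) reject "$uri" "plain http to a non-local host"; return 1 ;;
      esac ;;
    *) reject "$uri" "unsupported scheme $scheme"; return 1 ;;
  esac
  return 0
}

# Validates every argument and prints them in the bracketed, comma-separated
# form used above, e.g. ["https://a.example.com/*","http://localhost:8080/*"].
build_redirect_uris_value() {
  out=''
  for u in "$@"; do
    check_redirect_uri "$u" || return 1
    out="${out:+$out,}\"$u\""
  done
  [ -n "$out" ] || { echo "at least one redirect URI is required" >&2; return 1; }
  printf '[%s]' "$out"
}

# Usage (constructed values):
#   build_redirect_uris_value 'https://app.example.com/*' 'http://localhost:8080/*'
```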
If you want to deploy your own realm with further customizations, see Customizing the Realm below.
- You will need a realm file. A sample realm file is provided.
- Create a secret using your realm JSON file.

Note: The secret name must be realm-secret, and the realm file name must not be alfresco-realm.json.

```bash
kubectl create secret generic realm-secret \
  --from-file=./realm.json \
  --namespace=$DESIREDNAMESPACE
```
- Deploy the identity chart with the new settings:

```bash
helm repo add alfresco-incubator https://kubernetes-charts.alfresco.com/incubator
helm install alfresco-incubator/alfresco-identity-service \
  --set keycloak.keycloak.extraArgs="-Dkeycloak.import=/realm/realm.json" \
  --set ingressHostName=$ELBADDRESS \
  --namespace $DESIREDNAMESPACE
```
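The secret key that --from-file creates and the path in -Dkeycloak.import have to agree: kubectl uses the file's basename as the key, and that key becomes the file name under the mount path, so a realm file with a different name needs a matching import argument. As an added example (not code from the Alfresco Identity Service project or its chart), the bash functions below derive the import argument from the realm file name, enforce the naming rules from the note above, and print the two commands. The mount path /realm is taken from the README's own argument; the function names and the minimal JSON sanity check are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the Alfresco Identity Service project.
# Keeps the secret key and the keycloak.import path derived from one file name.

REALM_SECRET=realm-secret   # fixed name required by the chart (README note)
REALM_MOUNT=/realm          # assumed from the README's -Dkeycloak.import=/realm/realm.json

# Prints the -Dkeycloak.import argument for the given realm file, or fails
# if the name violates the README's rules.
realm_import_arg() {
  file=$1
  base=${file##*/}
  case "$base" in
    '' | alfresco-realm.json)
      echo "realm file must be given and must not be named alfresco-realm.json" >&2
      return 1 ;;
    *.json) ;;
    *) echo "realm file should be a .json file, got '$base'" >&2; return 1 ;;
  esac
  # kubectl --from-file uses the basename as the secret key, which is the
  # file name Keycloak sees under the mount path.
  printf '%s=%s/%s' -Dkeycloak.import "$REALM_MOUNT" "$base"
}

# Minimal sanity check: non-empty, starts with a JSON object, declares a realm.
realm_file_sane() {
  [ -s "$1" ] || return 1
  head -n 1 "$1" | grep -q '^[[:space:]]*{' || return 1
  grep -q '"realm"[[:space:]]*:' "$1"
}

# Prints the README's two commands with the secret key and the import
# argument derived from the same realm file.
realm_deploy_commands() {
  file=$1 ns=$2
  realm_file_sane "$file" || { echo "'$file' does not look like a Keycloak realm export" >&2; return 1; }
  arg=$(realm_import_arg "$file") || return 1
  cat <<EOF
kubectl create secret generic $REALM_SECRET --from-file=$file --namespace=$ns
helm install alfresco-incubator/alfresco-identity-service --set keycloak.keycloak.extraArgs="$arg" --set ingressHostName=\$ELBADDRESS --namespace $ns
EOF
}

# Usage: realm_deploy_commands ./realm.json "$DESIREDNAMESPACE"
```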
Once Keycloak is up and running, log in to the Management Console to configure the required realm.

- Add a realm named "Alfresco"
- Create an OIDC client named "alfresco" within the Alfresco realm
- Create a group named "admin"
- Add a new user with a username of "testuser", email of "test@test.com" and first and last name of "test"
- Go to the Add Realm page and click the "Select File" button next to the Import label.
- Choose the sample realm file and click the "Create" button.
We encourage and welcome contributions to this project. For further details please check the contributing file.