feat(deploy): added OpenShift4 deployment files

angular 8-rc2, Profile code pruning, hosted keycloak on OpenShift4

Author: xmlking

.deploy/keycloak/README.md

@@ -74,9 +74,12 @@ PROXY_ADDRESS_FORWARDING="true"
 
 Refer https://stackoverflow.com/questions/53550321/keycloak-gatekeeper-aud-claim-and-client-id-do-not-match
 
-1. add `ngxapi_audience` **Client Scopes** at Realm `ngx` with Audience mapper name: `ngxapi_audience_mapper`, Mapper Type --> `audience` and adding `ngxapi` Client under `Included Client Audience`.
-2. for `ngxweb` client, add `ngxapi_audience` at **Client Scopes** tab
-3. for `ngxapi` client, add `ngxapi_audience` at **Client Scopes** tab (for Swagger API Docs)
+1. add `ngxapi-audience` **Client Scopes** at Realm `ngx` with Audience mapper name: `ngxapi-audience-mapper`, Mapper Type --> `audience` and adding `ngxapi` Client under `Included Client Audience`.
+2. for `ngxweb` client, add `ngxapi-audience` at **Client Scopes** tab
+3. for `ngxapi` client, add `ngxapi-audience` at **Client Scopes** tab (for Swagger API Docs)
+
+Refer https://www.kodnito.com/posts/microprofile-jwt-with-keycloak/
+4. Click on Clients and find the `ngxweb/ngxapi` and click on **Mappers** tab and click on **Add Builtin** button and add the **groups** mapper to the client. 
 
 ---
 
@@ -110,6 +113,15 @@ kubectl cp $POD_NAME:/tmp/sumo /Developer/Work/SPA/ngx-starter-kit/.deploy/keycl
 ```
 
 ---
+## MicroProfile JWT with Keycloak
+
+**how to secure API/services using MicroProfile JWT and Keycloak?**
+
+Follow [blog](https://kodnito.com/posts/microprofile-jwt-with-keycloak/)
+You find the public key here https://keycloak.traefik.k8s/auth/realms/ngx/
+
+---
+
 
 ## Troubleshooting
 

.deploy/keycloak/helm/README.md

@@ -2,14 +2,19 @@
 
 Deploying `KeyCloak` to `Kubernetes` via `Helm`
 
+we will be using charts from [codecentric](https://github.com/codecentric/helm-charts) Repo.
+
 ### With Tiller
 
 ```bash
 cd .deploy/keycloak/helm
 
+# add KeyCloak Charts Repo
+helm repo add codecentric https://codecentric.github.io/helm-charts
+
 # To install the chart with the release name `keycloak`
 # --dry-run --debug flags help you to see before you really deploy
-helm install --name=keycloak --namespace=default -f values-dev.yaml stable/keycloak
+helm install --name keycloak --namespace=default -f values-dev.yaml codecentric/keycloak
 
 # verify deployment
 helm ls
@@ -25,7 +30,7 @@ echo | openssl s_client -showcerts -connect keycloak.traefik.k8s:443 2>/dev/null
 
 
 # To update
-helm upgrade --namespace=default -f values-dev.yaml keycloak stable/keycloak
+helm upgrade --namespace=default -f values-dev.yaml keycloak codecentric/keycloak
 
 # To uninstall/delete the `keycloak` deployment
 helm delete keycloak
@@ -40,9 +45,9 @@ kubectl scale statefulset keycloak --replicas=0
 ```bash
 cd .deploy/keycloak/helm
 
-helm fetch stable/keycloak
+helm fetch codecentric/keycloak
 
-helm template ./keycloak-4.7.0.tgz \
+helm template ./keycloak-4.11.1.tgz \
 --name keycloak \
 --namespace default \
 --values values-dev.yaml \

.deploy/keycloak/helm/values-dev.yaml

@@ -2,6 +2,9 @@ test:
   enabled: false
 
 keycloak:
+  image:
+    repository: jboss/keycloak
+    tag: 6.0.1
   username: admin
   password: admin123
   persistence:

.deploy/keycloak/helm/values-os.yaml

@@ -0,0 +1,19 @@
+test:
+  enabled: false
+
+keycloak:
+  image:
+    repository: jboss/keycloak
+    tag: 6.0.1
+  username: admin
+  password: species
+  securityContext: {}
+  resources:
+    limits:
+      memory: 1G
+    requests:
+      memory: 512M
+  ingress:
+    enabled: true
+    hosts:
+      - keycloak-ngx.apps.us-west-1.online-starter.openshift.com

.deploy/keycloak/helm/values-prod.yaml

@@ -1,10 +1,10 @@
 resources:
   limits:
     cpu: 4
-    memory: "4096Mi"
+    memory: '4096Mi'
   requests:
     cpu: 2
-    memory: "2048Mi"
+    memory: '2048Mi'
 
 livenessProbe:
   initialDelaySeconds: 200
@@ -19,6 +19,7 @@ test:
 keycloak:
   image:
     repository: jboss/keycloak
+    tag: 6.0.1
   username: admin
   password: admin123
   persistence:

.deploy/keycloak/helm/values.yaml

@@ -11,7 +11,7 @@ keycloak:
 
   image:
     repository: jboss/keycloak
-    tag: 5.0.0
+    tag: 6.0.1
     pullPolicy: IfNotPresent
 
     ## Optionally specify an array of imagePullSecrets.
@@ -50,17 +50,17 @@ keycloak:
     #     command: ["/bin/sh", "-c", "ls"]
 
   ## Additional arguments to start command e.g. -Dkeycloak.import= to load a realm
-  extraArgs: ""
+  extraArgs: ''
 
   ## Username for the initial Keycloak admin user
   username: keycloak
 
   ## Password for the initial Keycloak admin user. Applicable only if existingSecret is not set.
   ## If not set, a random 10 characters password will be used
-  password: ""
+  password: ''
 
   # Specifies an existing secret to be used for the admin password
-  existingSecret: ""
+  existingSecret: ''
 
   # The key in the existing secret that stores the password
   existingSecretKey: password
@@ -108,7 +108,7 @@ keycloak:
             topologyKey: failure-domain.beta.kubernetes.io/zone
 
   nodeSelector: {}
-  priorityClassName: ""
+  priorityClassName: ''
   tolerations: []
 
   ## Additional pod labels
@@ -125,7 +125,8 @@ keycloak:
     initialDelaySeconds: 30
     timeoutSeconds: 1
 
-  resources: {}
+  resources:
+    {}
     # limits:
     #   cpu: "100m"
     #   memory: "1024Mi"
@@ -161,7 +162,8 @@ keycloak:
   ## Add additional ports, eg. for custom admin console
   extraPorts: |
 
-  podDisruptionBudget: {}
+  podDisruptionBudget:
+    {}
     # maxUnavailable: 1
     # minAvailable: 1
 
@@ -190,11 +192,15 @@ keycloak:
     enabled: false
     path: /
 
-    annotations: {}
+    annotations:
+      {}
       # kubernetes.io/ingress.class: nginx
       # kubernetes.io/tls-acme: "true"
       # ingress.kubernetes.io/affinity: cookie
 
+    labels: {}
+    # key: value
+
     ## List of hosts for the ingress
     hosts:
       - keycloak.example.com
@@ -216,7 +222,7 @@ keycloak:
     ## The following values only apply if "deployPostgres" is set to "false"
 
     # Specifies an existing secret to be used for the database password
-    existingSecret: ""
+    existingSecret: ''
 
     # The key in the existing secret that stores the password
     existingSecretKey: password
@@ -227,7 +233,7 @@ keycloak:
     dbUser: keycloak
 
     # Only used if no existing secret is specified. In this case a new secret is created
-    dbPassword: ""
+    dbPassword: ''
 
 postgresql:
   ### PostgreSQL User to create.
@@ -237,7 +243,7 @@ postgresql:
   ## PostgreSQL Password for the new user.
   ## If not set, a random 10 characters password will be used.
   ##
-  postgresPassword: ""
+  postgresPassword: ''
 
   ## PostgreSQL Database to create.
   ##

.deploy/keycloak/manual/04-keycloak-deployment.yaml

@@ -31,7 +31,7 @@ spec:
               echo 'PostgreSQL OK ✓'
       containers:
         - name: keycloak
-          image: jboss/keycloak:4.8.3.Final
+          image: jboss/keycloak:6.0.1
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

.deploy/keycloak/openshift/README.md

@@ -1,8 +1,4 @@
-# Postgres on OpenShift
-
-Deploying `Postgres` to `OpenShift` via `Helm`
-
-### Deploying to OpenShift
+### KeyCloak on OpenShift
 
 > Deploy KeyCloak to OpenShift
 

.deploy/keycloak/openshift/keycloak-openshift.yaml

@@ -101,24 +101,6 @@ items:
                     name: keycloak-secrets
                 - configMapRef:
                     name: keycloak-config
-#              env:
-#                - name: POD_NAMESPACE
-#                  valueFrom:
-#                    fieldRef:
-#                      apiVersion: v1
-#                      fieldPath: metadata.namespace
-#                - name: PROXY_ADDRESS_FORWARDING
-#                  value: "true"
-#                - name: KEYCLOAK_USER
-#                  valueFrom:
-#                    configMapKeyRef:
-#                      name: keycloak-config
-#                      key: KEYCLOAK_USER
-#                - name: KEYCLOAK_PASSWORD
-#                  valueFrom:
-#                    secretKeyRef:
-#                      name: keycloak-secrets
-#                      key: KEYCLOAK_PASSWORD
               livenessProbe:
                 httpGet:
                   path: /auth/realms/master

.deploy/keycloak/openshift4/README.md

@@ -0,0 +1,14 @@
+### KeyCloak on OpenShift 4.1
+
+> Deploy KeyCloak to OpenShift
+
+All files here are generated with Helm:
+
+```bash
+cd .deploy/keycloak/helm
+
+helm fetch codecentric/keycloak
+helm template ./keycloak-4.11.1.tgz --name keycloak --namespace default --values values-os.yaml --output-dir generated
+```
+
+After generation, remove `securityContext` block from `statefulset.yaml`