feat(deploy): added OpenShift4 deployment files
angular 8-rc2, Profile code pruning, hosted keycloak on OpenShift4
xmlking committed May 8, 2019
1 parent eff9ad5 commit bca7f73
Showing 31 changed files with 1,627 additions and 1,005 deletions.
18 changes: 15 additions & 3 deletions .deploy/keycloak/README.md
Expand Up @@ -74,9 +74,12 @@ PROXY_ADDRESS_FORWARDING="true"

Refer https://stackoverflow.com/questions/53550321/keycloak-gatekeeper-aud-claim-and-client-id-do-not-match

1. add `ngxapi_audience` **Client Scopes** at Realm `ngx` with Audience mapper name: `ngxapi_audience_mapper`, Mapper Type --> `audience` and adding `ngxapi` Client under `Included Client Audience`.
2. for `ngxweb` client, add `ngxapi_audience` at **Client Scopes** tab
3. for `ngxapi` client, add `ngxapi_audience` at **Client Scopes** tab (for Swagger API Docs)
1. add `ngxapi-audience` **Client Scopes** at Realm `ngx` with Audience mapper name: `ngxapi-audience-mapper`, Mapper Type --> `audience` and adding `ngxapi` Client under `Included Client Audience`.
2. for `ngxweb` client, add `ngxapi-audience` at **Client Scopes** tab
3. for `ngxapi` client, add `ngxapi-audience` at **Client Scopes** tab (for Swagger API Docs)

Refer https://www.kodnito.com/posts/microprofile-jwt-with-keycloak/
4. Click on Clients and find the `ngxweb/ngxapi` and click on **Mappers** tab and click on **Add Builtin** button and add the **groups** mapper to the client.

---

Expand Down Expand Up @@ -110,6 +113,15 @@ kubectl cp $POD_NAME:/tmp/sumo /Developer/Work/SPA/ngx-starter-kit/.deploy/keycl
```

---
## MicroProfile JWT with Keycloak

**how to secure API/services using MicroProfile JWT and Keycloak?**

Follow [blog](https://kodnito.com/posts/microprofile-jwt-with-keycloak/)
You find the public key here https://keycloak.traefik.k8s/auth/realms/ngx/

---


## Troubleshooting

13 changes: 9 additions & 4 deletions .deploy/keycloak/helm/README.md
Expand Up @@ -2,14 +2,19 @@

Deploying `KeyCloak` to `Kubernetes` via `Helm`

we will be using charts from [codecentric](https://github.com/codecentric/helm-charts) Repo.

### With Tiller

```bash
cd .deploy/keycloak/helm

# add KeyCloak Charts Repo
helm repo add codecentric https://codecentric.github.io/helm-charts

# To install the chart with the release name `keycloak`
# --dry-run --debug flags help you to see before you really deploy
helm install --name=keycloak --namespace=default -f values-dev.yaml stable/keycloak
helm install --name keycloak --namespace=default -f values-dev.yaml codecentric/keycloak

# verify deployment
helm ls
Expand All @@ -25,7 +30,7 @@ echo | openssl s_client -showcerts -connect keycloak.traefik.k8s:443 2>/dev/null


# To update
helm upgrade --namespace=default -f values-dev.yaml keycloak stable/keycloak
helm upgrade --namespace=default -f values-dev.yaml keycloak codecentric/keycloak

# To uninstall/delete the `keycloak` deployment
helm delete keycloak
Expand All @@ -40,9 +45,9 @@ kubectl scale statefulset keycloak --replicas=0
```bash
cd .deploy/keycloak/helm

helm fetch stable/keycloak
helm fetch codecentric/keycloak

helm template ./keycloak-4.7.0.tgz \
helm template ./keycloak-4.11.1.tgz \
--name keycloak \
--namespace default \
--values values-dev.yaml \
3 changes: 3 additions & 0 deletions .deploy/keycloak/helm/values-dev.yaml
Expand Up @@ -2,6 +2,9 @@ test:
enabled: false

keycloak:
image:
repository: jboss/keycloak
tag: 6.0.1
username: admin
password: admin123
persistence:
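--- a/.deploy/keycloak/helm/values-os.yaml
+++ b/.deploy/keycloak/helm/values-os.yaml
@@ -0,0 +1,19 @@
+test:
+enabled: false
+
+keycloak:
+image:
+repository: jboss/keycloak
+tag: 6.0.1
+username: admin
+password: species
+securityContext: {}
+resources:
+limits:
+memory: 1G
+requests:
+memory: 512M
+ingress:
+enabled: true
+hosts:
+- keycloak-ngx.apps.us-west-1.online-starter.openshift.com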
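Review bot: `password: species` commits a plaintext Keycloak admin password to the repository, in a values file whose ingress host is a public `*.online-starter.openshift.com` name, so the admin console this credential unlocks is presumably reachable from the internet. The chart these values feed already offers the alternative: values.yaml in this same commit documents `existingSecret` / `existingSecretKey` for the admin password and notes that an empty `password` makes the chart generate a random one. I would drop the literal and use `password: ''` plus `existingSecret: <name-of-pre-created-secret>` (placeholder), with that Secret created outside version control. If the literal is intentionally kept for a throwaway sandbox, a comment should say so, and the value should be rotated since it is now in git history.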
5 changes: 3 additions & 2 deletions .deploy/keycloak/helm/values-prod.yaml
@@ -1,10 +1,10 @@
resources:
limits:
cpu: 4
memory: "4096Mi"
memory: '4096Mi'
requests:
cpu: 2
memory: "2048Mi"
memory: '2048Mi'

livenessProbe:
initialDelaySeconds: 200
Expand All @@ -19,6 +19,7 @@ test:
keycloak:
image:
repository: jboss/keycloak
tag: 6.0.1
username: admin
password: admin123
persistence:
28 changes: 17 additions & 11 deletions .deploy/keycloak/helm/values.yaml
Expand Up @@ -11,7 +11,7 @@ keycloak:

image:
repository: jboss/keycloak
tag: 5.0.0
tag: 6.0.1
pullPolicy: IfNotPresent

## Optionally specify an array of imagePullSecrets.
Expand Down Expand Up @@ -50,17 +50,17 @@ keycloak:
# command: ["/bin/sh", "-c", "ls"]
## Additional arguments to start command e.g. -Dkeycloak.import= to load a realm
extraArgs: ""
extraArgs: ''

## Username for the initial Keycloak admin user
username: keycloak

## Password for the initial Keycloak admin user. Applicable only if existingSecret is not set.
## If not set, a random 10 characters password will be used
password: ""
password: ''

# Specifies an existing secret to be used for the admin password
existingSecret: ""
existingSecret: ''

# The key in the existing secret that stores the password
existingSecretKey: password
Expand Down Expand Up @@ -108,7 +108,7 @@ keycloak:
topologyKey: failure-domain.beta.kubernetes.io/zone
nodeSelector: {}
priorityClassName: ""
priorityClassName: ''
tolerations: []

## Additional pod labels
Expand All @@ -125,7 +125,8 @@ keycloak:
initialDelaySeconds: 30
timeoutSeconds: 1

resources: {}
resources:
{}
# limits:
# cpu: "100m"
# memory: "1024Mi"
Expand Down Expand Up @@ -161,7 +162,8 @@ keycloak:
## Add additional ports, eg. for custom admin console
extraPorts: |
podDisruptionBudget: {}
podDisruptionBudget:
{}
# maxUnavailable: 1
# minAvailable: 1

Expand Down Expand Up @@ -190,11 +192,15 @@ keycloak:
enabled: false
path: /

annotations: {}
annotations:
{}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# ingress.kubernetes.io/affinity: cookie

labels: {}
# key: value

## List of hosts for the ingress
hosts:
- keycloak.example.com
Expand All @@ -216,7 +222,7 @@ keycloak:
## The following values only apply if "deployPostgres" is set to "false"

# Specifies an existing secret to be used for the database password
existingSecret: ""
existingSecret: ''

# The key in the existing secret that stores the password
existingSecretKey: password
Expand All @@ -227,7 +233,7 @@ keycloak:
dbUser: keycloak

# Only used if no existing secret is specified. In this case a new secret is created
dbPassword: ""
dbPassword: ''

postgresql:
### PostgreSQL User to create.
Expand All @@ -237,7 +243,7 @@ postgresql:
## PostgreSQL Password for the new user.
## If not set, a random 10 characters password will be used.
##
postgresPassword: ""
postgresPassword: ''

## PostgreSQL Database to create.
##
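Review bot: The empty flow mapping moved onto its own line under `resources:`, `podDisruptionBudget:` and `annotations:` is inconsistent with `nodeSelector: {}` a few lines above and with the newly added `labels: {}` in the same file, which keep the inline form. Both layouts parse to the same empty map, but `{}` standing alone beneath a key and above a run of commented-out sub-keys reads like a leftover rather than a deliberate default, and it is the inline form that yamllint and Prettier emit. I would keep `resources: {}`, `podDisruptionBudget: {}` and `annotations: {}` on one line so the file uses a single style for empty values.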
2 changes: 1 addition & 1 deletion .deploy/keycloak/manual/04-keycloak-deployment.yaml
Expand Up @@ -31,7 +31,7 @@ spec:
echo 'PostgreSQL OK ✓'
containers:
- name: keycloak
image: jboss/keycloak:4.8.3.Final
image: jboss/keycloak:6.0.1
imagePullPolicy: IfNotPresent
ports:
- name: http
6 changes: 1 addition & 5 deletions .deploy/keycloak/openshift/README.md
@@ -1,8 +1,4 @@
# Postgres on OpenShift

Deploying `Postgres` to `OpenShift` via `Helm`

### Deploying to OpenShift
### KeyCloak on OpenShift

> Deploy KeyCloak to OpenShift
18 changes: 0 additions & 18 deletions .deploy/keycloak/openshift/keycloak-openshift.yaml
Expand Up @@ -101,24 +101,6 @@ items:
name: keycloak-secrets
- configMapRef:
name: keycloak-config
# env:
# - name: POD_NAMESPACE
# valueFrom:
# fieldRef:
# apiVersion: v1
# fieldPath: metadata.namespace
# - name: PROXY_ADDRESS_FORWARDING
# value: "true"
# - name: KEYCLOAK_USER
# valueFrom:
# configMapKeyRef:
# name: keycloak-config
# key: KEYCLOAK_USER
# - name: KEYCLOAK_PASSWORD
# valueFrom:
# secretKeyRef:
# name: keycloak-secrets
# key: KEYCLOAK_PASSWORD
livenessProbe:
httpGet:
path: /auth/realms/master
14 changes: 14 additions & 0 deletions .deploy/keycloak/openshift4/README.md
@@ -0,0 +1,14 @@
### KeyCloak on OpenShift 4.1

> Deploy KeyCloak to OpenShift
All files here are generated with Helm:

```bash
cd .deploy/keycloak/helm

helm fetch codecentric/keycloak
helm template ./keycloak-4.11.1.tgz --name keycloak --namespace default --values values-os.yaml --output-dir generated
```

After generation, remove `securityContext` block from `statefulset.yaml`
64 changes: 64 additions & 0 deletions .deploy/keycloak/openshift4/configmap.yaml
@@ -0,0 +1,64 @@
---
# Source: keycloak/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak
labels:
app: keycloak
chart: keycloak-4.11.1
release: "keycloak"
heritage: "Tiller"
data:
keycloak.sh: |
#!/usr/bin/env bash
set -eu
/opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/keycloak.cli
exec /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0 -c standalone.xml
exit "$?"
keycloak.cli: |
embed-server --std-out=echo
batch
## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a
## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly.
/subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name})
# Allow log level to be configured via environment variable
/subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})
/subsystem=logging/root-logger=ROOT:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})
# Add dedicated eventsListener config element to allow configuring elements.
/subsystem=keycloak-server/spi=eventsListener:add()
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true)
# Propagate success events to INFO instead of DEBUG, to expose successful logins for log analysis
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)
# Configure datasource to use explicit query timeout in seconds
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=query-timeout,value=${env.DB_QUERY_TIMEOUT:300})
# Configure datasource to connection before use
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=validate-on-match,value=${env.DB_VALIDATE_ON_MATCH:true})
# Configure datasource to try all other connections before failing
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=use-fast-fail,value=${env.DB_USE_CAST_FAIL:false})
run-batch
stop-embedded-server
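--- a/.deploy/keycloak/openshift4/headless-service.yaml
+++ b/.deploy/keycloak/openshift4/headless-service.yaml
@@ -0,0 +1,22 @@
+---
+# Source: keycloak/templates/headless-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+name: keycloak-headless
+labels:
+app: keycloak
+chart: keycloak-4.11.1
+release: "keycloak"
+heritage: "Tiller"
+spec:
+type: ClusterIP
+clusterIP: None
+ports:
+- name: http
+port: 80
+targetPort: http
+protocol: TCP
+selector:
+app: keycloak
+release: "keycloak"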
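--- a/.deploy/keycloak/openshift4/http-service.yaml
+++ b/.deploy/keycloak/openshift4/http-service.yaml
@@ -0,0 +1,21 @@
+---
+# Source: keycloak/templates/http-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+name: keycloak-http
+labels:
+app: keycloak
+chart: keycloak-4.11.1
+release: "keycloak"
+heritage: "Tiller"
+spec:
+type: ClusterIP
+ports:
+- name: http
+port: 80
+targetPort: http
+protocol: TCP
+selector:
+app: keycloak
+release: "keycloak"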
