sphinxcontrib-spelling
sphinxcontrib-plantuml
sphinx_toolbox>=3.2.0
+six
\ No newline at end of file
- create keycloak namespace::
> kubectl create namespace keycloak
- > kubectl label namespace keycloak istio-injection=enabled
+ > kubectl label namespace keycloak istio-injection=disabled
Install Keycloak-Database
^^^^^^^^^^^^^^^^^^^^^^^^^
- Install keycloak::
- > helm -n keycloak upgrade -i keycloak codecentric/keycloak --values ./keycloak-server-values.yaml
+ > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml
The required Ingress entry and REALM will be provided by the ONAP "Platform"
component.
+
+- Create Ingress gateway entry for the keycloak web interface
+ using the configured Ingress <base-url> (here "simpledemo.onap.org")
+ as described in :ref:`oom_customize_overrides`
+
+ .. collapse:: keycloak-ingress.yaml
+
+ .. include:: ../../resources/yaml/keycloak-ingress.yaml
+ :code: yaml
+
+- Add the Ingress entry for Keycloak::
+
+ > kubectl -n keycloak apply -f keycloak-ingress.yaml
+
.. figure:: ../../resources/images/servicemesh/ServiceMesh.png
:align: center
-For external access we start to establish Authentication via Oauth2-proxy
-and Keycloak which will be completed in the coming release.
+For external access we propose to establish Authentication via Oauth2-proxy
+and Keycloak which is described in this document.
============== ====== ============ ==============
London 1.17.2 v0.6.2 19.0.3-legacy
Montreal 1.19.3 v1.0.0 19.0.3-legacy
- New Delhi 1.19.3 v1.0.0 19.0.3-legacy
+ New Delhi 1.19.3 v1.0.0 22.0.4
============== ====== ============ ==============
.. table:: OOM Software Requirements (optional)
.. _Kserve setup guide: https://kserve.github.io/website/0.10/admin/kubernetes_deployment/
.. _K8ssandra setup guide: https://docs.k8ssandra.io/install/
.. _Mariadb-Operator setup guide: https://github.com/mariadb-operator/mariadb-operator
+.. _Postgres-Operator setup guide: https://github.com/CrunchyData/postgres-operator
.. _oom_base_optional_addons:
Mariadb-Operator Installation
-----------------------------
-Mariadb-Operator is used to ease the installation and lifecycle management
+Mariadb-Operator is used to ease the installation and lifecycle management of
MariaDB Galera and Replication clusters, including monitoring and backup
For setup the Mariadb-Operator is used, see `Mariadb-Operator setup guide`_
--set metrics.enabled=true --set webhook.certificate.certManager=true
--version=<recommended-version>
+Postgres-Operator Installation
+------------------------------
+
+Postgres-Operator is used to ease the installation and lifecycle management of
+Postgres DB clusters, including monitoring and backup
+
+For setup the Postgres-Operator is used, see `Postgres-Operator setup guide`_
Kserve Installation
-------------------
--- /dev/null
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-80
+ rules:
+ Filters:
+ Request Redirect:
+ Port: 443
+ Scheme: https
+ Status Code: 301
+ Type: RequestRedirect
+ Matches:
+ Path:
+ Type: PathPrefix
+ Value: /auth
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-443
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: keycloak-keycloakx-http
+ port: 80
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /auth
-image:
- # The Keycloak image repository
- repository: quay.io/keycloak/keycloak
- # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "19.0.3-legacy"
-
-postgresql:
- # If `true`, the Postgresql dependency is enabled
- enabled: false
+---
+command:
+ - "/opt/keycloak/bin/kc.sh"
+ - "--verbose"
+ - "start"
+ - "--http-enabled=true"
+ - "--http-port=8080"
+ - "--hostname-strict=false"
+ - "--hostname-strict-https=false"
+ - "--spi-events-listener-jboss-logging-success-level=info"
+ - "--spi-events-listener-jboss-logging-error-level=warn"
extraEnv: |
- - name: KEYCLOAK_USER
+ - name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: user
- - name: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: password
- - name: DB_VENDOR
- value: postgres
- - name: DB_ADDR
- value: keycloak-db-postgresql
- - name: DB_PORT
- value: "5432"
- - name: DB_DATABASE
- value: keycloak
- - name: DB_USER
- value: dbusername
- - name: DB_PASSWORD_FILE
- value: /secrets/db-creds/password
+ - name: JAVA_OPTS_APPEND
+ value: >-
+ -XX:+UseContainerSupport
+ -XX:MaxRAMPercentage=50.0
+ -Djava.awt.headless=true
+ -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
- name: PROXY_ADDRESS_FORWARDING
value: "true"
-extraVolumeMounts: |
- - name: db-creds
- mountPath: /secrets/db-creds
- readOnly: true
+dbchecker:
+ enabled: true
-extraVolumes: |
- - name: db-creds
- secret:
- secretName: keycloak-db-postgresql
+database:
+ vendor: postgres
+ hostname: keycloak-db-postgresql
+ port: 5432
+ username: dbusername
+ password: dbpassword
+ database: keycloak
secrets:
admin-creds:
- annotations:
- my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
stringData:
user: admin
- password: secret
\ No newline at end of file
+ password: secret
- containerPort: {{ default $port.plain_port $port.internal_plain_port }}
name: {{ $port.name }}-plain
{{- end }}
+{{- if $port.l4_protocol }}
+ protocol: {{ $port.l4_protocol }}
+{{- end }}
{{- end }}
{{- end -}}
{{- define "common.postgres.secret.primaryPasswordSecretName" -}}
{{- include "common.postgres.secret._secretName" (set . "uidTemplate" "common.postgres.secret.primaryPasswordUID") }}
{{- end -}}
+
+{{/*
+ Create postgres cluster via postgres crunchydata-operator
+*/}}
+{{- define "common.postgresOpInstance" -}}
+{{- $dot := default . .dot -}}
+{{- $global := $dot.Values.global -}}
+{{- $dbinst := include "common.name" $dot -}}
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+ name: {{ $dbinst }}
+ labels:
+ app: {{ $dbinst }}
+ version: "5.5"
+spec:
+ metadata:
+ labels:
+ app: {{ $dbinst }}
+ version: "5.5"
+ {{- if .Values.postgresOperator.imagePostgres }}
+ image: {{ .Values.postgresOperator.imagePostgres | quote }}
+ {{- end }}
+ imagePullSecrets:
+ - name: {{ include "common.namespace" . }}-docker-registry-key
+ postgresVersion: {{ $dot.Values.postgresOperator.postgresVersion }}
+ instances:
+ - name: {{ default "instance1" .Values.postgresOperator.instanceName | quote }}
+ replicas: {{ default 2 .Values.postgresOperator.instanceReplicas }}
+ dataVolumeClaimSpec:
+ {{- if .Values.instanceStorageClassName }}
+ storageClassName: {{ .Values.postgresOperator.instanceStorageClassName | quote }}
+ {{- end }}
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: {{ default "1Gi" .Values.postgresOperator.instanceSize | quote }}
+ {{- if or .Values.instanceMemory .Values.postgresOperator.instanceCPU }}
+ resources:
+ limits:
+ cpu: {{ default "" .Values.postgresOperator.instanceCPU | quote }}
+ memory: {{ default "" .Values.postgresOperator.instanceMemory | quote }}
+ {{- end }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: {{ $dbinst }}
+ postgres-operator.crunchydata.com/instance-set: {{ default "instance1" .Values.postgresOperator.instanceName | quote }}
+ proxy:
+ pgBouncer:
+ metadata:
+ labels:
+ app: {{ $dbinst }}
+ version: "5.5"
+ {{- if .Values.postgresOperator.imagePgBouncer }}
+ image: {{ .Values.postgresOperator.imagePgBouncer | quote }}
+ {{- end }}
+ replicas: {{ default 2 .Values.postgresOperator.bouncerReplicas }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: {{ $dbinst }}
+ postgres-operator.crunchydata.com/role: pgbouncer
+ {{- if .Values.postgresOperator.monitoring }}
+ monitoring:
+ pgmonitor:
+ exporter:
+ image: {{ default "" .Values.postgresOperator.imageExporter | quote }}
+ {{- if .Values.postgresOperator.monitoringConfig }}
+{{ toYaml .Values.monitoringConfig | indent 8 }}
+ {{- end }}
+ {{- end }}
+ users:
+ - name: postgres
+{{- end -}}
apiVersion: v2
description: Chart for Postgres init job
name: postgres-init
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: repositoryGenerator
version: ~13.x-0
repository: 'file://../repositoryGenerator'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
- name: serviceAccount
version: ~13.x-0
repository: '@local'
\ No newline at end of file
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
- - name: {{ include "common.name" . }}-readiness
- command:
- - /app/ready.py
- args:
- - --container-name
- - {{ .Values.global.postgres.container.name }}
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
containers:
- command:
- sh
roles:
- read
+readinessCheck:
+ wait_for:
+ - '{{ .Values.global.postgres.container.name }}'
+
wait_for_job_container:
containers:
- '{{ include "common.name" . }}-update-config'
\ No newline at end of file
apiVersion: v2
description: ONAP Postgres Server
name: postgres
-version: 13.0.0
+version: 13.1.0
dependencies:
- name: common
# limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
apiVersion: v1
kind: ConfigMap
metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}
-
+{{- end }}
# # See the License for the specific language governing permissions and
# # limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{ include "common.postgres.deployment" (dict "dot" . "pgMode" "primary") }}
+{{- end }}
\ No newline at end of file
# # See the License for the specific language governing permissions and
# # limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{ include "common.postgres.deployment" (dict "dot" . "pgMode" "replica") }}
+{{- end }}
\ No newline at end of file
# limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{- if default false .Values.metrics.enabled }}
apiVersion: v1
kind: Service
selector:
name: {{ .Values.container.name.primary }}
release: {{ include "common.release" . }}
+{{- end }}
{{- end }}
\ No newline at end of file
# limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{- if default false .Values.metrics.enabled }}
apiVersion: v1
kind: Service
selector:
name: {{ .Values.container.name.replica }}
release: {{ include "common.release" . }}
+{{- end }}
{{- end }}
\ No newline at end of file
--- /dev/null
+{{/*
+# Copyright © 2023 Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.global.postgres.useOperator }}
+{{ include "common.postgresOpInstance" . }}
+{{- end }}
\ No newline at end of file
# # See the License for the specific language governing permissions and
# # limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
{{- if include "common.needPV" . -}}
kind: PersistentVolume
path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/primary
{{- end -}}
{{- end -}}
+{{- end }}
\ No newline at end of file
# # See the License for the specific language governing permissions and
# # limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
{{- if include "common.needPV" . -}}
kind: PersistentVolume
persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }}
hostPath:
path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/replica
-{{- end -}}
-{{- end -}}
+{{- end }}
+{{- end }}
+{{- end }}
# limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
{{- else }}
storageClassName: {{ include "common.storageClass" . }}
{{- end }}
-{{- end -}}
+{{- end }}
+{{- end }}
# limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
{{- else }}
storageClassName: {{ include "common.storageClass" . }}
{{- end }}
-{{- end -}}
+{{- end }}
+{{- end }}
\ No newline at end of file
# # See the License for the specific language governing permissions and
# # limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
apiVersion: v1
kind: Service
metadata:
selector:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
+{{- end }}
# # See the License for the specific language governing permissions and
# # limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
apiVersion: v1
kind: Service
metadata:
selector:
name: "{{.Values.container.name.primary}}"
release: {{ include "common.release" . }}
+{{- end }}
# # See the License for the specific language governing permissions and
# # limitations under the License.
*/}}
+{{- if not .Values.global.postgres.useOperator }}
apiVersion: v1
kind: Service
metadata:
selector:
name: "{{.Values.container.name.replica}}"
release: {{ include "common.release" . }}
+{{- end }}
\ No newline at end of file
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
+{{- if not .Values.global.postgres.useOperator }}
{{- if .Values.metrics.serviceMonitor.enabled }}
{{ include "common.serviceMonitor" . }}
{{- end }}
+{{- end }}
\ No newline at end of file
global:
nodePortPrefix: 302
persistence: {}
+ postgres:
+ # flag to enable the DB creation via mariadb-operator
+ useOperator: false
#################################################################
# Secrets metaconfig
externalSecret: '{{ tpl (default "" .Values.config.pgPrimaryPasswordExternalSecret) . }}'
password: '{{ .Values.config.pgPrimaryPassword }}'
+#################################################################
+# Postgres Operator configuration defaults.
+# Example: https://github.com/CrunchyData/postgres-operator-examples/tree/main/helm/postgres
+#################################################################
+postgresOperator:
+ postgresVersion: 16
+ # Possibility to override images
+ #imagePostgres:
+ #imagePgBouncer:
+ #imageExporter:
+ #imagePgBackRest:
+ instanceName: instance1
+ instanceReplicas: 2
+ #instanceStorageClassName:
+ instanceSize: 1Gi
+ #instanceCPU:
+ #instanceMemory:
+ bouncerReplicas: 2
+ monitoring: true
+ #monitoringConfig: {}
+
#################################################################
# Application configuration defaults.
#################################################################
#============LICENSE_START========================================================
# ================================================================================
-# Copyright (c) 2020 J. F. Lucas. All rights reserved.
+# Copyright (c) 2020, 2024 J. F. Lucas. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property.
appVersion: "NewDelhi"
description: DCAE Microservices
name: dcaegen2-services
-version: 13.0.1
+version: 13.0.2
dependencies:
- name: common
# Copyright (c) 2021 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Copyright (c) 2024 J. F. Lucas. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "NewDelhi"
description: DCAE SNMPTrap Collector
name: dcae-snmptrap-collector
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.7
+image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.8
pullPolicy: Always
# Log directory where logging sidecar should look for log files
dns_cache_ttl_seconds: 60
services_calls: {}
snmptrapd:
- version: '2.0.4'
+ version: '2.0.8'
title: ONAP SNMP Trap Receiver
sw_interval_in_seconds: 60
streams_publishes:
dmaap_info:
topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP
type: message_router
- aaf_password: null
- aaf_username: null
+ aaf_password: ""
+ aaf_username: ""
files:
runtime_base_dir: "/opt/app/snmptrap"
log_dir: logs
apiVersion: v2
description: ONAP platform components
name: platform
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: oom-cert-service
# limitations under the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-version: 13.0.0
+version: 13.0.1
description: ONAP Realm creation and configuration
name: keycloak-init
sources:
version: ~13.x-0
repository: '@local'
- name: onap-keycloak-config-cli
- version: 5.6.1
+ version: 5.10.0
repository: 'file://components/keycloak-config-cli'
name: onap-keycloak-config-cli
description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
home: https://github.com/adorsys/keycloak-config-cli
-version: 5.6.1
-appVersion: 5.6.1
+version: 5.10.0
+appVersion: 5.10.0
maintainers:
- name: jkroepke
email: joe@adorsys.de
image:
repository: adorsys/keycloak-config-cli
- tag: "{{ .Chart.AppVersion }}-19.0.3"
+ tag: "{{ .Chart.AppVersion }}-22.0.4"
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
+++ /dev/null
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Deutsche Telekom
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.ingress" . }}
\ No newline at end of file
PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
onap-keycloak-config-cli:
+ image:
+ pullSecrets:
+ - name: onap-docker-registry-key
#existingSecret: "keycloak-keycloakx-admin-creds"
env:
- KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/
+ KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/
KEYCLOAK_SSLVERIFY: "false"
KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
secrets:
KEYCLOAK_PASSWORD: secret
existingConfigSecret: "keycloak-config-cli-config-realms"
-ingress:
- service:
- - baseaddr: "keycloak-ui"
- name: "keycloak-http.keycloak.svc.cluster.local"
- path: "/auth"
- port: 80
- # If `true`, an Ingress is created
- enabled: false
- config:
- ssl: "redirect"
-
serviceAccount:
nameOverride: keycloak-init
roles: