From 723038ed1a0d58dade5c3da643c92f1ff0063005 Mon Sep 17 00:00:00 2001 From: Andreas Geissler Date: Wed, 7 Feb 2024 10:31:05 +0100 Subject: [PATCH] [PLATFORM][KEYCLOAK] Update Keycloak instructions and Realm import Update Keycloak installation instructions to use keycloakx (Quarkus based) and update of REALM import Move the creation of the keycloak-ui ingress setup from helmchart to documentation. Issue-ID: OOM-3267 Change-Id: I3c79b05edd488f60a112590584974ba94a8c71a8 Signed-off-by: Andreas Geissler --- .../infra_guides/oom_infra_base_config_setup.rst | 18 ++++++- .../infra_guides/oom_infra_deployment_options.rst | 4 +- .../oom_infra_deployment_requirements.rst | 2 +- docs/sections/resources/yaml/keycloak-ingress.yaml | 55 +++++++++++++++++++ .../resources/yaml/keycloak-server-values.yaml | 63 ++++++++++------------ kubernetes/platform/Chart.yaml | 2 +- .../platform/components/keycloak-init/Chart.yaml | 4 +- .../components/keycloak-config-cli/Chart.yaml | 4 +- .../components/keycloak-config-cli/values.yaml | 2 +- .../keycloak-init/templates/ingress.yaml | 21 -------- .../platform/components/keycloak-init/values.yaml | 16 ++---- 11 files changed, 113 insertions(+), 78 deletions(-) create mode 100644 docs/sections/resources/yaml/keycloak-ingress.yaml delete mode 100644 kubernetes/platform/components/keycloak-init/templates/ingress.yaml diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst index 4c21217c23..f25f4e716c 100644 --- a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst +++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst @@ -358,7 +358,7 @@ Keycloak Installation - create keycloak namespace:: > kubectl create namespace keycloak - > kubectl label namespace keycloak istio-injection=enabled + > kubectl label namespace keycloak istio-injection=disabled Install Keycloak-Database ^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -388,7 +388,21 @@ Configure Keycloak - Install keycloak:: - > helm -n keycloak upgrade -i keycloak codecentric/keycloak --values ./keycloak-server-values.yaml + > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml The required Ingress entry and REALM will be provided by the ONAP "Platform" component. + +- Create Ingress gateway entry for the keycloak web interface + using the configured Ingress (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: keycloak-ingress.yaml + + .. include:: ../../resources/yaml/keycloak-ingress.yaml + :code: yaml + +- Add the Ingress entry for Keycloak:: + + > kubectl -n keycloak apply -f keycloak-ingress.yaml + diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst index dc206e0548..3b198cf1d6 100644 --- a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst @@ -36,5 +36,5 @@ Internal traffic encryption will be ensured by using Istio ServiceMesh. .. figure:: ../../resources/images/servicemesh/ServiceMesh.png :align: center -For external access we start to establish Authentication via Oauth2-proxy -and Keycloak which will be completed in the coming release. +For external access we propose to establish Authentication via Oauth2-proxy +and Keycloak which is described in this document. diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst index 4eefdafbf3..dbb965dd86 100644 --- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst 
@@ -60,7 +60,7 @@ The versions of software that are supported and tested by OOM are as follows: ============== ====== ============ ============== London 1.17.2 v0.6.2 19.0.3-legacy Montreal 1.19.3 v1.0.0 19.0.3-legacy - New Delhi 1.19.3 v1.0.0 19.0.3-legacy + New Delhi 1.19.3 v1.0.0 22.0.4 ============== ====== ============ ============== .. table:: OOM Software Requirements (optional) diff --git a/docs/sections/resources/yaml/keycloak-ingress.yaml b/docs/sections/resources/yaml/keycloak-ingress.yaml new file mode 100644 index 0000000000..91fc34f381 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-ingress.yaml @@ -0,0 +1,55 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-80 + rules: + Filters: + Request Redirect: + Port: 443 + Scheme: https + Status Code: 301 + Type: RequestRedirect + Matches: + Path: + Type: PathPrefix + Value: /auth +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-443 + rules: + - backendRefs: + - group: "" + kind: Service + name: keycloak-keycloakx-http + port: 80 + weight: 1 + matches: + - path: + type: PathPrefix + value: /auth diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml index 7eaecbedfc..0160ce86e8 100644 --- a/docs/sections/resources/yaml/keycloak-server-values.yaml 
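Review bot: The first HTTPRoute in keycloak-ingress.yaml (the one bound to `sectionName: https-80`) writes `rules` as a mapping with capitalised, space-separated keys (`Filters:`, `Request Redirect:`, `Status Code:`, `Matches:`), which is not the HTTPRoute schema — `rules` is a list and the fields are `filters`, `requestRedirect`, `statusCode` and `matches` — so the API server should reject that document and no HTTP-to-HTTPS redirect is ever installed. Both documents also carry `metadata.name: keycloak-ui-http-route` in namespace `keycloak`, so even with a valid first document the second one applied by `kubectl apply -f` would overwrite it; the redirect route needs a distinct name (e.g. `<redirect-route-name>`, placeholder). The label `app.kubernetes.io/managed-by: Helm` on a resource the guide applies by hand is misleading and may make a later Helm release refuse to adopt the object; drop it or set it to the actual operator. The rewritten `rules` stanza of the redirect document is below; the rest of the file is unchanged.
```yaml
# … unchanged: apiVersion, kind, metadata, hostnames and parentRefs of the redirect route …
      sectionName: https-80
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            port: 443
            statusCode: 301
      matches:
        - path:
            type: PathPrefix
            value: /auth
# … unchanged: second (https-443) HTTPRoute document …
```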
+++ b/docs/sections/resources/yaml/keycloak-server-values.yaml 
@@ -1,53 +1,48 @@ -image: - # The Keycloak image repository - repository: quay.io/keycloak/keycloak - # Overrides the Keycloak image tag whose default is the chart appVersion - tag: "19.0.3-legacy" - -postgresql: - # If `true`, the Postgresql dependency is enabled - enabled: false +--- +command: + - "/opt/keycloak/bin/kc.sh" + - "--verbose" + - "start" + - "--http-enabled=true" + - "--http-port=8080" + - "--hostname-strict=false" + - "--hostname-strict-https=false" + - "--spi-events-listener-jboss-logging-success-level=info" + - "--spi-events-listener-jboss-logging-error-level=warn" extraEnv: | - - name: KEYCLOAK_USER + - name: KEYCLOAK_ADMIN valueFrom: secretKeyRef: name: {{ include "keycloak.fullname" . }}-admin-creds key: user - - name: KEYCLOAK_PASSWORD + - name: KEYCLOAK_ADMIN_PASSWORD valueFrom: secretKeyRef: name: {{ include "keycloak.fullname" . }}-admin-creds key: password - - name: DB_VENDOR - value: postgres - - name: DB_ADDR - value: keycloak-db-postgresql - - name: DB_PORT - value: "5432" - - name: DB_DATABASE - value: keycloak - - name: DB_USER - value: dbusername - - name: DB_PASSWORD_FILE - value: /secrets/db-creds/password + - name: JAVA_OPTS_APPEND + value: >- + -XX:+UseContainerSupport + -XX:MaxRAMPercentage=50.0 + -Djava.awt.headless=true + -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless - name: PROXY_ADDRESS_FORWARDING value: "true" -extraVolumeMounts: | - - name: db-creds - mountPath: /secrets/db-creds - readOnly: true +dbchecker: + enabled: true -extraVolumes: | - - name: db-creds - secret: - secretName: keycloak-db-postgresql +database: + vendor: postgres + hostname: keycloak-db-postgresql + port: 5432 + username: dbusername + password: dbpassword + database: keycloak secrets: admin-creds: - annotations: - my-test-annotation: Test secret for {{ include "keycloak.fullname" . }} stringData: user: admin - password: secret \ No newline at end of file + password: secret 
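Review bot: The new `database.password: dbpassword` puts the database credential as a plain literal into a values file that the guide publishes, where the replaced configuration read it from the `keycloak-db-postgresql` secret through `DB_PASSWORD_FILE`; the keycloakx chart can take it from a secret instead (its `database.existingSecret` / `database.existingSecretKey` values — confirm against the chart version in use), i.e. `existingSecret: keycloak-db-postgresql` and `existingSecretKey: password` in place of `password: dbpassword`. The retained `PROXY_ADDRESS_FORWARDING` variable is a WildFly-distribution setting; the Quarkus-based Keycloak 22 this commit moves to takes its proxy mode from `--proxy=edge` (or `KC_PROXY=edge`), and without it Keycloak behind the TLS-terminating gateway does not trust the `X-Forwarded-*` headers and builds `http://` issuer and redirect URLs — add `- "--proxy=edge"` to `command` and drop the dead variable. `--hostname-strict=false` together with `--hostname-strict-https=false` switches off Keycloak's hostname validation entirely; the sample could instead pin `--hostname=keycloak-ui.simpledemo.onap.org` (the name the HTTPRoute and `KEYCLOAK_URL` already use), which keeps the issuer stable regardless of the request's Host header and is what the strict mode exists to protect.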
diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml index 19acda10fd..aec56cf9a1 100644 --- a/kubernetes/platform/Chart.yaml +++ b/kubernetes/platform/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP platform components name: platform -version: 13.0.0 +version: 13.0.1 dependencies: - name: oom-cert-service diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml index b7bde042b2..44ac9f5213 100644 --- a/kubernetes/platform/components/keycloak-init/Chart.yaml +++ b/kubernetes/platform/components/keycloak-init/Chart.yaml @@ -16,7 +16,7 @@ # limitations under the License. # ============LICENSE_END========================================================= apiVersion: v2 -version: 13.0.0 +version: 13.0.1 description: ONAP Realm creation and configuration name: keycloak-init sources: @@ -31,5 +31,5 @@ dependencies: version: ~13.x-0 repository: '@local' - name: onap-keycloak-config-cli - version: 5.6.1 + version: 5.10.0 repository: 'file://components/keycloak-config-cli' diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml index e4c4619d2a..abcf889834 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: onap-keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 5.6.1 -appVersion: 5.6.1 +version: 5.10.0 +appVersion: 5.10.0 maintainers: - name: jkroepke email: joe@adorsys.de 
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml index 14870e6542..46c67dd220 100644 --- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml @@ -23,7 +23,7 @@ nameOverride: "" image: repository: adorsys/keycloak-config-cli - tag: "{{ .Chart.AppVersion }}-19.0.3" + tag: "{{ .Chart.AppVersion }}-22.0.4" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/kubernetes/platform/components/keycloak-init/templates/ingress.yaml b/kubernetes/platform/components/keycloak-init/templates/ingress.yaml deleted file mode 100644 index 6ca7ceccd3..0000000000 --- a/kubernetes/platform/components/keycloak-init/templates/ingress.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2022 Deutsche Telekom -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.ingress" . }} \ No newline at end of file 
diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml index 9fbaedcf67..a33ef2c932 100644 --- a/kubernetes/platform/components/keycloak-init/values.yaml +++ b/kubernetes/platform/components/keycloak-init/values.yaml @@ -23,26 +23,18 @@ KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/" PORTAL_URL: "https://portal-ui.simpledemo.onap.org" onap-keycloak-config-cli: + image: + pullSecrets: + - name: onap-docker-registry-key #existingSecret: "keycloak-keycloakx-admin-creds" env: - KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/ + KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/ KEYCLOAK_SSLVERIFY: "false" KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" secrets: KEYCLOAK_PASSWORD: secret existingConfigSecret: "keycloak-config-cli-config-realms" -ingress: - service: - - baseaddr: "keycloak-ui" - name: "keycloak-http.keycloak.svc.cluster.local" - path: "/auth" - port: 80 - # If `true`, an Ingress is created - enabled: false - config: - ssl: "redirect" - serviceAccount: nameOverride: keycloak-init roles: -- 2.16.6
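Review bot: The new `KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/` carries the Keycloak admin credentials (`KEYCLOAK_PASSWORD`, still the plain literal `secret` here while `existingSecret` stays commented out) and the whole realm import over plain HTTP, and the documentation hunk of this same commit relabels the `keycloak` namespace `istio-injection=disabled`, so as far as the hunks show the Keycloak pods leave the mesh and this hop is not covered by Istio mTLS either. If sidecar injection has to stay off in that namespace, the admin-API traffic should be protected another way (TLS on the keycloakx HTTP service with `KEYCLOAK_SSLVERIFY: "true"` and a trusted CA, or a mesh policy that still covers it), and the commented `#existingSecret: "keycloak-keycloakx-admin-creds"` line should become active so the password no longer lives in values.yaml. The removal of the `ingress` stanza and the new `image.pullSecrets` entry look fine as written; whether `onap-docker-registry-key` exists in the namespace this chart is deployed to cannot be verified from the hunk.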