Merge pull request #25 from lalithkota/main

Rancher Keycloak Installation scripts updated. In-a-box scripts updated.
OpenG2P · May 22, 2024 · cbdc51f · cbdc51f
2 parents f2dfa36 + af5521e
commit cbdc51f
Show file tree

Hide file tree

Showing 21 changed files with 316 additions and 5,299 deletions.
diff --git a/kubernetes/istio/istio-gateway-tls.yaml b/kubernetes/istio/istio-gateway-tls.yaml
@@ -10,17 +10,17 @@ spec:
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
       name: https
-      number: 443
-      protocol: HTTPS
+      number: 8443
+      protocol: HTTP2
     tls:
       credentialName: tls-openg2p-ingress
       mode: SIMPLE
diff --git a/kubernetes/istio/istio-gateway.yaml b/kubernetes/istio/istio-gateway.yaml
@@ -10,17 +10,17 @@ spec:
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http-redirect-https
-      number: 81
-      protocol: HTTP
+      name: http2-redirect-https
+      number: 8081
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
@@ -34,14 +34,14 @@ spec:
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http-redirect-https
-      number: 81
-      protocol: HTTP
+      name: http2-redirect-https
+      number: 8081
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
diff --git a/kubernetes/istio/istio-operator-no-external-lb.yaml b/kubernetes/istio/istio-operator-no-external-lb.yaml
@@ -20,6 +20,8 @@ spec:
       enabled: true
       label:
         istio: ingressgateway
+        istio-rancher: ingressgateway
+        istio-keycloak: ingressgateway
       k8s:
         nodeSelector:
           shouldInstallIstioIngress: "true"
@@ -45,16 +47,13 @@ spec:
         service:
           type: ClusterIP
           ports:
-          - port: 15021
-            name: status-port
-            targetPort: 15021
-            protocol: TCP
-          - port: 443
-            targetPort: 8443
-            name: https
-          - port: 80
+          - name: tcp-status-port
+            port: 15021
+          - name: http2
+            port: 80
             targetPort: 8080
-            name: http2
-          - port: 5432
-            targetPort: 5432
-            name: tcp-postgres
+          - name: https
+            port: 443
+            targetPort: 8443
+          - name: tcp-postgres
+            port: 5432
diff --git a/kubernetes/istio/istio-operator-no-ingress.yaml b/kubernetes/istio/istio-operator-no-ingress.yaml
@@ -0,0 +1,20 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  namespace: istio-system
+  name: primary
+spec:
+  profile: default
+  meshConfig:
+    accessLogFile: /dev/stdout
+    enableTracing: true
+    pathNormalization:
+      normalization: MERGE_SLASHES
+    defaultConfig:
+      proxyMetadata:
+        ISTIO_META_IDLE_TIMEOUT: 0s
+      holdApplicationUntilProxyStarts: true
+  components:
+    ingressGateways:
+    - name: istio-ingressgateway
+      enabled: false
diff --git a/kubernetes/istio/istio-operator.yaml b/kubernetes/istio/istio-operator.yaml
@@ -30,20 +30,18 @@ spec:
           ports:
           - name: tcp-status-port
             port: 15021
-            targetPort: 15021
             nodePort: 30521
           - name: http2
             port: 80
             targetPort: 8080
             nodePort: 30080
-          - name: tcp-postgres
-            port: 5432
-            targetPort: 5432
-            nodePort: 30432
-          - name: http-redirect-https
+          - name: http2-redirect-https
             port: 81
             targetPort: 8081
             nodePort: 30081
+          - name: tcp-postgres
+            port: 5432
+            nodePort: 30432
     - name: istio-ingressgateway-public
       enabled: false
       label:
@@ -58,17 +56,12 @@ spec:
           ports:
           - name: tcp-status-port
             port: 15021
-            targetPort: 15021
             nodePort: 31521
           - name: http2
             port: 80
             targetPort: 8080
             nodePort: 31080
-          - name: tcp-postgres
-            port: 5432
-            targetPort: 5432
-            nodePort: 31432
-          - name: http-redirect-https
+          - name: http2-redirect-https
             port: 81
             targetPort: 8081
             nodePort: 31081
diff --git a/kubernetes/keycloak/README.md b/kubernetes/keycloak/README.md
@@ -1,3 +1,11 @@
 ## Keycloak
 
-- Refer to [Keycloak deployment instructions](https://docs.openg2p.org/deployment/external-components-setup/keycloak-deployment)
+This directory contains instructions to install Keycloak.
+This Keycloak is only one per Organization (which is now suggested to be installed as part of [Rancher](../rancher)).
+
+This is NOT to be installed on OpenG2P cluster (except when in box mode).
+
+The client creation and Keycloak init scripts have been removed in favor of the above.
+And relevant keycloak related instructions have been added wherever required.
+
+The older scripts & instructions can be found at this [link](https://github.com/OpenG2P/openg2p-deployment/tree/f2dfa3673ce272a552eafff1496faed68f0575ab/kubernetes/keycloak).
diff --git a/kubernetes/keycloak/copy_secrets.sh b/kubernetes/keycloak/copy_secrets.sh
diff --git a/kubernetes/keycloak/install.sh b/kubernetes/keycloak/install.sh
@@ -1,53 +1,21 @@
 #!/usr/bin/env bash
 
-export SANDBOX_HOSTNAME=${SANDBOX_HOSTNAME:-openg2p.sandbox.net}
-export KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME:-keycloak.$SANDBOX_HOSTNAME}
-export KEYCLOAK_REALM_NAME=${KEYCLOAK_REALM_NAME:-openg2p}
+export KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME:-keycloak.openg2p.net}
+export KEYCLOAK_ISTIO_OPERATOR=${KEYCLOAK_ISTIO_OPERATOR:-true}
+export TLS=${TLS:-false}
+export NS=${NS:-keycloak-system}
 
-. ../utils/keycloak.sh
-
-NS=keycloak
-
-echo Create $NS namespace
 kubectl create ns $NS
 
-./copy_secrets.sh
-
-# previous version used 14.2.0.
-helm -n $NS install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak --version 18.0.0 -f values.yaml --wait $@
-
-kubectl -n $NS create cm keycloak-host \
-  --from-literal=keycloak-internal-host=keycloak.$NS \
-  --from-literal=keycloak-internal-url=http://keycloak.$NS \
-  --from-literal=keycloak-external-host=$KEYCLOAK_HOSTNAME \
-  --from-literal=keycloak-external-url=https://$KEYCLOAK_HOSTNAME
+helm -n $NS upgrade --install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak \
+    -f values-keycloak.yaml
 
-if [ "$KEYCLOAK_ISTIO_ENABLED" != "false" ]; then
-  envsubst < istio-virtualservice.template.yaml | kubectl apply -n $NS -f -
+if [[ "$KEYCLOAK_ISTIO_OPERATOR" == "true" ]]; then
+    kubectl apply -f istio-operator.yaml
 fi
 
-if [ "$KEYCLOAK_INIT_ENABLED" != "false" ]; then
-  helm -n $NS install keycloak-init ./keycloak-init --wait $@
-
-  export OPENG2P_ADMIN_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_admin_client_secret} | base64 --decode)
-  export OPENG2P_SELFSERVICE_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_selfservice_client_secret} | base64 --decode)
-  export OPENG2P_SERVICEPROVIDER_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_serviceprovider_client_secret} | base64 --decode)
-  export OPENG2P_MINIO_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_minio_client_secret} | base64 --decode)
-  export OPENG2P_KAFKA_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_kafka_client_secret} | base64 --decode)
-  export OPENG2P_OPENSEARCH_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_opensearch_client_secret} | base64 --decode)
-  export OPENG2P_SUPERSET_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_superset_client_secret} | base64 --decode)
-
-  envsubst \
-    '${KEYCLOAK_HOSTNAME}
-    ${OPENG2P_ADMIN_CLIENT_SECRET}
-    ${OPENG2P_SELFSERVICE_CLIENT_SECRET}
-    ${OPENG2P_SERVICEPROVIDER_CLIENT_SECRET}
-    ${OPENG2P_MINIO_CLIENT_SECRET}
-    ${OPENG2P_KAFKA_CLIENT_SECRET}
-    ${OPENG2P_OPENSEARCH_CLIENT_SECRET}
-    ${OPENG2P_SUPERSET_CLIENT_SECRET}' < ${KEYCLOAK_REALM_NAME}-realm.json > /tmp/${KEYCLOAK_REALM_NAME}-realm.json
-
-  keycloak_import_realm \
-    "$(keycloak_get_admin_token)" \
-    "/tmp/${KEYCLOAK_REALM_NAME}-realm.json"
+if [[ "$TLS" == "true" ]]; then
+    envsubst < istio-virtualservice-tls.template.yaml | kubectl -n $NS apply -f -
+else
+    envsubst < istio-virtualservice.template.yaml | kubectl -n $NS apply -f -
 fi
diff --git a/kubernetes/keycloak/istio-operator.yaml b/kubernetes/keycloak/istio-operator.yaml
@@ -0,0 +1,46 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  namespace: istio-system
+  name: keycloak
+spec:
+  profile: default
+  meshConfig:
+    accessLogFile: /dev/stdout
+    enableTracing: true
+    pathNormalization:
+      normalization: MERGE_SLASHES
+    defaultConfig:
+      proxyMetadata:
+        ISTIO_META_IDLE_TIMEOUT: 0s
+      holdApplicationUntilProxyStarts: true
+  components:
+    base:
+      enabled: false
+    ingressGateways:
+    - name: istio-ingressgateway
+      enabled: false
+    - name: istio-ingressgateway-keycloak
+      enabled: true
+      label:
+        istio: ingressgateway-keycloak
+        istio-keycloak: ingressgateway
+      k8s:
+        hpaSpec:
+          minReplicas: 2
+        nodeSelector:
+          shouldInstallIstioIngress: "true"
+        service:
+          type: NodePort
+          ports:
+          - name: tcp-status-port
+            port: 15021
+            nodePort: 31521
+          - name: http2
+            port: 80
+            targetPort: 8080
+            nodePort: 31080
+          - name: http2-redirect-https
+            port: 81
+            targetPort: 8081
+            nodePort: 31081
diff --git a/kubernetes/keycloak/istio-virtualservice-tls.template.yaml b/kubernetes/keycloak/istio-virtualservice-tls.template.yaml
@@ -0,0 +1,45 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: keycloak
+spec:
+  selector:
+    istio-keycloak: ingressgateway
+  servers:
+  - hosts:
+    - ${KEYCLOAK_HOSTNAME}
+    port:
+      name: http2
+      number: 8080
+      protocol: HTTP2
+    tls:
+      httpsRedirect: true
+  - hosts:
+    - ${KEYCLOAK_HOSTNAME}
+    port:
+      name: https
+      number: 8443
+      protocol: HTTPS
+    tls:
+      credentialName: tls-keycloak-ingress
+      mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: keycloak
+spec:
+  gateways:
+  - keycloak
+  hosts:
+  - ${KEYCLOAK_HOSTNAME}
+  http:
+  - route:
+    - destination:
+        host: keycloak
+        port:
+          number: 80
+    headers:
+      request:
+        set:
+          x-forwarded-proto: https