Merge pull request #25 from lalithkota/main
Rancher Keycloak Installation scripts updated. In-a-box scripts updated.
Showing
21 changed files
with
316 additions
and
5,299 deletions.
@@ -0,0 +1,20 @@ | ||
apiVersion: install.istio.io/v1alpha1 | ||
kind: IstioOperator | ||
metadata: | ||
namespace: istio-system | ||
name: primary | ||
spec: | ||
profile: default | ||
meshConfig: | ||
accessLogFile: /dev/stdout | ||
enableTracing: true | ||
pathNormalization: | ||
normalization: MERGE_SLASHES | ||
defaultConfig: | ||
proxyMetadata: | ||
ISTIO_META_IDLE_TIMEOUT: 0s | ||
holdApplicationUntilProxyStarts: true | ||
components: | ||
ingressGateways: | ||
- name: istio-ingressgateway | ||
enabled: false |
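Review bot: `ISTIO_META_IDLE_TIMEOUT: 0s` under `defaultConfig.proxyMetadata` appears to disable the proxy idle timeout altogether (Istio treats 0s as "no timeout"), so idle client and upstream connections are held open indefinitely and slow or abandoned clients can exhaust gateway connection capacity. If the intent is to outlast the default for long-running Keycloak admin sessions, a bounded value with the reason stated is safer, e.g. `ISTIO_META_IDLE_TIMEOUT: 3600s  # long admin sessions; 0s would disable the timeout entirely` (the 3600s is illustrative). The same line is repeated in the IstioOperator for the keycloak gateway further down in this commit, so whichever value is chosen belongs in both files. Neither file's path is shown on this page.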
@@ -1,3 +1,11 @@ | ||
## Keycloak | ||
|
||
- Refer to [Keycloak deployment instructions](https://docs.openg2p.org/deployment/external-components-setup/keycloak-deployment) | ||
This directory contains instructions to install Keycloak. | ||
This Keycloak is only one per Organization (which is now suggested to be installed as part of [Rancher](../rancher)). | ||
|
||
This is NOT to be installed on OpenG2P cluster (except when in box mode). | ||
|
||
The client creation and Keycloak init scripts have been removed in favor of the above. | ||
And relevant keycloak related instructions have been added wherever required. | ||
|
||
The older scripts & instructions can be found at this [link](https://github.com/OpenG2P/openg2p-deployment/tree/f2dfa3673ce272a552eafff1496faed68f0575ab/kubernetes/keycloak). |
@@ -1,53 +1,21 @@ | ||
#!/usr/bin/env bash | ||
|
||
export SANDBOX_HOSTNAME=${SANDBOX_HOSTNAME:-openg2p.sandbox.net} | ||
export KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME:-keycloak.$SANDBOX_HOSTNAME} | ||
export KEYCLOAK_REALM_NAME=${KEYCLOAK_REALM_NAME:-openg2p} | ||
export KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME:-keycloak.openg2p.net} | ||
export KEYCLOAK_ISTIO_OPERATOR=${KEYCLOAK_ISTIO_OPERATOR:-true} | ||
export TLS=${TLS:-false} | ||
export NS=${NS:-keycloak-system} | ||
|
||
. ../utils/keycloak.sh | ||
|
||
NS=keycloak | ||
|
||
echo Create $NS namespace | ||
kubectl create ns $NS | ||
|
||
./copy_secrets.sh | ||
|
||
# previous version used 14.2.0. | ||
helm -n $NS install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak --version 18.0.0 -f values.yaml --wait $@ | ||
|
||
kubectl -n $NS create cm keycloak-host \ | ||
--from-literal=keycloak-internal-host=keycloak.$NS \ | ||
--from-literal=keycloak-internal-url=http://keycloak.$NS \ | ||
--from-literal=keycloak-external-host=$KEYCLOAK_HOSTNAME \ | ||
--from-literal=keycloak-external-url=https://$KEYCLOAK_HOSTNAME | ||
helm -n $NS upgrade --install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak \ | ||
-f values-keycloak.yaml | ||
|
||
if [ "$KEYCLOAK_ISTIO_ENABLED" != "false" ]; then | ||
envsubst < istio-virtualservice.template.yaml | kubectl apply -n $NS -f - | ||
if [[ "$KEYCLOAK_ISTIO_OPERATOR" == "true" ]]; then | ||
kubectl apply -f istio-operator.yaml | ||
fi | ||
|
||
if [ "$KEYCLOAK_INIT_ENABLED" != "false" ]; then | ||
helm -n $NS install keycloak-init ./keycloak-init --wait $@ | ||
|
||
export OPENG2P_ADMIN_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_admin_client_secret} | base64 --decode) | ||
export OPENG2P_SELFSERVICE_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_selfservice_client_secret} | base64 --decode) | ||
export OPENG2P_SERVICEPROVIDER_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_serviceprovider_client_secret} | base64 --decode) | ||
export OPENG2P_MINIO_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_minio_client_secret} | base64 --decode) | ||
export OPENG2P_KAFKA_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_kafka_client_secret} | base64 --decode) | ||
export OPENG2P_OPENSEARCH_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_opensearch_client_secret} | base64 --decode) | ||
export OPENG2P_SUPERSET_CLIENT_SECRET=$(kubectl -n $NS get secret keycloak-client-secrets -o jsonpath={.data.openg2p_superset_client_secret} | base64 --decode) | ||
|
||
envsubst \ | ||
'${KEYCLOAK_HOSTNAME} | ||
${OPENG2P_ADMIN_CLIENT_SECRET} | ||
${OPENG2P_SELFSERVICE_CLIENT_SECRET} | ||
${OPENG2P_SERVICEPROVIDER_CLIENT_SECRET} | ||
${OPENG2P_MINIO_CLIENT_SECRET} | ||
${OPENG2P_KAFKA_CLIENT_SECRET} | ||
${OPENG2P_OPENSEARCH_CLIENT_SECRET} | ||
${OPENG2P_SUPERSET_CLIENT_SECRET}' < ${KEYCLOAK_REALM_NAME}-realm.json > /tmp/${KEYCLOAK_REALM_NAME}-realm.json | ||
|
||
keycloak_import_realm \ | ||
"$(keycloak_get_admin_token)" \ | ||
"/tmp/${KEYCLOAK_REALM_NAME}-realm.json" | ||
if [[ "$TLS" == "true" ]]; then | ||
envsubst < istio-virtualservice-tls.template.yaml | kubectl -n $NS apply -f - | ||
else | ||
envsubst < istio-virtualservice.template.yaml | kubectl -n $NS apply -f - | ||
fi |
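Review bot: The rewritten helm line (`helm -n $NS upgrade --install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak -f values-keycloak.yaml`) drops the `--version 18.0.0` pin and the `--wait` that the removed install line carried, so each run resolves whatever the registry currently serves as latest and the deployed chart can no longer be audited against values-keycloak.yaml. Keep the version explicit, e.g. `--version "${KEYCLOAK_CHART_VERSION:-18.0.0}" --wait` (the variable name is a suggestion), and quote `"$NS"` while there, since `kubectl create ns $NS` and both `kubectl -n $NS apply` lines share the same unquoted expansion. The script still has no `set -e`, so a failed helm release proceeds to apply the Istio operator and VirtualService anyway; `set -euo pipefail` after the shebang, or `|| exit 1` on the helm line, would stop at the first failure. `TLS` defaults to `false`, which selects the plain-HTTP VirtualService template; that may be the intended in-a-box default, but it is not stated in the README hunk of this commit.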
@@ -0,0 +1,46 @@ | ||
apiVersion: install.istio.io/v1alpha1 | ||
kind: IstioOperator | ||
metadata: | ||
namespace: istio-system | ||
name: keycloak | ||
spec: | ||
profile: default | ||
meshConfig: | ||
accessLogFile: /dev/stdout | ||
enableTracing: true | ||
pathNormalization: | ||
normalization: MERGE_SLASHES | ||
defaultConfig: | ||
proxyMetadata: | ||
ISTIO_META_IDLE_TIMEOUT: 0s | ||
holdApplicationUntilProxyStarts: true | ||
components: | ||
base: | ||
enabled: false | ||
ingressGateways: | ||
- name: istio-ingressgateway | ||
enabled: false | ||
- name: istio-ingressgateway-keycloak | ||
enabled: true | ||
label: | ||
istio: ingressgateway-keycloak | ||
istio-keycloak: ingressgateway | ||
k8s: | ||
hpaSpec: | ||
minReplicas: 2 | ||
nodeSelector: | ||
shouldInstallIstioIngress: "true" | ||
service: | ||
type: NodePort | ||
ports: | ||
- name: tcp-status-port | ||
port: 15021 | ||
nodePort: 31521 | ||
- name: http2 | ||
port: 80 | ||
targetPort: 8080 | ||
nodePort: 31080 | ||
- name: http2-redirect-https | ||
port: 81 | ||
targetPort: 8081 | ||
nodePort: 31081 |
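Review bot: The NodePort service of `istio-ingressgateway-keycloak` exposes only 15021, 80→8080 and 81→8081, while the Gateway added in `kubernetes/keycloak/istio-virtualservice-tls.template.yaml` in this same commit listens on 8443 (`protocol: HTTPS`, `mode: SIMPLE`), so with `TLS=true` no service port carries HTTPS to the gateway pods and the `httpsRedirect` on 8080 sends clients to a port nothing answers. Unless an external load balancer reaches 8443 by a route not shown on this page, add an HTTPS entry to `service.ports` mapping 443 to `targetPort: 8443` with its own `nodePort`, and note in the file which of the two templates each port serves. The file's path is not shown on this page.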
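--- a/kubernetes/keycloak/istio-virtualservice-tls.template.yaml
+++ b/kubernetes/keycloak/istio-virtualservice-tls.template.yaml
@@ -0,0 +1,45 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+name: keycloak
+spec:
+selector:
+istio-keycloak: ingressgateway
+servers:
+- hosts:
+- ${KEYCLOAK_HOSTNAME}
+port:
+name: http2
+number: 8080
+protocol: HTTP2
+tls:
+httpsRedirect: true
+- hosts:
+- ${KEYCLOAK_HOSTNAME}
+port:
+name: https
+number: 8443
+protocol: HTTPS
+tls:
+credentialName: tls-keycloak-ingress
+mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+name: keycloak
+spec:
+gateways:
+- keycloak
+hosts:
+- ${KEYCLOAK_HOSTNAME}
+http:
+- route:
+- destination:
+host: keycloak
+port:
+number: 80
+headers:
+request:
+set:
+x-forwarded-proto: https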
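Review bot: `credentialName: tls-keycloak-ingress` references a TLS secret that nothing in this commit creates or documents: install.sh in the same commit only applies this template, and the README hunk does not mention the secret, so a `TLS=true` install leaves the 8443 listener waiting on a credential that was never provisioned. Add a comment above the Gateway along the lines of `# Requires a kubernetes.io/tls secret named tls-keycloak-ingress in the namespace where the keycloak ingress gateway pods run (presumably istio-system, the namespace of the IstioOperator CR in this commit)`, and have install.sh or the README say how it is provisioned. Consider also setting `minProtocolVersion: TLSV1_2` in the HTTPS server's `tls` block so the accepted protocol floor is explicit rather than inherited from the Istio default.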