[PLATFORM][KEYCLOAK] Update Keycloak instructions and Realm import
Update Keycloak installation instructions to use keycloakx
(Quarkus based) and update of REALM import
Move the creation of the keycloak-ui ingress setup from helmchart
to documentation.
Issue-ID: OOM-3267
Change-Id: I3c79b05edd488f60a112590584974ba94a8c71a8
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
index 4c21217..f25f4e7 100644
--- a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
@@ -358,7 +358,7 @@
- create keycloak namespace::
> kubectl create namespace keycloak
- > kubectl label namespace keycloak istio-injection=enabled
+ > kubectl label namespace keycloak istio-injection=disabled
Install Keycloak-Database
^^^^^^^^^^^^^^^^^^^^^^^^^
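Review bot: switching the `keycloak` namespace from `istio-injection=enabled` to `istio-injection=disabled` changes the security posture of every pod in that namespace, and the hunk gives no reason for it. The guide should state why injection is turned off for the new `keycloakx` deployment and what it implies: Keycloak pods run without a sidecar, so traffic from the Istio ingress gateway to the Keycloak service is no longer mesh mTLS and the pod is reachable by plain HTTP from inside the cluster. Suggest a short `.. note::` next to the command explaining the rationale, plus a pointer to how in-cluster access to Keycloak is restricted (for example a NetworkPolicy allowing only the gateway namespace).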
@@ -388,7 +388,21 @@
- Install keycloak::
- > helm -n keycloak upgrade -i keycloak codecentric/keycloak --values ./keycloak-server-values.yaml
+ > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml
The required Ingress entry and REALM will be provided by the ONAP "Platform"
component.
+
+- Create Ingress gateway entry for the keycloak web interface
+ using the configured Ingress <base-url> (here "simpledemo.onap.org")
+ as described in :ref:`oom_customize_overrides`
+
+ .. collapse:: keycloak-ingress.yaml
+
+ .. include:: ../../resources/yaml/keycloak-ingress.yaml
+ :code: yaml
+
+- Add the Ingress entry for Keycloak::
+
+ > kubectl -n keycloak apply -f keycloak-ingress.yaml
+
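Review bot: the unchanged sentence `The required Ingress entry and REALM will be provided by the ONAP "Platform" component.` now contradicts the two list items added directly below it, because this change moves the Ingress creation out of the Helm chart into the guide; reword it so that only the REALM import is attributed to the Platform component and the Ingress entry is applied manually as shown. Also, the included `keycloak-ingress.yaml` hard-codes `keycloak-ui.simpledemo.onap.org` while the text tells the reader to use their configured `<base-url>`; say explicitly that the `hostnames` entries in the file must be edited before `kubectl -n keycloak apply -f keycloak-ingress.yaml`.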
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
index dc206e0..3b198cf 100644
--- a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
@@ -36,5 +36,5 @@
.. figure:: ../../resources/images/servicemesh/ServiceMesh.png
:align: center
-For external access we start to establish Authentication via Oauth2-proxy
-and Keycloak which will be completed in the coming release.
+For external access we propose to establish Authentication via Oauth2-proxy
+and Keycloak which is described in this document.
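Review bot: minor wording in the replaced sentence: `Authentication` need not be capitalised mid-sentence and the project name is `OAuth2-Proxy`, so `we propose to establish Authentication via Oauth2-proxy and Keycloak which is described in this document` reads better as `we propose to establish authentication via OAuth2-Proxy and Keycloak, as described in this document`.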
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
index 4eefdaf..dbb965d 100644
--- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
@@ -60,7 +60,7 @@
============== ====== ============ ==============
London 1.17.2 v0.6.2 19.0.3-legacy
Montreal 1.19.3 v1.0.0 19.0.3-legacy
- New Delhi 1.19.3 v1.0.0 19.0.3-legacy
+ New Delhi 1.19.3 v1.0.0 22.0.4
============== ====== ============ ==============
.. table:: OOM Software Requirements (optional)
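Review bot: the New Delhi row only bumps the Keycloak version to `22.0.4`, but this change also switches the Helm chart from `codecentric/keycloak` to `codecentric/keycloakx` (see the `helm -n keycloak upgrade -i` line in `oom_infra_base_config_setup.rst` in this change); the requirements table or its column heading should name the chart as well, so a reader does not pair the 22.x version with the legacy chart. Keeping `19.0.3-legacy` on the London and Montreal rows is consistent with the old chart.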
diff --git a/docs/sections/resources/yaml/keycloak-ingress.yaml b/docs/sections/resources/yaml/keycloak-ingress.yaml
new file mode 100644
index 0000000..91fc34f
--- /dev/null
+++ b/docs/sections/resources/yaml/keycloak-ingress.yaml
@@ -0,0 +1,55 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-80
+ rules:
+ Filters:
+ Request Redirect:
+ Port: 443
+ Scheme: https
+ Status Code: 301
+ Type: RequestRedirect
+ Matches:
+ Path:
+ Type: PathPrefix
+ Value: /auth
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: keycloak-ui-http-route
+ namespace: keycloak
+spec:
+ hostnames:
+ - keycloak-ui.simpledemo.onap.org
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: common-gateway
+ namespace: istio-ingress
+ sectionName: https-443
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: keycloak-keycloakx-http
+ port: 80
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /auth
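Review bot: the first HTTPRoute in `keycloak-ingress.yaml` is not valid Gateway API YAML and `kubectl apply` will reject it: `spec.rules` must be a list, and the field names are lower camel case (`filters`, `requestRedirect`, `port`, `scheme`, `statusCode`, `type`, `matches`, `path`, `value`), not `Filters:`, `Request Redirect:`, `Status Code:` and so on. The block should become `rules:` with one item `- filters:` containing `- type: RequestRedirect` and `requestRedirect: {scheme: https, port: 443, statusCode: 301}`, followed by a `matches:` list with the `PathPrefix` `/auth` entry, mirroring the shape of the second route. Second, both documents use `name: keycloak-ui-http-route` in namespace `keycloak`, so the second one overwrites the first on apply and the HTTP-to-HTTPS redirect never exists; give the redirect route a distinct name such as `keycloak-ui-http-redirect`. Third, both routes match `/auth`, but the Quarkus-based Keycloak started by the `kc.sh start` command in `keycloak-server-values.yaml` in this change serves at the root path unless `--http-relative-path=/auth` is added to that command; either add the option or change the route prefix, otherwise every request through the gateway returns 404. Finally, `app.kubernetes.io/managed-by: Helm` is misleading on a manifest the guide applies by hand; drop the label.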
diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml
index 7eaecbe..0160ce8 100644
--- a/docs/sections/resources/yaml/keycloak-server-values.yaml
+++ b/docs/sections/resources/yaml/keycloak-server-values.yaml
@@ -1,53 +1,48 @@
-image:
- # The Keycloak image repository
- repository: quay.io/keycloak/keycloak
- # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "19.0.3-legacy"
-
-postgresql:
- # If `true`, the Postgresql dependency is enabled
- enabled: false
+---
+command:
+ - "/opt/keycloak/bin/kc.sh"
+ - "--verbose"
+ - "start"
+ - "--http-enabled=true"
+ - "--http-port=8080"
+ - "--hostname-strict=false"
+ - "--hostname-strict-https=false"
+ - "--spi-events-listener-jboss-logging-success-level=info"
+ - "--spi-events-listener-jboss-logging-error-level=warn"
extraEnv: |
- - name: KEYCLOAK_USER
+ - name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: user
- - name: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: password
- - name: DB_VENDOR
- value: postgres
- - name: DB_ADDR
- value: keycloak-db-postgresql
- - name: DB_PORT
- value: "5432"
- - name: DB_DATABASE
- value: keycloak
- - name: DB_USER
- value: dbusername
- - name: DB_PASSWORD_FILE
- value: /secrets/db-creds/password
+ - name: JAVA_OPTS_APPEND
+ value: >-
+ -XX:+UseContainerSupport
+ -XX:MaxRAMPercentage=50.0
+ -Djava.awt.headless=true
+ -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
- name: PROXY_ADDRESS_FORWARDING
value: "true"
-extraVolumeMounts: |
- - name: db-creds
- mountPath: /secrets/db-creds
- readOnly: true
+dbchecker:
+ enabled: true
-extraVolumes: |
- - name: db-creds
- secret:
- secretName: keycloak-db-postgresql
+database:
+ vendor: postgres
+ hostname: keycloak-db-postgresql
+ port: 5432
+ username: dbusername
+ password: dbpassword
+ database: keycloak
secrets:
admin-creds:
- annotations:
- my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
stringData:
user: admin
- password: secret
\ No newline at end of file
+ password: secret
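Review bot: `database.password: dbpassword` places the database credential as a literal in a values file that is committed to the docs repository, whereas the removed lines obtained it from the `keycloak-db-postgresql` Secret via `DB_PASSWORD_FILE`; keep the secret-based approach (check whether the `keycloakx` chart version in use offers an existing-Secret option such as `database.existingSecret`/`database.existingSecretKey`) or at least state in the guide that this value must be replaced. The same applies to `password: secret` under `admin-creds`, which the guide now ships as a working default for the `KEYCLOAK_ADMIN` account exposed on the public UI route. Also, `--hostname-strict=false` and `--hostname-strict-https=false` relax Keycloak's host and scheme checks; since the server sits behind the gateway with `PROXY_ADDRESS_FORWARDING=true`, it is safer to set `--hostname=keycloak-ui.<base-url>` and keep the strict checks on. The leading `---` document marker is harmless but unnecessary in a Helm values file.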