Commit 3d8535bf authored by Oleksandr Kosse (EPAM)'s avatar Oleksandr Kosse (EPAM)

Merge branch 'GONRG-4429-keycloack-bootstrap' into 'master'

Gonrg 4429 keycloak bootstrap

See merge request !274
parents c59b3bc5 0e76af05
FROM ubuntu:20.04
FROM bitnami/keycloak:16.1.1 as stage
RUN apt-get update && apt-get -y install wget && apt install -yq postgresql-client
FROM ubuntu:20.04
RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc && chmod +x mc && mv mc /usr/bin/mc
RUN apt-get update && \
apt-get -yq install wget curl jq openjdk-8-jdk postgresql-client && \
wget https://dl.min.io/client/mc/release/linux-amd64/mc && \
chmod +x mc && \
mv mc /usr/bin/mc
COPY --from=stage /opt/bitnami/keycloak/bin/client/keycloak-admin-cli-16.1.1.jar /opt/keycloak/keycloak-admin-cli-16.1.1.jar
COPY ./bootstrap_infra_on_prem ./opt
RUN chmod +x /opt/minio.sh /opt/postgresql.sh /opt/autostart.sh
RUN chmod +x /opt/keycloak/keycloak_bootstrap.sh /opt/minio.sh /opt/postgresql.sh /opt/autostart.sh
CMD ["/bin/bash", "-c", "/opt/autostart.sh"]
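Review bot: The new multi-line RUN fetches `mc` from `https://dl.min.io/client/mc/release/linux-amd64/mc` with no version pin and no checksum, so every build installs whatever that URL serves at the moment and a changed or tampered download lands in `/usr/bin` unverified; compare the file against a known digest after the download and pin to a specific release where the download site offers one. The same RUN installs without `--no-install-recommends` and leaves `/var/lib/apt/lists` in the layer, and the image ends without a `USER` directive, so `autostart.sh` and the bootstrap scripts run as root. If `--no-install-recommends` is added, `ca-certificates` must be listed explicitly, otherwise the https fetch of `mc` fails on the bare ubuntu base. The rewritten install step and a non-root final user are sketched below; the chmod lines can use `COPY --chown` for the same effect without an extra layer.
```dockerfile
RUN apt-get update && \
    apt-get -yq install --no-install-recommends \
        ca-certificates curl jq openjdk-8-jdk postgresql-client wget && \
    rm -rf /var/lib/apt/lists/* && \
    wget -O /usr/bin/mc https://dl.min.io/client/mc/release/linux-amd64/mc && \
    echo "<sha256 of the pinned mc release>  /usr/bin/mc" | sha256sum -c - && \
    chmod +x /usr/bin/mc
# … unchanged: COPY --from=stage of keycloak-admin-cli jar, COPY of bootstrap_infra_on_prem, chmod …
RUN useradd --system --uid 10001 --no-create-home bootstrap
USER bootstrap
CMD ["/opt/autostart.sh"]
```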
......@@ -9,5 +9,14 @@ Secrets should come from env files:
MINIO_SECRET_KEY
SERVICE_USER_PASSWORD
DATA_USER_PASSWORD
KEYCLOAK_REALM_NAME
KEYCLOAK_SERVICE_URL
KEYCLOAK_ADMIN_PASSWORD
KEYCLOAK_INDEXER_CLIENT_SECRET
KEYCLOAK_CATALOG_CLIENT_SECRET
KEYCLOAK_CONVERSION_CLIENT_SECRET
KEYCLOAK_SCHEMA_CLIENT_SECRET
KEYCLOAK_LEGAL_CLIENT_SECRET
KEYCLOAK_ENTITELEMENTS_CLIENT_SECRET
```
#!/bin/bash
#!/usr/bin/env bash
set -ex
......@@ -16,6 +16,16 @@ source ./validate-env.sh "POSTGRESQL_PASSWORD"
source ./validate-env.sh "POSTGRESQL_DATABASE"
source ./validate-env.sh "DATA_PARTITION_ID"
source ./validate-env.sh "POSTGRESQL_FILE_LOCATION_KIND"
source ./validate-env.sh "KEYCLOAK_SERVICE_URL"
source ./validate-env.sh "KEYCLOAK_ADMIN_PASSWORD"
source ./validate-env.sh "KEYCLOAK_REALM_NAME"
source ./validate-env.sh "KEYCLOAK_INDEXER_CLIENT_SECRET"
source ./validate-env.sh "KEYCLOAK_CATALOG_CLIENT_SECRET"
source ./validate-env.sh "KEYCLOAK_CONVERSION_CLIENT_SECRET"
source ./validate-env.sh "KEYCLOAK_SCHEMA_CLIENT_SECRET"
source ./validate-env.sh "KEYCLOAK_LEGAL_CLIENT_SECRET"
source ./validate-env.sh "KEYCLOAK_ENTITELEMENTS_CLIENT_SECRET"
./keycloak/keycloak_bootstrap.sh
./minio.sh
./postgresql.sh
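Review bot: The new `./keycloak/keycloak_bootstrap.sh` call, like the pre-existing `source ./validate-env.sh` and `./minio.sh` lines, is resolved against the current working directory, while the Dockerfile starts this script as `/opt/autostart.sh` from `CMD` with no `WORKDIR`, so the call only works if a `cd` earlier in the script (above this hunk) moves into `/opt`. If there is no such line, `cd "$(dirname "$0")"` directly after `set -ex` makes the script independent of where it is launched from. The script's head is outside this hunk.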
#!/bin/sh
case "`uname`" in
CYGWIN*)
CFILE = `cygpath "$0"`
RESOLVED_NAME=`readlink -f "$CFILE"`
;;
Darwin*)
RESOLVED_NAME=`readlink "$0"`
;;
FreeBSD)
RESOLVED_NAME=`readlink -f "$0"`
;;
Linux)
RESOLVED_NAME=`readlink -f "$0"`
;;
esac
if [ "x$RESOLVED_NAME" = "x" ]; then
RESOLVED_NAME="$0"
fi
DIRNAME=`dirname "$RESOLVED_NAME"`
java $KC_OPTS -cp $DIRNAME/keycloak-admin-cli-16.1.1.jar org.keycloak.client.admin.cli.KcAdmMain "$@"
#!/usr/bin/env bash
set -ex
# List of service accounts and passwords
cat << EOF > /tmp/ServiceAccounts.json
{
"indexer": "${KEYCLOAK_INDEXER_CLIENT_SECRET}",
"catalog": "${KEYCLOAK_CATALOG_CLIENT_SECRET}",
"conversion": "${KEYCLOAK_CONVERSION_CLIENT_SECRET}",
"schema": "${KEYCLOAK_SCHEMA_CLIENT_SECRET}",
"legal": "${KEYCLOAK_LEGAL_CLIENT_SECRET}",
"entitelements": "${KEYCLOAK_ENTITELEMENTS_CLIENT_SECRET}"
}
EOF
while [ $(curl -s -w "%{http_code}\n" http://$KEYCLOAK_SERVICE_URL/auth -o /dev/null) -eq 503 ]
do
echo "Keycloak is configuring ..." && sleep 1
done
#Create realm
/opt/keycloak/kcadm.sh config credentials --server http://$KEYCLOAK_SERVICE_URL/auth --realm master --user user --password $KEYCLOAK_ADMIN_PASSWORD --config /tmp/key.config
/opt/keycloak/kcadm.sh create realms -s realm=$KEYCLOAK_REALM_NAME -s accessTokenLifespan=3600 -s displayName="$KEYCLOAK_REALM_NAME Realm" -s enabled=true --config /tmp/key.config
# Create service accounts(clients)
SERVICE_ACCOUNTS=( $(cat /tmp/ServiceAccounts.json | jq -r 'keys_unsorted[]') )
SERVICE_PASSWORDS=( $(cat /tmp/ServiceAccounts.json | jq -r 'values[]') )
for i in ${!SERVICE_ACCOUNTS[@]}; do
/opt/keycloak/kcadm.sh create clients -r $KEYCLOAK_REALM_NAME -s clientId="$KEYCLOAK_REALM_NAME-${SERVICE_ACCOUNTS[$i]}" -s secret=${SERVICE_PASSWORDS[$i]} -s authorizationServicesEnabled=true -s standardFlowEnabled=false -s serviceAccountsEnabled=true -s directAccessGrantsEnabled=true -s enabled=true --config /tmp/key.config
/opt/keycloak/kcadm.sh update users/$(/opt/keycloak/kcadm.sh get users -r $KEYCLOAK_REALM_NAME -q username=service-account-$KEYCLOAK_REALM_NAME-${SERVICE_ACCOUNTS[$i]} --config /tmp/key.config | jq -r ".[].id") -r $KEYCLOAK_REALM_NAME -s email=${SERVICE_ACCOUNTS[$i]}@service.local --config /tmp/key.config
done
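Review bot: `set -ex` on the second line traces every expanded command to stderr, so the `--password $KEYCLOAK_ADMIN_PASSWORD` on the `kcadm.sh config credentials` line and `-s secret=${SERVICE_PASSWORDS[$i]}` inside the loop are written, values included, to the bootstrap job's container log; use `set -e` here (or `set +x` around those two calls) so the admin password and the client secrets never reach the logs. The readiness loop only waits while Keycloak answers 503: when the service is not reachable yet curl prints `000`, the test is false and the script proceeds to realm creation, which then fails under `set -e`; waiting for a positive signal, `until [ "$(curl -s -o /dev/null -w '%{http_code}' "http://$KEYCLOAK_SERVICE_URL/auth")" = "200" ]; do`, is the safer condition (ideally with a retry limit so a broken deployment does not hang the job forever). `SERVICE_ACCOUNTS` and `SERVICE_PASSWORDS` are built by word-splitting jq output, so a secret containing whitespace would misalign the two arrays; reading them with `mapfile -t SERVICE_PASSWORDS < <(jq -r 'values[]' /tmp/ServiceAccounts.json)` keeps one entry per line. `/tmp/ServiceAccounts.json` holds all client secrets in clear text for the life of the container; `umask 077` before the heredoc and `rm -f` after the loop limit that exposure.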
# OSDU infrastructure onprem Helm Chart
This Chart is intended to replace cloud native solutions like pub/sub, cloud storage, and datastore for onprem solutions.
## Services currently added to the OSDU infra onprem Chart:
## [Services](https://charts.bitnami.com/bitnami) currently added to the OSDU infra onprem Chart:
* MinIO (version 9.2.10)
* RabbitMQ (version 8.24.13)
* Redis (version 6.2.6)
* Redis (version 15.7.4)
* Elasticsearch (version 7.17.0)
* Keycloak (version 16.1.1)
* Airflow
* Keycloak (version 6.1.2)
* Postgresql (version 11.1.1)
* Airflow (version 12.0.1)
## Prerequisites
### GKE Cluster
......@@ -25,82 +26,76 @@ Packages are only needed for installation from local computer.
**Set variables in values.yaml file using any code editor.**
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
|**airflow.enabled** | If true install Airflow | boolean | true | yes|
|**airflow.externalDatabase.host** | host of the external database | string | airflow-postgresql.default.svc.cluster.local | no |
|**airflow.externalDatabase.user** | user of the external database | string | keycloak | no<sup>1<sup> |
|**airflow.externalDatabase.password** | user's password of the external database | string | - | yes<sup>1<sup>|
|**airflow.externalDatabase.database** | PostgreSQL database for Airflow | string | keycloak | no<sup>1<sup> |
|**airflow.postgresql.enabled** | Deploy and use separate PostgreSQL service for Airflow | boolean | false | no |
|**airflow-postgresql.enabled** | If true install PostgreSQL database for Airflow | boolean | true | yes|
|**airflow-postgresql.global.postgresql.auth.postgresPassword** | Password for "postgres" user | string | - | no |
|**airflow-postgresql.global.postgresql.auth.username** | Airflow PostgreSQL username | string | airflow | no |
|**airflow-postgresql.global.postgresql.auth.password** | Airflow PostgreSQL password | string | - | yes |
|**airflow-postgresql.global.postgresql.auth.database** | Airflow PostgreSQL database | string | airflow | no |
|**bootstrap.infra.image.repository** | Repository of bootstrap image| string | - | yes |
|**bootstrap.infra.image.tag** | Tag of bootstrap image | string | - | yes |
|**bootstrap.infra.secret.dataPartitionId** | Data Partition ID | string | - | yes |
|**bootstrap.infra.secret.keycloakIndexer** | Indexer service account secret in Keycloak| string | - | yes |
|**bootstrap.infra.secret.keycloakCatalog** | Catalog service account secret in Keycloak | string | - | yes |
|**bootstrap.infra.secret.keycloakConversion** | Conversion service account secret in Keycloak | string | - | yes |
|**bootstrap.infra.secret.keycloakSchema** | Schema service account secret in Keycloak | string | - | yes |
|**bootstrap.infra.secret.keycloakLegal** | Legal service account secret in Keycloak | string | - | yes |
|**bootstrap.infra.secret.keycloakEntitelements** | Entitelements service account secret in Keycloak | string | - | yes |
|**bootstrap.infra.secret.postgresqlUser** | User for postgresql bootstrap part | string | postgres | no |
|**bootstrap.infra.secret.postgresqlPort** | Port of PostgreSQL | string | 5432 | no |
|**bootstrap.infra.secret.postgresqlFileLocationKind** | Name of database for File service | string | FileLocationsOsm | yes |
|**elasticsearch.security.elasticPassword** | Password for "elastic" user | string | - | yes|
|**elasticsearch.security.tls.autoGenerated** | Create self-signed TLS certificates | boolean | true | yes|
|**elasticsearch.security.tls.master.existingSecret** | Existing secret containing the certificates for the master nodes in Kubernetes | string | - | no<sup>2<sup>|
|**elasticsearch.security.tls.data.existingSecret** | Existing secret containing the certificates for the data nodes in Kubernetes| string | - | no<sup>2<sup>|
|**elasticsearch.security.tls.coordinating.existingSecret** | Existing secret containing the certificates for the coordinating nodes in Kubernetes | string | - | no<sup>2<sup>|
|**domain.name** | DNS name of OSDU installation | string | "example.com" | yes|
|**domain.tls.enabled** | If true - allow https access | boolean | false | yes|
|**domain.tls.credentialName** | Secret name that contains TLS certificate | string | "ingress-tls" | yes|
|**keycloak.enabled** | If true install Keycloak | boolean | true | yes|
|**keycloak.auth.adminPassword** | Keycloak administrator password for the user | string | - | no |
|**keycloak.keycloakURL** | Defines URL to keycloak ui. | string | keycloak.example.com | yes|
|**keycloak.keycloakRealmName** | Defines realm name. | string | osdu | yes|
|**keycloak.service.type** | Defines type of service to expose Keycloak | string | ClusterIP | yes|
|**keycloak.postgresql.enabled** | Deploy and use separate PostgreSQL service for Keycloak| boolean | false | no |
|**keycloak.externalDatabase.host** | host of the external database | string | keycloak-postgresql.default.svc.cluster.local | no |
|**keycloak.externalDatabase.user** | user of the external database | string | keycloak | yes<sup>3<sup> |
|**keycloak.externalDatabase.password** | user's password of the external database | string | - | yes<sup>3<sup>|
|**keycloak.externalDatabase.database** | PostgreSQL database for Keycloak | string | keycloak | yes<sup>3<sup> |
|**keycloak-postgresql.enabled** | If true install PostgreSQL database for Keycloak | boolean | true | yes|
|**keycloak-postgresql.global.postgresql.auth.postgresPassword** | Password for "postgres" user | string | - | no |
|**keycloak-postgresql.global.postgresql.auth.username** | Keycloak PostgreSQL username | string | keycloak | yes |
|**keycloak-postgresql.global.postgresql.auth.password** | Keycloak PostgreSQL password | string | - | yes |
|**keycloak-postgresql.global.postgresql.auth.database** | Keycloak PostgreSQL database | string | keycloak | yes |
|**minio.enabled** | If true install the MinIO service | boolean | true | yes|
|**minio.auth.rootUser** | MinIO root user name | string | - | yes|
|**minio.auth.rootPassword** | MinIO root user password (at least 8 characters) | string | - | yes|
|**minio.ingress.enabled** | MinIO console (UI) ingress | boolean | true | yes|
|**minio.ingress.hostname** | MinIO console hostname | string | "minio-console.example.com" | yes<sup>1<sup>|
|**minio.ingress.path** | MinIO console path | string | "/*" | yes<sup>1<sup>|
|**rabbitmq.enabled** | If true install the RabbitMQ service | boolean | true | yes|
|**rabbitmq.auth.username** | RabbitMQ user name | string | - | yes|
|**rabbitmq.auth.password** | RabbitMQ user password | string | - | yes|
|**rabbitmq.auth.erlangCookie** | RabbitMQ Erlang cookie | string | - | no<sup>2<sup>|
|**rabbitmq.ingress.enabled** | RabbitMQ ingress | boolean | false | yes|
|**rabbitmq.auth.erlangCookie** | RabbitMQ Erlang cookie | string | - | no<sup>4<sup>|
|**postgresql.enabled** | If true install PostgreSQL | boolean | true | yes|
|**postgresql.global.postgresql.auth.postgresPassword** | Password for "postgres" user | string | - | yes |
|**postgresql.global.postgresql.auth.username** | PostgreSQL username | string | - | no |
|**postgresql.global.postgresql.auth.password** | PostgreSQL password | string | - | no |
|**postgresql.global.postgresql.auth.database** | PostgreSQL database | string | postgres | no |
|**bootstrap.infra.secret.data_partition_id** | Data Partition ID | string | - | yes |
|**bootstrap.infra.secret.postgresqlUser** | User for postgresql bootstrap part | string | postgres | no |
|**bootstrap.infra.secret.postgresqlPort** | Port of PostgreSQL | string | 5432 | no |
|**bootstrap.infra.secret.postgresqlFileLocationKind** | Name of database for File service | string | FileLocationsOsm | yes |
|**bootstrap.infra.image.repository** | Repository of bootstrap image| string | - | yes |
|**bootstrap.infra.image.tag** | Tag of bootstrap image | string | - | yes |
|**keycloak-postgresql.enabled** | If true install PostgreSQL database for Keycloak | boolean | true | yes|
|**keycloak-postgresql.global.postgresql.auth.postgresPassword** | Password for "postgres" user | string | - | no |
|**keycloak-postgresql.global.postgresql.auth.username** | Keycloak PostgreSQL username | string | keycloak | no |
|**keycloak-postgresql.global.postgresql.auth.password** | Keycloak PostgreSQL password | string | - | yes |
|**keycloak-postgresql.global.postgresql.auth.database** | Keycloak PostgreSQL database | string | keycloak | no |
|**airflow-postgresql.enabled** | If true install PostgreSQL database for Airflow | boolean | true | yes|
|**airflow-postgresql.global.postgresql.auth.postgresPassword** | Password for "postgres" user | string | - | no |
|**airflow-postgresql.global.postgresql.auth.username** | Airflow PostgreSQL username | string | airflow | no |
|**airflow-postgresql.global.postgresql.auth.password** | Airflow PostgreSQL password | string | - | yes |
|**airflow-postgresql.global.postgresql.auth.database** | Airflow PostgreSQL database | string | airflow | no |
|**elasticsearch.security.elasticPassword** | Password for "elastic" user | string | - | yes|
|**elasticsearch.security.tls.autoGenerated** | Create self-signed TLS certificates | boolean | true | yes|
|**elasticsearch.security.tls.master.existingSecret** | Existing secret containing the certificates for the master nodes in Kubernetes | string | - | no<sup>3<sup>|
|**elasticsearch.security.tls.data.existingSecret** | Existing secret containing the certificates for the data nodes in Kubernetes| string | - | no<sup>3<sup>|
|**elasticsearch.security.tls.coordinating.existingSecret** | Existing secret containing the certificates for the coordinating nodes in Kubernetes | string | - | no<sup>3<sup>|
|**keycloak.enabled** | If true install Keycloak | boolean | true | yes|
|**keycloak.service.type** | Defines type of service to expose Keycloak | string | LoadBalancer | yes|
|**keycloak.auth.adminUser** | Keycloak administrator user | string | user | no |
|**keycloak.auth.adminPassword** | Keycloak administrator password for the new user | string | - | no |
|**keycloak.ingress.enabled** | Keycloak UI ingress | boolean | true | yes|
|**keycloak.ingress.hostname** | Keycloak console hostname | string | "keycloak.example.com" | yes<sup>4<sup>|
|**keycloak.ingress.path** | Keycloak console path | string | "/*" | yes<sup>4<sup>|
|**keycloak.postgresql.enabled** | Deploy and use separate PostgreSQL service for Keycloak| boolean | false | no |
|**keycloak.externalDatabase.host** | host of the external database | string | keycloak-postgresql.default.svc.cluster.local | no |
|**keycloak.externalDatabase.user** | user of the external database | string | keycloak | no<sup>5<sup> |
|**keycloak.externalDatabase.password** | user's password of the external database | string | - | yes<sup>5<sup>|
|**keycloak.externalDatabase.database** | PostgreSQL database for Keycloak | string | keycloak | no<sup>5<sup> |
|**airflow.enabled** | If true install Airflow | boolean | true | yes|
|**airflow.ingress.enabled** | Airflow UI ingress | boolean | true | yes|
|**airflow.ingress.web.host** | Airflow console hostname | string | "airflow.example.com" | yes<sup>6<sup>|
|**airflow.postgresql.enabled** | Deploy and use separate PostgreSQL service for Airflow | boolean | false | no |
|**airflow.externalDatabase.host** | host of the external database | string | airflow-postgresql.default.svc.cluster.local | no |
|**airflow.externalDatabase.user** | user of the external database | string | keycloak | no<sup>7<sup> |
|**airflow.externalDatabase.password** | user's password of the external database | string | - | yes<sup>7<sup>|
|**airflow.externalDatabase.database** | PostgreSQL database for Airflow | string | keycloak | no<sup>7<sup> |
> 1: If minio.ingress.enabled=false this variable is not required.
>
> 2: RabbitMQ Erlang cookie to determine whether different nodes are allowed to communicate with each other. It is not required for installing (will be generated a random 32 character long alphanumeric string), **but needed for upgrading**. If no value was set, you can use following command to obtain Erlang cookie:
>
> `kubectl get secret osdu-gcp-onprem-rabbitmq -o jsonpath="{.data.rabbitmq-erlang-cookie}" | base64 --decode`
> 1: Use the same user, password and database as Airflow PostgreSQL.
>
> 3: If elasticsearch.security.tls.autoGenerated=false, this variable is required.
> 2: If elasticsearch.security.tls.autoGenerated=false, this variable is required.
>
> 4: If keycloak.ingress.enabled=false this variable is not required.
> 3: Use the same user, password and database as `keycloak-postgresql.global.auth.username`, `keycloak-postgresql.global.auth.password`, `keycloak-postgresql.global.auth.database`.
>
> 5: Use the same user, password and database as Keycloak PostgreSQL.
> 4: RabbitMQ Erlang cookie to determine whether different nodes are allowed to communicate with each other. It is not required for installing (will be generated a random 32 character long alphanumeric string), **but needed for upgrading**. If no value was set, you can use following command to obtain Erlang cookie:
>
> 6: If keycloak.ingress.enabled=false this variable is not required.
> `kubectl get secret osdu-gcp-onprem-rabbitmq -o jsonpath="{.data.rabbitmq-erlang-cookie}" | base64 --decode`
>
> 7: Use the same user, password and database as Airflow PostgreSQL.
### **Be careful!** Helm installs services to the current kube config context
**Switch to the required kube config context**
......@@ -113,11 +108,12 @@ To provision this Chart, run the following from within this directory:
This command verifies that the required charts, as expressed in 'Chart.yaml',
are present in 'charts/' and are at an acceptable version. It will pull down
the latest charts that satisfy the dependencies, and clean up old dependencies.
- `helm install osdu-gcp-onprem . --wait`
Installs a Helm chart.
As a result you will get provisioned infrastructure.
### Obtain minIO console ip address
- `helm upgrade --install osdu-onprem . --wait`
Installs a Helm chart.As a result you will get provisioned infrastructure.
~### Obtain minIO console ip address~
- `kubectl get ingress osdu-gcp-onprem-minio -o jsonpath={.status.loadBalancer.ingress}` if after executing the command you did not see the ip address, try to execute it a little later.
MinIO is available under path `IP_ADDRESS/api/minio`.
......@@ -132,7 +128,7 @@ As a result you will get provisioned infrastructure.
### Check connection to PostgreSQL
Extract the password of the Database and save it as an environmental variable if you didn't provide any value to the postgresql.global.postgresql.postgresqlPassword variable.
- `export POSTGRES_PASSWORD=$(kubectl get secret --namespace default postgresql-db -o jsonpath="{.data.postgresql-password}" | base64 --decode)`
- `export POSTGRES_PASSWORD=$(kubectl get secrets osdu-gcp-onprem-infra-job-secret --namespace <namespace> -o jsonpath="{.data.POSTGRESQL_PASSWORD}" | base64 -d)`
Check connection to PostgreSQL from test pod.
- `kubectl run postgresql-test-client --rm --tty -i --restart='Never' --namespace default --image docker.io/bitnami/postgresql:11.11.0-debian-10-r31 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql-db -U postgres -d postgres -p 5432`
......@@ -155,18 +151,16 @@ Example of output message after previous command if you use default variables.
### Check connection to Keycloak
Used Keycloak chart deploys its own PostgreSQL database.
Currently, to expose Keycloak it's own ingress is used. To get ip of ingress of ingress use:
`kubectl get ingress osdu-gcp-onprem-keycloak -o jsonpath={.status.loadBalancer.ingress}`
In case of available Istio Ingress Gateway - Keycloak is reachable via path `<ingress_gateway_url>/api/keycloak`.
Used Keycloak chart deploys external PostgreSQL database.
Currently, to expose Keycloak istio ingress is used. To get ip use:
`kubectl -n istio-gateway get svc istio-ingressgateway -o jsonpath={.status.loadBalancer.ingress[].ip}`
To access Keycloak through port-forwarding (when service type is ClusterIP) use:
```sh
$ export SERVICE_PORT=$(kubectl get --namespace <namespace> -o jsonpath="{.spec.ports[0].port}" services keycloak)
$ kubectl port-forward --namespace <namespace> svc/keycloak ${SERVICE_PORT}:${SERVICE_PORT} &
$ echo "http://127.0.0.1:${SERVICE_PORT}/auth"
$ SERVICE_PORT=$(kubectl get --namespace <namespace> -o jsonpath="{.spec.ports[0].port}" services osdu-gcp-onprem-keyc)
$ kubectl port-forward --namespace <namespace> svc/osdu-gcp-onprem-keyc :${SERVICE_PORT}
curl http://127.0.0.1:<port from output>/auth
```
To get Keycloak admin user password run:
`kubectl get secret --namespace <namespace> keycloak -o jsonpath="{.data.admin-password}" | base64 --decode`
`kubectl get secrets osdu-gcp-onprem-infra-job-secret --namespace <namespace> -o jsonpath="{.data.KEYCLOAK_ADMIN_PASSWORD}" | base64 --decode`
......@@ -17,3 +17,12 @@ data:
POSTGRESQL_DATABASE: "{{ .Values.postgresql.global.postgresql.auth.database | b64enc }}"
DATA_PARTITION_ID: "{{ .Values.bootstrap.infra.secret.dataPartitionId | b64enc }}"
POSTGRESQL_FILE_LOCATION_KIND: "{{ .Values.bootstrap.infra.secret.postgresqlFileLocationKind | b64enc }}"
KEYCLOAK_REALM_NAME: "{{ .Values.keycloak.keycloakRealmName | b64enc }}"
KEYCLOAK_SERVICE_URL: "{{ .Values.keycloak.keycloakURL | b64enc }}"
KEYCLOAK_ADMIN_PASSWORD: "{{ .Values.keycloak.auth.adminPassword | b64enc }}"
KEYCLOAK_INDEXER_CLIENT_SECRET: "{{ .Values.bootstrap.infra.secret.keycloakIndexer | b64enc }}"
KEYCLOAK_CATALOG_CLIENT_SECRET: "{{ .Values.bootstrap.infra.secret.keycloakCatalog | b64enc }}"
KEYCLOAK_CONVERSION_CLIENT_SECRET: "{{ .Values.bootstrap.infra.secret.keycloakConversion | b64enc }}"
KEYCLOAK_SCHEMA_CLIENT_SECRET: "{{ .Values.bootstrap.infra.secret.keycloakSchema | b64enc }}"
KEYCLOAK_LEGAL_CLIENT_SECRET: "{{ .Values.bootstrap.infra.secret.keycloakLegal | b64enc }}"
KEYCLOAK_ENTITELEMENTS_CLIENT_SECRET: "{{ .Values.bootstrap.infra.secret.keycloakEntitelements | b64enc }}"
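Review bot: Each new key is rendered with a plain `| b64enc`, so a client secret left at its values.yaml default of `""` becomes an empty Secret entry and the mistake only surfaces when the job's `validate-env.sh` runs; for the values the README marks as required, `{{ required "bootstrap.infra.secret.keycloakIndexer is required" .Values.bootstrap.infra.secret.keycloakIndexer | b64enc }}` fails `helm install` immediately with a clear message. The same applies to the other five `*_CLIENT_SECRET` keys and to `KEYCLOAK_ADMIN_PASSWORD`. The `data:` block starts above this hunk.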
{{- if .Values.keycloak.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: "{{ .Release.Name }}-keycloak"
namespace: {{ .Release.Namespace }}
spec:
hosts:
- "keycloak.{{ .Values.domain.name }}"
gateways:
- "{{ .Values.istio.gateway }}"
http:
- match:
- uri:
prefix: "/"
route:
- destination:
port:
number: 80
host: "keycloak"
{{- end }}
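Review bot: The single route matches `prefix: "/"` on `keycloak.{{ .Values.domain.name }}`, so everything Keycloak serves, including the admin console and admin REST API under `/auth/admin` and the master realm, is reachable through `{{ .Values.istio.gateway }}`; if that gateway is internet-facing, add a match that restricts `/auth/admin` to internal sources (or omits it) and routes only the realm endpoints the services need. The destination `host: "keycloak"` relies on `fullnameOverride: "keycloak"` in values.yaml, which is worth a comment next to the route, e.g. `# host must match keycloak.fullnameOverride in values.yaml`. An identical manifest appears in the next section; whichever of the two is the new file, this note applies once.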
{{- if .Values.keycloak.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: "{{ .Release.Name }}-keycloak"
namespace: {{ .Release.Namespace }}
spec:
hosts:
- "keycloak.{{ .Values.domain.name }}"
gateways:
- "{{ .Values.istio.gateway }}"
http:
- match:
- uri:
prefix: "/"
route:
- destination:
port:
number: 80
host: "keycloak"
{{- end }}
......@@ -74,18 +74,6 @@ postgresql:
ingress:
enabled: false
keycloak-postgresql:
enabled: true
fullnameOverride: "keycloak-postgresql"
global:
postgresql:
auth:
postgresPassword: ""
username: "keycloak"
password: ""
database: "keycloak"
replicaCount: 1
airflow-postgresql:
enabled: true
fullnameOverride: "airflow-postgresql"
......@@ -124,14 +112,12 @@ elasticsearch:
keycloak:
enabled: true
fullnameOverride: "keycloak"
service:
type: ClusterIP
auth:
adminPassword: ""
ingress:
enabled: true
hostname: "keycloak.example.com"
path: "/*"
keycloakURL: "keycloak.example.com" # internal dns example osdu-onprem-keycloak.default.svc.cluster.local
keycloakRealmName: "osdu"
service:
type: ClusterIP
postgresql:
enabled: false
externalDatabase:
......@@ -139,6 +125,18 @@ keycloak:
user: "keycloak"
password: ""
database: "keycloak"
keycloak-postgresql:
enabled: true
fullnameOverride: "keycloak-postgresql"
global:
postgresql:
auth:
postgresPassword: ""
username: "keycloak"
password: ""
database: "keycloak"
replicaCount: 1
airflow:
enabled: true
......@@ -153,13 +151,19 @@ airflow:
bootstrap:
infra:
secret:
dataPartitionId: ""
minioHost: "" # example http://osdu-minio
minioPort: "9000"
minioAccessKey: ""
minioSecretKey: ""
minioServiceUserPassword: ""
minioDataUserPassword: ""
dataPartitionId: ""
keycloakIndexer: ""
keycloakCatalog: ""
keycloakConversion: ""
keycloakSchema: ""
keycloakLegal: ""
keycloakEntitelements: ""
postgresqlUser: "postgres"
postgresqlPort: "5432"
postgresqlFileLocationKind: "FileLocationsOsm" # use instead of file_locations_osm in application-anthos.properties in file service
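Review bot: `keycloak.auth.adminPassword` stays `""` while the same value now feeds `KEYCLOAK_ADMIN_PASSWORD` in the bootstrap job secret; if the Keycloak subchart generates a random admin password when this field is empty (its usual behaviour, to be confirmed), the bootstrap job authenticates with an empty string and fails, so this value should be documented as required for the bootstrap, or the job should read the subchart's generated secret instead. `keycloakURL` defaults to `keycloak.example.com` although the inline comment describes the in-cluster DNS name; because the bootstrap script talks to `http://$KEYCLOAK_SERVICE_URL/auth` from inside the cluster, a service-name default (the comment's `osdu-onprem-keycloak.default.svc.cluster.local` form) keeps the admin login off the public ingress. The six new `keycloak*` client secrets are empty placeholders as well and are validated only at job run time.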