Kubernetes Installation
This section shows how to set up mID Provider using the Helm chart.
Prerequisites
- Docker
- Kubernetes version 1.17-1.20
- kubectl
- Helm version 3.2.x
- An imagePullSecret providing access to the relevant kobil/ repositories at Docker Hub. Create the Secret from the registry credentials on the command line (see "Install Docker registry pull secrets" below).
- A TLS certificate and key for the corresponding domain name, Base64 encoded where the chart expects inline values (see "Prepare base64 values for certs/keys/truststores" below).
Verify the installed prerequisites with the following commands.
Kubernetes
kubectl version --client
The command prints something like:
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-21T14:51:23Z", GoVersion:"go1.14.3", Compiler:"gc", Platform:"darwin/amd64"}
Helm
helm version
The command prints something like:
version.BuildInfo{Version:"v3.6+unreleased", GitCommit:"efe2638f87b597403f34009e1029a6f0b44db8f2", GitTreeState:"clean", GoVersion:"go1.16.6"}
Installing the Chart
The steps below install the chart under the release name RELEASE-NAME. First add the KOBIL chart repository; the credentials are those issued for https://charts.kobil.com and, when passed as flags, are recorded in the shell history:
$ helm repo add kobil https://charts.kobil.com --username <USERNAME> --password <PASSWORD>
$ helm repo update
Install Redis
The chart reaches Redis through ssms.redis.host and ssms.redis.password. The release name idp-redis makes the Bitnami chart create the Service idp-redis-master, which the IDP chart is pointed at below; the password chosen here must also be passed as ssms.redis.password, whose default "password" is a placeholder.
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm repo update
$ export REDIS_PASSWORD=<PASS>
$ helm install idp-redis \
    --set auth.password=$REDIS_PASSWORD \
    bitnami/redis
Install Docker registry pull secrets
The Secret name registry-secret is the default entry of global.imagePullSecrets. <your-registry-server> must be the registry that hosts the images referenced in values.yaml.
$ kubectl create secret docker-registry registry-secret --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword>
Install TLS certificates
idp-ingress-tls is the default ingress.tlsSecret and must cover api.<domain> and *.api.<domain>. With appLoginFrontend.enabled (the default), a second Secret named as in appLoginFrontend.ingress.tlsSecret (default applogin-ingress-tls) covering applogin.<domain> is needed; create it the same way.
$ kubectl create secret tls idp-ingress-tls --cert=path/to/cert/file --key=path/to/key/file
Prepare base64 values for certs/keys/truststores
Values such as gateway.keys.*, ssms.truststore and keycloak.keystore take the Base64 encoding of the file as a single line. The -i flag below is the macOS base64 input flag; GNU coreutils base64 wraps its output at 76 columns, so on Linux use base64 -w 0 <filename> instead.
$ base64 -i <filename>
Install Keycloak
This installs the IDP chart (Keycloak, the SSMS services, the gateway and the app login frontend) with the custom values file. Pass the Redis password chosen above so that ssms.redis.password matches it.
$ helm install -f <path/to/custom/values.yaml> RELEASE-NAME kobil/idp \
    --version <CHART_VERSION> \
    --set ssms.redis.host=idp-redis-master \
    --set ssms.redis.password=$REDIS_PASSWORD
Install Ingress Controller
The chart's ingress resources use the ingress class nginx (global.ingress.class). Add the ingress-nginx repository first and use a release name distinct from the IDP release. With type ClusterIP plus externalIPs, traffic to EXTERNAL_IP must be routed to a cluster node.
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
$ helm repo update
$ helm install ingress-nginx ingress-nginx/ingress-nginx \
    --set controller.service.externalIPs={EXTERNAL_IP} \
    --set controller.service.type=ClusterIP
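Putting the steps above together, as an added example that is not part of the KOBIL chart or its documentation: a POSIX shell script that takes credentials from environment variables instead of command-line placeholders, encodes files as single-line Base64 on both GNU and macOS, writes an override values.yaml from the parameters listed under Configuration, and refuses to proceed while that file still carries the chart's placeholder defaults. The environment variable names, the release names idp and ingress-nginx, and the file name values-override.yaml are assumptions; the chart keys and Secret names are the ones documented on this page.

```shell
#!/bin/sh
# Added example (not KOBIL's code): drives the installation steps on this page.
# Assumed inputs: DOMAIN, HELM_REPO_USER, HELM_REPO_PASS, REGISTRY_SERVER,
# REGISTRY_USER, REGISTRY_PASS, TLS_CERT, TLS_KEY, ADMIN_PASSWORD,
# REDIS_PASSWORD, DB_HOST, DB_PASSWORD, CHART_VERSION, EXTERNAL_IP.
set -eu

# Encode FILE as Base64 on a single line. GNU base64 wraps at 76 columns and
# that newline would corrupt a YAML scalar; macOS base64 does not wrap.
# Stripping newlines behaves identically on both.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Write an override values.yaml to OUT with the keys from the Configuration
# table. Passwords are double-quoted and therefore must not contain '"'.
write_values() {
    out=$1 domain=$2 admin_pw=$3 redis_pw=$4 db_host=$5 db_pw=$6
    cat > "$out" <<EOF
global:
  imagePullSecrets:
    - registry-secret
  ingress:
    domain: ${domain}
  idp:
    adminUser:
      username: admin
      password: "${admin_pw}"
ingress:
  tlsSecret: idp-ingress-tls
appLoginFrontend:
  ingress:
    tlsSecret: applogin-ingress-tls
ssms:
  redis:
    host: idp-redis-master
    password: "${redis_pw}"
keycloak:
  db:
    host: "${db_host}"
    password: "${db_pw}"
EOF
}

# Succeed only if FILE contains none of the chart's placeholder defaults
# (password "password", domain idp.local, database host "hostname").
check_no_placeholders() {
    ! grep -qE 'password: "?password"?$|domain: idp\.local$|host: "?hostname"?$' "$1"
}

# Perform the kubectl/helm steps; only called with the "apply" argument.
install_all() {
    write_values values-override.yaml "$DOMAIN" "$ADMIN_PASSWORD" \
        "$REDIS_PASSWORD" "$DB_HOST" "$DB_PASSWORD"
    check_no_placeholders values-override.yaml || {
        echo "values-override.yaml still contains placeholder defaults" >&2
        return 1
    }
    # Pull secret: the server must be the registry the image values point at.
    kubectl create secret docker-registry registry-secret \
        --docker-server="$REGISTRY_SERVER" \
        --docker-username="$REGISTRY_USER" --docker-password="$REGISTRY_PASS"
    # One certificate covering api.<domain>, *.api.<domain> and
    # applogin.<domain>, stored under both Secret names the chart reads.
    kubectl create secret tls idp-ingress-tls --cert="$TLS_CERT" --key="$TLS_KEY"
    kubectl create secret tls applogin-ingress-tls --cert="$TLS_CERT" --key="$TLS_KEY"

    helm repo add kobil https://charts.kobil.com \
        --username "$HELM_REPO_USER" --password "$HELM_REPO_PASS"
    helm repo add bitnami https://charts.bitnami.com/bitnami
    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update
    # Release name idp-redis yields the Service idp-redis-master used in values.
    helm install idp-redis bitnami/redis --set auth.password="$REDIS_PASSWORD"
    helm install idp kobil/idp --version "$CHART_VERSION" -f values-override.yaml
    helm install ingress-nginx ingress-nginx/ingress-nginx \
        --set "controller.service.externalIPs={${EXTERNAL_IP}}" \
        --set controller.service.type=ClusterIP
}

# Without "apply" the script only defines the helpers, so it can be sourced
# to call b64_oneline on a certificate or truststore.
if [ "${1:-}" = "apply" ]; then
    install_all
fi
```

Run as `sh install-idp.sh apply` to install; without the argument it only defines the helper functions. Passing the passwords through the environment keeps them out of the shell history, but kubectl and helm still receive them as process arguments, visible in `ps` on the machine running the script.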
Uninstalling the Chart
To uninstall/delete the RELEASE-NAME deployment (helm delete is an alias):
$ helm uninstall RELEASE-NAME
The Secrets created with kubectl (registry-secret, idp-ingress-tls) and the separate idp-redis and ingress controller releases are not removed by this and stay in the cluster until deleted the same way.
Configuration
| Parameter | Description | Default |
|---|---|---|
| global.imagePullSecrets | Global Docker registry secret names as an array | [registry-secret] |
| global.logging.level | Global log level affecting multiple services. Possible values are INFO, WARN, DEBUG, ERROR | INFO |
| global.ingress.enabled | Deploy ingress resources | true |
| global.ingress.class | Ingress class name used by the ingress controller | nginx |
| global.ingress.domain | Base domain name for all ingress hosts | idp.local |
| global.ingress.sslRedirect | Determines whether HTTP requests to IDP services are automatically redirected to HTTPS | true |
| global.idp.adminUser.username | IDP admin username. Used for UI access at https://master.api.{{.Values.global.ingress.domain}}/auth and https://master.dashboard.{{.Values.global.ingress.domain}} | admin |
| global.idp.adminUser.password | IDP admin password (placeholder, must be changed) | password |
| ingress.tlsSecret | Name of the TLS Secret for the domains api.{{.Values.global.ingress.domain}} and *.api.{{.Values.global.ingress.domain}} | idp-ingress-tls |
| ssms.cloudPooler.replicas | Number of replicas for the cloud pooler | 1 |
| ssms.cloudConnector.replicas | Number of replicas for the SSMS connector | 1 |
| gateway.replicas | Number of replicas for the API gateway | 1 |
| appLoginFrontend.enabled | Deploy the app login frontend. Used for token based login. | true |
| appLoginFrontend.ingress.tlsSecret | Name of the TLS Secret for the domain applogin.{{.Values.global.ingress.domain}} | applogin-ingress-tls |
| appLoginFrontend.replicas | Number of replicas for the app login frontend | 1 |
| keycloak.umaUseInternalUrl | Controls whether UMA tickets are requested from the internal or the external URL | false |
| keycloak.replicas | Number of replicas for Keycloak | 1 |
| keycloak.hpa.enabled | Enable deployment of an HPA | false |
| keycloak.hpa.minReplicas | Minimum number of replicas when using the HPA | 2 |
| keycloak.hpa.maxReplicas | Maximum number of replicas when using the HPA | 4 |
| keycloak.env.defaultTheme | Theme to use for login pages | kobil |
| keycloak.env.welcomeTheme | Theme to use for the welcome page | kobil |
| keycloak.db.ensurePostgresDB | Autocreate the database required for Keycloak. Only postgres is supported. The provided user must have sufficient rights. | false |
| keycloak.db.vendor | Database type. Supported values are postgres and oracle | postgres |
| keycloak.db.host | Database hostname | hostname |
| keycloak.db.port | Database port | 5432 |
| keycloak.db.database | Database name | iam_db |
| keycloak.db.user | Database user | postgres |
| keycloak.db.password | Database password (placeholder, must be changed) | password |
| keycloak.themes | Additional themes as an array | nil |
Default values.yaml of the idp chart. Any of these values can be overridden in a custom values file or with --set. The passwords (global.idp.adminUser.password, ssms.redis.password, keycloak.db.password) and keycloak.db.host are placeholders and must be replaced before installing.
nameOverride: ""
fullnameOverride: ""
global:
  imagePullSecrets:
    - registry-secret
  ingress:
    enabled: true
    class: nginx
    domain: idp.local
    sslRedirect: true
  logging:
    level: INFO
  idp:
    adminUser:
      username: "admin"
      password: "password"
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
disableSSL: "true"
enableTenant: "true"
enableTlsClientAuth: false
gateway:
  replicas: 1
  image: bitnami/nginx:1.20.1
  startupProbe:
    periodSeconds: 10
    failureThreshold: 40
  livenessProbe:
    initialDelaySeconds: 20
    periodSeconds: 10
    failureThreshold: 3
    timeoutSeconds: 5
  readinessProbe:
    initialDelaySeconds: 25
    periodSeconds: 10
    failureThreshold: 3
    timeoutSeconds: 5
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "2Gi"
      cpu: "1"
  keys:
    dhparam: ""
    sslCrt: ""
    sslKey: ""
    caCrt: ""
    
ssms:
  truststore: ""
  cloudPooler:
    logging:
      #Supported values are: ALL, INFO, WARN, ERROR
      level: INFO
    replicas: 1
    image: kobilsystems.azurecr.io/idp/ssms-pooler:2.2.0
    livenessProbe:
      initialDelaySeconds: 20
      periodSeconds: 10
      failureThreshold: 1
      timeoutSeconds: 5
    resources:
      requests:
        memory: "200Mi"
        cpu: "50m"
      limits:
        memory: "2Gi"
        cpu: "1"
  cloudConnector:
    logging:
      #Supported values are: ALL, INFO, WARN, ERROR
      level: INFO
    replicas: 1
    image: kobilsystems.azurecr.io/idp/ssms-connector:2.2.0
    livenessProbe:
      initialDelaySeconds: 40
      periodSeconds: 15
      failureThreshold: 2
      timeoutSeconds: 5
    resources:
      requests:
        memory: "550Mi"
        cpu: "50m"
      limits:
        memory: "3Gi"
        cpu: "1"
    keystore: ""
  svc:
    hostname: ssms-services
  mgt:
    hostname: ssms-management
  redis:
    host: idp-redis
    port: 6379
    password: "password"
appLoginFrontend:
  enabled: true
  replicas: 1
  ingress:
    tlsSecret: applogin-ingress-tls
    hostLabel: applogin
  image: kobilsystems.azurecr.io/idp/preface:1.1.1
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "2Gi"
      cpu: "1"
  defaultTenantName: ''
  profileSubdomain: "profile"
keycloak:
  # Controls if UMA tickets are requested from internal or external URL. 
  # Using internal URL improves performance, since requests don't go 
  # through reverse proxy. Before setting to true, ensure that setting 
  # `issuerUrls: https://{realm}.{{ .Values.ingress.hostLabel }}.{{ .Values.global.ingress.domain }}/auth/realms/{realm}` 
  # is applied in MASTER realm settings. E.g. `issuerUrls: https://{realm}.api.example.com/auth/realms/{realm}` 
  umaUseInternalUrl: false
  terminationGracePeriodSeconds: 60
  logging:
    #Supported values are ALL, DEBUG, ERROR, FATAL, INFO, OFF, TRACE and WARN.
    level: INFO
  replicas: 1
  #Supported values are jdbc,dns
  jgroupsDiscoveryProtocol: "jdbc"
  image: kobilsystems.azurecr.io/idp/core:1.28.2
  resources:
    requests:
      memory: "1600Mi"
      cpu: "800m"
    limits:
      memory: "2Gi"
      cpu: "1"
  init:
    image: kobilsystems.azurecr.io/idp/themes:1.0.2
  clients:
    admin:
      id: admin-cli
  env:
    defaultTheme: "kobil"
    duplicateUserCheck: "false"
    welcomeTheme: "kobil"
    loginTokenLength2FA: "8"
    # Possible values are id, name, digitaniumUserId
    defaultUserId: "id"
    mPayUrl: ""
  db:
    ensurePostgresDB: false
    host: "hostname"
    database: "iam_db"
    password: "password"
    port: "5432"
    user: "postgres"
    vendor: "postgres"
  keystore: ""
  basepath: auth
  livenessProbe:
    initialDelaySeconds: 300
    timeoutSeconds: 5
  readinessProbe:
    initialDelaySeconds: 30
    timeoutSeconds: 1
  hpa:
    enabled: false
    minReplicas: 2
    maxReplicas: 4
    cpu:
      averageUtilization: 95
    scaleUp:
      stabilizationWindowSeconds: 0
      periodSeconds: 300
    scaleDown:
      stabilizationWindowSeconds: 300
      periodSeconds: 300
  tuning:
    io:
      worker:
        ioThreads: 128 
        taskKeepalive: 120000
        taskMaxThreads: 2048 
      bufferPool:
        bufferSize: 16384
        buffersPerSlice: 128
        directBuffers: true
    datasources:
      dataSource:
        statisticsEnabled: true
        minPoolSize: 10
        maxPoolSize: 50
        poolPrefill: false
        poolUseStrictMin: false
        idleTimeoutMinutes: 30
  cache:
    # https://www.keycloak.org/docs/latest/server_installation/#cache
    # https://www.keycloak.org/docs/latest/server_installation/#cache-configuration
    # ownersCount caches- sessions, loginFailures, clientSessions, offlineSessions, offlineClientSessions, actionTokens
    # ownersAuthSessionCount caches- authenticationSessions
    ownersCount: 2
    ownersAuthSessionCount: 1 
ingress:
  tlsSecret: idp-ingress-tls
  hostLabel: api