Keycloak with PostgreSQL on Kubernetes – Coding
12 minutes learn
On this article we’ll learn to deploy Keycloak with PostgreSQL on Kubernetes. We’ll first do every little thing manually with separate YAMLs after which later with Helm. Our k8s surroundings will run in Kind, which is a straightforward to make use of k8s variant for native expermentation. The sources are situated here.
Keycloak
Keycloak is among the hottest open-source Identification and Entry Administration suppliers. It will possibly run in varied environments, from small retailers as much as big information facilities. Though this text isn’t about IAM’s usually and the way to use them, let’s present a easy definition simply to ensure we’re all on the identical web page.
An IAM is required when there’s a must outline and regulate identities and entry rights inside a company. That’s, when there are totally different events with totally different pursuits and sure assets that ought to or shouldn’t be utilized by sure events in sure methods. And to manage that is virtually at all times a very complicated job, since you want a mechanism that defines teams, roles, memberships, entry rights, authorization flows, and so forth. However you additionally want a mechanism that may delegate entry rights primarily based on person rights. For instance, you need to have the ability to permit a cell app to entry some information on a useful resource that you could already entry straight. Because the app in query isn’t you personally, you’d prefer to by some means “delegate” your entry rights to it, in order that it will probably work along with your information on your behalf.
Merely spoken: in conditions like these it’s important to cope with issues associated to authentication (who you might be), entry rights (what you are able to do), and authorization (what might be achieved in your identify). These questions are the explanation why Keycloak and related techniques exist. They provide us a straightforward to make use of graphical interface the place we are able to configure every little thing that’s wanted to supply safe entry to assets. However not solely this. You can even lengthen Keycloak to match your particular person safety settings. By writing extensions you possibly can inject items of logic into Keycloak that might be executed every time a sure safety characteristic is accessed. However we gained’t cowl writing extensions right here, so I’ll depart it for a possible future article. ????
Our Keycloak occasion might be operating in k8s and might be utilizing a PostgreSQL database which is able to run in k8s as properly. This isn’t necessary as we might additionally present a DB that’s operating exterior of k8s, however right here I needed to indicate how we are able to use PersistentVolumes and PersistentVolumeClaims to create sturdy storage options. However earlier than we run any script in that course, we want a correct k8s surroundings first. Right here we might be utilizing Type.
Type
Type is among the widespread “native kubernetes” environments. You may need heard about minikube, k3s, k3d and related options as properly. Type runs inside Docker and subsequently we should have it put in and operating earlier than we fireplace up Type. The best method is simply to put in Docker Desktop on your OS.
Relying in your OS you’ll use one of the options described within the official Type docs. After the set up we’ll setup a brand new cluster that may run our Keycloak surroundings. Until you could have a particular necessities I’d suggest to make use of the config.yml from the “type” subdirectory within the github repo. Additionally bear in mind that this config.yml incorporates patches wanted to make the deployment accessible from exterior. Please learn the official docs from Type.
type create cluster hbr-cluster --config=config.yml
kubectl cluster-info --context kind-hbr-cluster
In case you see an output just like the one proven above then every little thing was profitable up to now. The final step is the set up of an IngressController, on this case it is going to be NGINX-Ingress.
kubectl apply -f https://uncooked.githubusercontent.com/kubernetes/ingress-nginx/most important/deploy/static/supplier/type/deploy.yaml
Additional data on the general usage of Ingresses might be present in Type’s docs as properly. However for now, we’re all set and may begin with our handbook deployment.
Guide deployments with YAML
In skilled k8s environments you can be largely utilizing instruments like Helm, Kustomize and much like deploy and configure deployments. Nevertheless, for native demos or studying functions the handbook software of YAMLs information remains to be advisable. Kubernetes is complicated and it’s subsequently advisable to study a number of fundamentals first. There are a loads of superb docs on the market and the official one goes into nice lengths to elucidate each side of k8s. You need to positively learn it each day. I choose to enter some time period that pursuits me after which let the official docs information me by way of varied choices.
Out setup incorporates the next elements that might be configured with their respective YAMLs:
That is how the YAMLs appear like within the folder construction:
Namespaces
As we need to preserve these elements of our system grouped collectively we create a brand new Namespace first.
kubectl apply -f 01_namespace.yml
Secrets and techniques
We’ll outline a number of Secrets to keep up passwords and certficates which are wanted to entry our database, admin console of Keycloak, and ship TLS certificates through Ingress. For this we apply the second YAML in a row:
kubectl apply -f 02_secrets.yml
Storage
Our Postgres occasion will save its information somewhere within the k8s cluster. And since k8s treats every little thing as ephemeral (that’s, forgettable in a millisecond) we wish our information to be persistent in order that it stays even after a deployment acquired destroyed or recreated. For this job we’ll use two new k8s lessons: the bodily storage itself, PersistentVolume, and a request of a chunk of storage, PersistentVolumeClaim. Identical to a Pod requests a chunk of a Node’s assets the PersistentVolumeClaim requests a chunk of storage from a PersistentVolume. This manner we separate dealing with of (digital or bodily) {hardware} from the precise utilization. In case you can’t grasp this idea instantly, don’t fear, because it often takes a while. Attempt to consider it the identical method you consider Pods. Identical to a Pod is a unit of computing, so is a PersistentVolumeClaim a unit of storage. Identical to you possibly can run a Node whose computing assets might be cut up up between many Pods, so you possibly can have a PersistentVolume whose storage capability might be cut up up by between many PersistentVolumeClaims.
kubectl apply -f 03_storage.yml
PostgresSQL
The following in line is the set up of the database. We’ve got already outlined the storage parameters in order that our database can entry the wanted capacities. And to make it accessible from exterior we’ll outline a Service that gives a ClusterIP. Later we’ll see how we are able to use this Service to speak on to the database.
kubectl apply -f 04_postgres.yml
Keycloak
Now it’s time to put in Keycloak itself. This deployment is a little more complicated than others as a result of it not solely configures Keycloak but additionally connects with the database and executes readiness and liveness probes.
kubectl apply -f 05_keycloak.yml
Ingress
And since we wish our Keycloak to be accessible from exterior we want a correct Ingress. Right here we’re utilizing NGINX-Ingress, however you possibly can substitute it with some other that helps HTTP.
kubectl apply -f 06_ingress.yml
Kubernetes Dashboard
It is suggested to put in Kubernetes Dashboard because it supplies a pleasant web-based UI for managing k8s situations. This repo incorporates scripts situated in “kube_dashboard” folder that may set up deployments and setup ClusterRoleBindings and ServiceAccounts.
You solely must execute kubectl proxy in a separate shell afterwards to make it accessible from exterior.
To login into the UI you’d want a sound token. Use the script get_token.sh from the identical folder to generate one, then copy/paste in into the online type as proven beneath.
You’ll then be capable of show and configure k8s.
Automated deployment with Helm
A extra comfy and higher configurable possibility is doing the entire above with Helm, with only a single command. As this isn’t a Helm tutorial I gained’t be explaining it intimately. Helm is a instrument for managing k8s installations. Consider it as some form of “npm for k8s”. Identical to you should use npm to put in any NodeJS package deal for Node the identical you’ll be able to do with Helm for Kubernetes. And identical to npm packages are organized in a sure method so are Helm’s “charts” too. A chart incorporates guidelines and settings that management how k8s deployments are executed. And identical to some other package deal administration instrument Helm can also reference different charts to deploy them multi function go. There may be some minimal configuration that should be current in each Helm chart, however other than that you’re free to configure charts as you want.
Any Helm chart incorporates a Chart.yaml file that defines it.
It additionally incorporates a folder “templates” that incorporates varied YAMLs that might be used to use modifications to the k8s system. The one file that we preserve from default chart definition is _helpers.tpl. All different information are our personal.
To create a brand new chart we use: helm create CHART_NAME
Nevertheless, as we have already got a preconfigured chart in our repo there isn’t a want to try this. Simply in case you might be about to create a totally new chart you’ll then must execute the above command.
There may be additionally a YAML known as values.yaml that incorporates variables that might be inserted into YAMLs from “templates” folder. As a substitute of placing hard-coded values into each YAML, like I did within the handbook variant, we use values.yaml to outline variables that then might be referenced all through the set up of the deployment. That is an instance of 01_namespace.yml from the Helm chart:
The worth for key identify is referencing .Values.namespace. That is how we insert values into template YAMLs. The double curly braces are necessary and you must needless to say numerical values ought to by no means be quoted until you need to current them as strings. Within the above instance we’re referencing a string so the quotes are high quality. If this was a numerical worth we’d be writing it with out quotes. There are different methods to cope with information sorts which yow will discover within the Best Practices section in the official Helm docs.
Beneath is the content material of our values.yaml the place we outline values for use in our varied YAMLs. We’re free to outline any form of variable, however it’s endorsed to group them in keeping with their class and context. Additionally attempt to be in keeping with naming. So, you probably have “secrets and techniques.postgres.identify” then you definitely also needs to have “secrets and techniques.keycloak.identify” and many others.
Earlier than we attempt to set up our chart let’s do a dry-run first, lets? Simply to see if every little thing’s OK.
helm template keycloak-k8s-local keycloak-k8s-local
You need to get an output like this.
If there’s nothing for Helm to complain in regards to the consequence might be a YAML file that incorporates all parts from separate YAMLs.
Now it’s time to deploy the system! For this we invoke the set up command by referencing the chart identify and giving the identify of the deployment.
helm set up keycloak-k8s-local keycloak-k8s-local
That’s it. That’s all it takes for Helm to deploy every little thing we did manually earlier than. To uninstall the system you’d simply must challenge an uninstall command referencing the identify of the Helm deployment.
helm uninstall keycloak-k8s-local
And as promised, right here’s how one can join with the Postgres database inside your k8s surroundings. First, you must question the identify of the Pod that runs the database.
kubectl get pods -n hbr-keycloak
Copy the total identify of the Pod whose identify begins with “postgres”. Then use it as argument when executing this command:
kubectl exec -it $POD_NAME -n hbr-keycloak -- psql -h localhost -U postgres --password -p 5432 keycloak
You’ll then need to enter the password of your postgres. In the end, you must be capable of enter the psql shell.
Keycloak Admin Console
Lastly, we have now arrived at a whole Keycloak system. Our deployment might be accessed by opening the https://localhost URL. The potential certificates warning might be ignored as we deployed a self-signed certificates in our Secrets and techniques object. To logon use “admin” as each person identify and password.
That’s it for now! Within the upcoming article we’ll be speaking about Knative and the way to make k8s simpler to make use of.