Nicolas Massé 3 years ago
parent
commit
a9872f5ab1
  1. 2
      .gitignore
  2. 8
      infrastructure.yaml.sample
  3. 31
      infrastructure/templates/3scale.yaml
  4. 34
      infrastructure/templates/_helpers.tpl
  5. 12
      infrastructure/templates/apicurio.yaml
  6. 4
      infrastructure/templates/postgresql.yaml
  7. 13
      infrastructure/templates/project.yaml
  8. 295
      infrastructure/templates/sso.yaml
  9. 9
      openshift-gitops.yaml

2
.gitignore

@ -0,0 +1,2 @@
infrastructure.yaml

8
infrastructure.yaml → infrastructure.yaml.sample

@ -17,6 +17,14 @@ spec:
parameters:
- name: masterKey
value: my-secret-value
- name: googleClientId
value: CHANGEME
- name: googleClientSecret
value: CHANGEME
- name: githubClientId
value: CHANGEME
- name: githubClientSecret
value: CHANGEME
project: default
syncPolicy:
automated:
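Review bot: The four new OAuth client parameters (`googleClientId`/`googleClientSecret`, `githubClientId`/`githubClientSecret`) are passed as Argo CD Application Helm `parameters`, so in the real infrastructure.yaml they land in cleartext in the Application CR and in Argo CD's rendered-manifest cache, readable by anyone with `get` on Applications in the gitops namespace. Consider sourcing them from a Secret the chart reads (or an ignored values file referenced through `valueFiles`) rather than inline `parameters`. The unchanged `masterKey: my-secret-value` context line shows that the previously tracked infrastructure.yaml carried the master key; if that value was ever used on a real cluster it remains in git history and should be rotated, since every generated credential in `_helpers.tpl` is derived from it.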

31
infrastructure/templates/3scale.yaml

@ -10,12 +10,43 @@ spec:
name: 3scale-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
---
apiVersion: v1
kind: Secret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "10"
name: system-database
namespace: {{ .Values.projectName | quote }}
stringData:
URL: "postgresql://3scale:{{ include "3scale-database-password" . }}@postgresql-server:5432/3scale"
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "10"
name: zync
namespace: {{ .Values.projectName | quote }}
stringData:
DATABASE_URL: postgresql://zync:{{ include "zync-database-password" . }}@postgresql-server:5432/zync
ZYNC_DATABASE_PASSWORD: {{ include "zync-database-password" . | quote }}
type: Opaque
---
apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
annotations:
argocd.argoproj.io/sync-wave: "20"
name: 3scale-install
namespace: {{ .Values.projectName | quote }}
spec:
wildcardDomain: {{ .Values.threescale.wildcardDomain | quote }}
resourceRequirementsEnabled: true
externalComponents:
zync:
database: true
system:
database: true
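Review bot: `DATABASE_URL` in the `zync` Secret is an unquoted plain scalar while the equivalent `URL` in `system-database` is quoted; quote it as well, `DATABASE_URL: "postgresql://zync:{{ include "zync-database-password" . }}@postgresql-server:5432/zync"`, so the rendered value cannot be re-typed or split by YAML if the helper output ever changes. Both connection strings carry no `sslmode` parameter, so the connections to `postgresql-server` are presumably plaintext unless the server enforces TLS — worth confirming that is acceptable for this in-cluster traffic.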

34
infrastructure/templates/_helpers.tpl

@ -0,0 +1,34 @@
{{/* vim: set filetype=mustache: */}}
{{- define "postgresql-admin-password" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "postgresql-admin-password")) -}}
{{- end -}}
{{- define "sso-admin-password" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) -}}
{{- end -}}
{{- define "sso-database-password" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) -}}
{{- end -}}
{{- define "apicurio-database-password" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "apicurio-database-password")) -}}
{{- end -}}
{{- define "microcks-client-secret" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "microcks-client-secret")) -}}
{{- end -}}
{{- define "3scale-database-password" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "3scale-database-password")) -}}
{{- end -}}
{{- define "zync-database-password" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "zync-database-password")) -}}
{{- end -}}
{{- define "zync-client-secret" -}}
{{- trunc 16 (sha256sum (cat .Values.masterKey "zync-client-secret")) -}}
{{- end -}}
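Review bot: Every helper derives its credential as `trunc 16 (sha256sum (cat .Values.masterKey "<label>"))`, i.e. the first 16 hex characters (64 bits) of a single unsalted SHA-256 over `masterKey` plus a public label. Because the labels are fixed and in the repository, anyone who obtains one derived value — a leaked database password, say — can brute-force a weak `masterKey` offline and recompute every other credential, including `sso-admin-password`. At minimum keep more of the digest (`trunc 32`, or the full 64-character digest where the consumer allows it) and document in the sample values that `masterKey` must be a long random string rather than the `my-secret-value` placeholder; a real KDF, or per-secret random values held outside the chart, would be better still. The eight near-identical definitions could also collapse into one helper that takes the label as its argument, so the derivation can be hardened in one place.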

12
infrastructure/templates/apicurio.yaml

@ -19,7 +19,9 @@ spec:
protocol: TCP
targetPort: 8080
selector:
app: apicurio-studio-api
app.kubernetes.io/name: apicurio
app.kubernetes.io/component: apicurio-studio-api
app.kubernetes.io/instance: apicurio-studio-api
sessionAffinity: None
type: ClusterIP
---
@ -44,7 +46,9 @@ spec:
protocol: TCP
targetPort: 8080
selector:
app: apicurio-studio-ws
app.kubernetes.io/name: apicurio
app.kubernetes.io/component: apicurio-studio-ws
app.kubernetes.io/instance: apicurio-studio-ws
sessionAffinity: None
type: ClusterIP
---
@ -66,7 +70,9 @@ spec:
protocol: TCP
targetPort: 8080
selector:
app: apicurio-studio-ui
app.kubernetes.io/name: apicurio
app.kubernetes.io/component: apicurio-studio-ui
app.kubernetes.io/instance: apicurio-studio-ui
sessionAffinity: None
type: ClusterIP
---
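Review bot: The Service selectors now require all three `app.kubernetes.io/*` labels instead of the single `app` label; a Service whose selector matches no pods silently gets no endpoints, so the corresponding Deployment pod templates (not in this hunk) must carry exactly these three key/value pairs. Worth verifying with `oc get endpoints apicurio-studio-api -n <project>` after sync, or adding a short comment above each selector noting the label contract with the Deployment.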

4
infrastructure/templates/postgresql.yaml

@ -181,7 +181,7 @@ spec:
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 90
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
tcpSocket:
@ -201,7 +201,7 @@ spec:
-c 'SELECT 1'
failureThreshold: 3
periodSeconds: 10
initialDelaySeconds: 90
initialDelaySeconds: 30
successThreshold: 1
timeoutSeconds: 10
resources: {}

13
infrastructure/templates/project.yaml

@ -29,8 +29,11 @@ metadata:
namespace: {{ .Values.projectName | quote }}
type: Opaque
data:
postgresql-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "postgresql-admin-password")) | b64enc | quote }}
sso-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) | b64enc | quote }}
sso-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) | b64enc | quote }}
apicurio-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-apicurio-password")) | b64enc | quote }}
microcks-client-secret: {{ trunc 16 (sha256sum (cat .Values.masterKey "microcks-client-secret")) | b64enc | quote }}
postgresql-admin-password: {{ include "postgresql-admin-password" . | b64enc | quote }}
sso-admin-password: {{ include "sso-admin-password" . | b64enc | quote }}
sso-database-password: {{ include "sso-database-password" . | b64enc | quote }}
apicurio-database-password: {{ include "apicurio-database-password" . | b64enc | quote }}
microcks-client-secret: {{ include "microcks-client-secret" . | b64enc | quote }}
3scale-database-password: {{ include "3scale-database-password" . | b64enc | quote }}
zync-database-password: {{ include "zync-database-password" . | b64enc | quote }}
zync-client-secret: {{ include "zync-client-secret" . | b64enc | quote }}
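Review bot: `apicurio-database-password` is now derived from the label `apicurio-database-password` via the helper, whereas the replaced line hashed `sso-apicurio-password`, so the rendered value changes on upgrade. If an existing PostgreSQL instance already created the apicurio role with the old value, updating this Secret will not rotate the database password and Apicurio will fail to authenticate until the role is altered — presumably fine for a fresh demo, but it deserves a note. A comment on the key such as `# derivation label changed from sso-apicurio-password; existing databases must be re-seeded` would flag it for the next maintainer.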

295
infrastructure/templates/sso.yaml

@ -193,3 +193,298 @@ spec:
- name: sso-x509-jgroups-volume
secret:
secretName: sso-x509-jgroups-secret
---
apiVersion: v1
kind: ConfigMap
metadata:
annotations:
argocd.argoproj.io/sync-wave: "30"
labels:
app.kubernetes.io/name: sso
app.kubernetes.io/version: '7.6.0.GA'
app.kubernetes.io/component: kcadm
app.kubernetes.io/instance: keycloak-config-job
name: sso-configuration
namespace: {{ .Values.projectName | quote }}
data:
configure-sso.sh: |
#!/bin/bash
set -Eeuo pipefail
mkdir -p /tmp/bin
curl -sLo /tmp/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
chmod 755 /tmp/bin/jq
export PATH="/tmp/bin:/opt/jboss/keycloak/bin:$PATH"
echo "========================================================================"
echo " Connecting to Red Hat SSO"
echo "========================================================================"
echo
while ! curl -sfo /dev/null "https://$SSO_HOSTNAME/auth/realms/master/.well-known/openid-configuration"; do
echo "Red Hat SSO not ready..."
sleep 5
done
kcadm.sh config credentials --server "https://$SSO_HOSTNAME/auth" --realm master --user "$SSO_ADMIN_USERNAME" --client admin-cli --password "$SSO_ADMIN_PASSWORD"
echo
echo "========================================================================"
echo " Configuring Microcks"
echo "========================================================================"
echo
if ! kcadm.sh get realms/microcks &>/dev/null; then
echo "Creating the Microcks realm..."
curl -so /tmp/microcks-realm.json https://raw.githubusercontent.com/microcks/microcks/master/install/docker-compose/keycloak-realm/microcks-realm-sample.json
kcadm.sh create realms -f /tmp/microcks-realm.json
fi
export CLIENT_ID="$(kcadm.sh get clients -r microcks -q clientId=microcks-app-js|jq -r '.[0].id')"
echo "client microcks-app-js has id $CLIENT_ID"
kcadm.sh update "clients/$CLIENT_ID" -r microcks -s "redirectUris=[\"https://$MICROCKS_HOSTNAME/*\"]"
if ! kcadm.sh get identity-provider/instances -r microcks | jq -r .[].alias | grep -qx google; then
kcadm.sh create identity-provider/instances -r microcks -f - <<EOF
{
"alias" : "google",
"providerId" : "google",
"enabled" : true,
"updateProfileFirstLoginMode" : "on",
"trustEmail" : true,
"storeToken" : false,
"addReadTokenRoleOnCreate" : false,
"authenticateByDefault" : false,
"linkOnly" : false,
"firstBrokerLoginFlowAlias" : "first broker login",
"config" : {
"hostedDomain" : "$GOOGLE_HOSTED_DOMAIN",
"userIp" : "true",
"clientSecret" : "$GOOGLE_CLIENT_SECRET",
"clientId" : "$GOOGLE_CLIENT_ID",
"useJwksUrl" : "true"
}
}
EOF
fi
IDP_REDIRECTOR_ID=$(kcadm.sh get authentication/flows/browser/executions -r microcks |jq -r '.[]|select(.providerId == "identity-provider-redirector").id')
echo "IDP redirector id is: $IDP_REDIRECTOR_ID"
kcadm.sh create authentication/executions/$IDP_REDIRECTOR_ID/config -r microcks -f - <<EOF
{
"alias" : "google-auth",
"config" : {
"defaultProvider" : "google"
}
}
EOF
MICROCKS_ID="$(kcadm.sh get clients -r microcks -q clientId=microcks-serviceaccount|jq -r '.[0].id')"
echo "client microcks-serviceaccount has id $MICROCKS_ID"
kcadm.sh update "clients/$MICROCKS_ID" -r microcks -s "secret=$MICROCKS_CLIENT_SECRET"
echo
echo "========================================================================"
echo " Configuring Apicurio"
echo "========================================================================"
echo
if ! kcadm.sh get realms/apicurio &>/dev/null; then
echo "Creating the Apicurio realm..."
curl -so /tmp/apicurio-realm-template.json https://raw.githubusercontent.com/Apicurio/apicurio-studio/master/distro/openshift/auth/realm.json
sed "s|APICURIO_UI_URL|https://$APICURIO_UI_HOSTNAME|g" /tmp/apicurio-realm-template.json > /tmp/apicurio-realm.json
kcadm.sh create realms -f /tmp/apicurio-realm.json
fi
if ! kcadm.sh get identity-provider/instances -r apicurio | jq -r .[].alias | grep -qx google; then
kcadm.sh create identity-provider/instances -r apicurio -f - <<EOF
{
"alias" : "google",
"providerId" : "google",
"enabled" : true,
"updateProfileFirstLoginMode" : "on",
"trustEmail" : true,
"storeToken" : false,
"addReadTokenRoleOnCreate" : false,
"authenticateByDefault" : false,
"linkOnly" : false,
"firstBrokerLoginFlowAlias" : "first broker login",
"config" : {
"hostedDomain" : "$GOOGLE_HOSTED_DOMAIN",
"userIp" : "true",
"clientSecret" : "$GOOGLE_CLIENT_SECRET",
"clientId" : "$GOOGLE_CLIENT_ID",
"useJwksUrl" : "true"
}
}
EOF
fi
IDP_REDIRECTOR_ID=$(kcadm.sh get authentication/flows/browser/executions -r apicurio |jq -r '.[]|select(.providerId == "identity-provider-redirector").id')
echo "IDP redirector id is: $IDP_REDIRECTOR_ID"
kcadm.sh create "authentication/executions/$IDP_REDIRECTOR_ID/config" -r apicurio -f - <<EOF
{
"alias" : "google-auth",
"config" : {
"defaultProvider" : "google"
}
}
EOF
kcadm.sh update realms/apicurio -s accountTheme=rh-sso -s adminTheme=rh-sso -s emailTheme=rh-sso -s loginTheme=rh-sso
if ! kcadm.sh get identity-provider/instances -r apicurio | jq -r .[].alias | grep -qx github; then
kcadm.sh create identity-provider/instances -r apicurio -f - <<EOF
{
"alias" : "github",
"providerId" : "github",
"enabled" : true,
"updateProfileFirstLoginMode" : "on",
"trustEmail" : true,
"storeToken" : true,
"addReadTokenRoleOnCreate" : true,
"authenticateByDefault" : false,
"linkOnly" : false,
"firstBrokerLoginFlowAlias" : "first broker login",
"config" : {
"clientSecret" : "$GITHUB_CLIENT_SECRET",
"clientId" : "$GITHUB_CLIENT_ID",
"defaultScope" : "read:org,repo,user:email",
"useJwksUrl" : "true"
}
}
EOF
fi
echo
echo "========================================================================"
echo " Configuring 3scale"
echo "========================================================================"
echo
if ! kcadm.sh get realms/3scale &>/dev/null; then
echo "Creating the 3scale realm..."
kcadm.sh create realms -s realm=3scale -s enabled=true
kcadm.sh create clients -r 3scale -s 'clientId=zync' -s 'standardFlowEnabled=false' -s 'directAccessGrantsEnabled=false' -s 'serviceAccountsEnabled=true' -s 'clientAuthenticatorType=client-secret' -s "secret=$ZYNC_CLIENT_SECRET"
ZYNC_CLIENT_ID="$(kcadm.sh get clients -r 3scale -q clientId=zync |jq -r '.[0].id')"
RM_CLIENT_ID="$(kcadm.sh get clients -r 3scale -q clientId=realm-management |jq -r '.[0].id')"
ZYNC_USER_ID="$(kcadm.sh get clients/$ZYNC_CLIENT_ID/service-account-user -r 3scale |jq -r '.id')"
kcadm.sh get "clients/$RM_CLIENT_ID/roles" -q name=manage-clients -r 3scale |jq -r '[ .[] | select(.name == "manage-clients") ]' | kcadm.sh create "users/$ZYNC_USER_ID/role-mappings/clients/$RM_CLIENT_ID" -r 3scale -f -
fi
exit 0
---
apiVersion: v1
kind: Secret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "30"
labels:
app.kubernetes.io/name: sso
app.kubernetes.io/version: '7.6.0.GA'
app.kubernetes.io/component: kcadm
app.kubernetes.io/instance: keycloak-config-job
name: sso-configuration
namespace: {{ .Values.projectName | quote }}
type: Opaque
data:
googleClientId: {{ .Values.googleClientId | b64enc | quote }}
googleClientSecret: {{ .Values.googleClientSecret | b64enc | quote }}
githubClientId: {{ .Values.githubClientId | b64enc | quote }}
githubClientSecret: {{ .Values.githubClientSecret | b64enc | quote }}
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
argocd.argoproj.io/sync-wave: "30"
labels:
app.kubernetes.io/name: sso
app.kubernetes.io/version: '7.6.0.GA'
app.kubernetes.io/component: kcadm
app.kubernetes.io/instance: keycloak-config-job
name: sso-configuration
namespace: {{ .Values.projectName | quote }}
spec:
backoffLimit: 30
template:
metadata:
labels:
app.kubernetes.io/name: sso
app.kubernetes.io/version: '7.6.0.GA'
app.kubernetes.io/component: kcadm
app.kubernetes.io/instance: keycloak-config-job
spec:
containers:
- name: kcadm
command:
- /entrypoint/configure-sso.sh
args: []
image: quay.io/keycloak/keycloak:18.0.2-legacy
imagePullPolicy: IfNotPresent
env:
- name: SSO_HOSTNAME
value: {{ .Values.sso.hostname | quote }}
- name: MICROCKS_HOSTNAME
value: {{ .Values.microcks.hostname | quote }}
- name: APICURIO_UI_HOSTNAME
value: {{ .Values.apicurio.uiHostname | quote }}
- name: SSO_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: demo-seed
key: sso-admin-password
- name: SSO_ADMIN_USERNAME
value: admin
- name: GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: sso-configuration
key: googleClientId
- name: GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: sso-configuration
key: googleClientSecret
- name: GITHUB_CLIENT_ID
valueFrom:
secretKeyRef:
name: sso-configuration
key: githubClientId
- name: GITHUB_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: sso-configuration
key: githubClientSecret
- name: ZYNC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: demo-seed
key: zync-client-secret
- name: MICROCKS_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: demo-seed
key: zync-client-secret
- name: USER
value: kcadm
- name: HOME
value: /tmp
volumeMounts:
- mountPath: /entrypoint
name: sso-configuration-script
readOnly: true
restartPolicy: OnFailure
terminationGracePeriodSeconds: 30
volumes:
- name: sso-configuration-script
configMap:
name: sso-configuration
defaultMode: 0755
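Review bot: The `MICROCKS_CLIENT_SECRET` env var reads key `zync-client-secret` from `demo-seed`, so the `microcks-serviceaccount` client (`kcadm.sh update ... -s "secret=$MICROCKS_CLIENT_SECRET"`) is set to the zync credential rather than the `microcks-client-secret` value the seed Secret provides; change it to `key: microcks-client-secret`, otherwise whatever consumes `microcks-client-secret` cannot authenticate and two clients in different realms end up sharing one secret. Separately, `configure-sso.sh` fetches the `jq` binary and both realm definitions from mutable locations (a release asset with no checksum, the `master` branches of microcks and apicurio-studio) and imports them with the Keycloak admin credentials, so any upstream change directly rewrites your realms' authentication configuration — pin to a commit, verify a sha256 before executing or importing, or vendor the JSON into the ConfigMap. The admin password is also passed on the `kcadm.sh config credentials` command line, where it is visible in the pod's process listing for the duration of the call.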

9
openshift-gitops.yaml

@ -6,6 +6,9 @@ rules:
- apiGroups: [""]
resources: ["secrets","services","pvc"]
verbs: ["*"]
- apiGroups: ["apps"]
resources: ["statefulsets","deployments"]
verbs: ["*"]
- apiGroups: ["project.openshift.io"]
resources: ["projects"]
verbs: ["*"]
@ -27,6 +30,12 @@ rules:
- apiGroups: ["keycloak.org"]
resources: ["keycloaks"]
verbs: ["*"]
- apiGroups: ["microcks.github.io"]
resources: ["microcksinstalls"]
verbs: ["*"]
- apiGroups: ["apps.3scale.net"]
resources: ["apimanagers"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
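Review bot: The new rules grant `verbs: ["*"]` on `deployments`/`statefulsets`, `projects`, `microcksinstalls` and `apimanagers` in what appears to be a ClusterRole (the binding that follows is a ClusterRoleBinding), so the bound Argo CD service account can create, patch and delete these cluster-wide, including every OpenShift project. For least privilege, enumerate the verbs Argo CD actually needs instead of `*`, and consider scoping the workload rules to the target namespace with a Role/RoleBinding. The unchanged `resources: ["secrets","services","pvc"]` line above also looks wrong: RBAC matches the resource name `persistentvolumeclaims`, and `pvc` is only a kubectl short name.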
