Infrastructure
Trustify requires some infrastructure services for its installation. The services required are:
-
OIDC provider
-
PostgreSQL database instance
-
Storage, either:
-
Filesystem
-
S3 compatible
-
Those services have to be provided by the user before the installation is being performed. Some information, like access credentials, must be provided during the installation of Trustify.
There are different ways to set up such services. However, it is up to the user to provide those services and set them up.
The following sections provide a few examples on how they can be provided in different ways. Keep in mind, those are just examples, and you can modify them to suit your needs, or choose a different approach in providing those services.
Self-managed Kubernetes
A simple approach is to use Keycloak as an OIDC provider, a PostgreSQL container, and a persistent volume claim for the filesystem storage.
To set this up, it is possible to just use existing Helm charts for Keycloak and PostgreSQL. We do provide an opinionated infrastructure Helm chart for this case at: https://github.com/trustification/trustify-helm-charts/tree/main/charts/trustify-infrastructure
You can install this using:
NAMESPACE=trustify
APP_DOMAIN=public.cluster.domain
helm upgrade --install -n $NAMESPACE --repo https://trustification.io/trustify-helm-charts/ infrastructure trustify-infrastructure --values <values-file> --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
For this, you will need to provide a Helm "values" file. Which is a YAML file, providing additional information for the Helm chart.
An example file, for Minikube, is:
keycloak:
enabled: true
production: false
auth:
adminUser: admin
adminPassword: admin123456 # notsecret, replace
tls:
enabled: false
service: {}
ingress:
enabled: true
servicePort: http
oidc:
clients:
frontend: {}
cli:
clientSecret:
value: 5460cc91-4e20-4edd-881c-b15b169f8a79 # notsecret, replace
AWS services
It also is possible to use AWS managed services. The following AWS services can be used:
-
OIDC provider: AWS Cognito
-
PostgreSQL database instance: AWS RDS
-
Storage: AWS S3
Manual setup
You can create the AWS resources manually, either through the AWS console or using the AWS CLI.
Terraform with OpenShift
Trustify also provides an example Terraform setup, which is intended to quickly deploy an opinionated set of services. The Terraform scripts will create the AWS resources, as well as create Kubernetes resources with information from the Terraform creation process, so that the Helm charts can pick up this information.
Main module
To use the Terraform scripts, you will need to create a wrapper/main module, referencing this trustify
module.
The following example file needs to be adapted to your needs. Example values have to be replaced with values that suit your deployment. |
provider "aws" {
region = "<your region>" (1)
profile = "<your aws cli profile>" (2)
}
provider "kubernetes" {
config_path = "<path to kubeconfig>" (3)
config_context = "<name of the kubectl context>" (4)
}
variable "app-domain" {
type = string
}
module "trustification" {
source = "./trustify" (5)
cluster-vpc-id = "<your cluster vpc>" (6)
availability-zone = "<your availability zone inside your region>" (7)
namespace = "trustify"
admin-email = "<your e-mail address>" (8)
sso-domain = "<a free cognito console domain name>" (9)
console-url = "https://server${var.app-domain}"
}
1 | The AWS region you want to create the resources in |
2 | The name of the AWS CLI profile you want to use |
3 | The location to the "kubeconfig" file, required for accessing the Kubernetes cluster |
4 | The name of the Kubernetes client context (in the kubeconfig ) to use |
5 | The location of the trustify Terraform module |
6 | The VPC ID of the OpenShift cluster, used to allow access to the RDS database |
7 | The availability zone the RDS instance should be created in. Must be valid for the AWS region. |
8 | The e-mail of the admin user, which will get frontend access to Trustification |
9 | An AWS Cognito domain prefix. It is globally unique and has to be still available. |
Creating the resources
First, initialize the OpenTofu instance. This will set up the required providers and does not yet create any resources:
tofu init
The following commands require the environment variable APP_DOMAIN
to be set.
You can do this using the following command:
NAMESPACE=trustify
APP_DOMAIN=-$NAMESPACE.$(kubectl -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')
Then, check if the resources can be created. This does not yet create the resources:
tofu plan --var app-domain=$APP_DOMAIN
This will show you the resources which will get created and check if the creation is expected to be successful.
If this worked fine, proceed with actually creating the resources:
tofu apply --var app-domain=$APP_DOMAIN
This will also create some resources in the Kubernetes cluster, including the credentials to the AWS accounts created for accessing the created AWS resources.
Running the Helm chart
Prepare a "values" files, named values-ocp-aws.yaml
:
ingress:
className: openshift-default
authenticator:
type: cognito
storage:
type: s3
region:
valueFrom:
configMapKeyRef:
name: aws-storage
key: region
bucket: trustify
accessKey:
valueFrom:
secretKeyRef:
name: storage-credentials
key: aws_access_key_id
secretKey:
valueFrom:
secretKeyRef:
name: storage-credentials
key: aws_secret_access_key
database:
host:
valueFrom:
secretKeyRef:
name: postgresql-credentials
key: db.host
port:
valueFrom:
secretKeyRef:
name: postgresql-credentials
key: db.port
name:
valueFrom:
secretKeyRef:
name: postgresql-credentials
key: db.name
username:
valueFrom:
secretKeyRef:
name: postgresql-credentials
key: db.user
password:
valueFrom:
secretKeyRef:
name: postgresql-credentials
key: db.port
createDatabase:
name:
valueFrom:
secretKeyRef:
name: postgresql-admin-credentials
key: db.name
username:
valueFrom:
secretKeyRef:
name: postgresql-admin-credentials
key: db.user
password:
valueFrom:
secretKeyRef:
name: postgresql-admin-credentials
key: db.password
migrateDatabase:
username:
valueFrom:
secretKeyRef:
name: postgresql-admin-credentials
key: db.user
password:
valueFrom:
secretKeyRef:
name: postgresql-admin-credentials
key: db.password
modules:
createDatabase:
enabled: true
migrateDatabase:
enabled: true
oidc:
issuerUrl:
valueFrom:
configMapKeyRef:
name: aws-oidc
key: issuer-url
clients:
frontend:
clientId:
valueFrom:
secretKeyRef:
name: oidc-frontend
key: client-id
cli:
clientId:
valueFrom:
secretKeyRef:
name: oidc-cli
key: client-id
clientSecret:
valueFrom:
secretKeyRef:
name: oidc-cli
key: client-secret
You can now run the Helm chart using the following command:
helm upgrade --install --repo https://trustification.io/trustify-helm-charts/ --devel -n $NAMESPACE trustify charts/trustify --values values-ocp-aws.yaml --set-string appDomain=$APP_DOMAIN
The --devel flag is currently necessary as the Helm chart has a pre-release version.
|