Deploy Keycloak via k3s on the management plane

[reqa]

We should deploy Keycloak via k3s on the management plane.

This is basically a concrete example of #249.

Definition of Ready:

• [ ] User Story is small enough to be finished within one sprint
• [ ] User Story is clear and understood by the whole team
• [ ] Acceptance criteria are defined
• [ ] Acceptance criteria are clear and understood by the whole team

Definition of Done:

• [ ] All acceptance criteria are met
• [ ] Changes have been reviewed
• [ ] CI tests have run successfully
• [ ] Documentation has been updated
• [ ] Release Notes have been updated

[JuanPTM]

This is currently working on the testbed. The deployment has been done using CloudNative-PG and codecentric Keycloakx.

[reqa]

@berendt I guess this would be two ansible roles, one for postgresql deployment and an updated one for keycloak (see https://input.scs.community/2023-scs-sig-iam ). Should they also be put into osism/ansible-collection-services and be consumed by ansible-playbooks/playbooks/infrastructure-keycloak.yml ?

[garloff]

k3s now runs on control nodes and management node, we can deploy it on multiple nodes now. Next steps:

• [x] Make keycloak accessible via a DNS name
• [x] Use a proxy/load-balancer (metal-lb) to make this robust against node failure
• [x] TLS termination (at service, not LB)
• [x] Adjust documentation

[reqa]

Manual progress:

• Assigned static IP (192.168.16.100) to LoadBalancer service for keycloak (via metallb)
• http access works, but https gets stuck, proably due to default keycloakx proxy mode edge. I shall try with passthrough.

[reqa]

This looks interesting: https://github.com/helm/charts/issues/10192#issuecomment-647481786

[reqa]

Current deployment steps:

# 1. Deploy CloudNativePG operator:
helm repo add cnpg https://cloudnative-pg.github.io/charts
helm upgrade --install cnpg  --namespace cnpg-system --create-namespace cnpg/cloudnative-pg

# 2. Create DB for Keycloak
kubectl create namespace keycloak
kubectl apply -f pg.yaml --namespace keycloak

# 3. Deploy Keycloak
helm repo add codecentric https://codecentric.github.io/helm-charts
helm install keycloakx codecentric/keycloakx --namespace keycloak --values keycloakx-with-service-loadBalancer.yaml

The yaml files we used for the PoC:

• pg.yaml.txt
• keycloakx-with-service-loadBalancer.yaml.txt

[reqa]

@berendt

• You pointed to https://github.com/osism/testbed/tree/main/environments/kubernetes as example. By analogy we could place a Helm chart for Keycloak there.
• What's your idea how to make it easily available/deployable for non-testbed installations?
• Once we have that^^, probably an additional Helm chart in the testbed repo is redundant.

[reqa]

My proposal would be to simply adjust https://github.com/osism/ansible-collection-services/tree/main/roles/keycloak to deploy to k3s using a combination of https://docs.ansible.com/ansible/latest/collections/kubernetes/core/helm_module.html and https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html .

That way we could create a cloudnativepg role there and let keycloak depend on that.

[reqa]

Current state: https://github.com/reqa/ansible-collection-services/commits/reqa/issue-507/

All theoretical, untested. The credential handling+passing to k3s still needs to be fixed. I'm using the traefik_certificates from the secrets.yml generated in the control/ownca.

[reqa]

Works now with

• https://github.com/osism/ansible-collection-services/pull/1321
• https://github.com/osism/testbed/pull/2065