From d671078acadded77cebdaa49bc6a449cca7982c1 Mon Sep 17 00:00:00 2001
From: Jens Reimann
Date: Mon, 25 Nov 2024 10:43:19 +0100
Subject: [PATCH] chore: updates and AWS managed deployment

---
 README.md           | 28 +++++++++----
 values-ocp-aws.yaml | 98 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+), 8 deletions(-)
 create mode 100644 values-ocp-aws.yaml

diff --git a/README.md b/README.md
index 10dd318..d195ccb 100644
--- a/README.md
+++ b/README.md
@@ -24,22 +24,23 @@ Use it as default:
 kubectl config set-context --current --namespace=trustify
 ```
 
-Evaluate the application domain:
+Evaluate the application domain and namespace:
 
 ```bash
+NAMESPACE=trustify
 APP_DOMAIN=.$(minikube ip).nip.io
 ```
 
 Install the infrastructure services:
 
 ```bash
-helm upgrade --install --dependency-update -n trustify infrastructure charts/trustify-infrastructure --values values-minikube.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
+helm upgrade --install --dependency-update -n $NAMESPACE infrastructure charts/trustify-infrastructure --values values-minikube.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
 ```
 
 Then deploy the application:
 
 ```bash
-helm upgrade --install -n trustify trustify charts/trustify --values values-minikube.yaml --set-string appDomain=$APP_DOMAIN
+helm upgrade --install -n $NAMESPACE trustify charts/trustify --values values-minikube.yaml --set-string appDomain=$APP_DOMAIN
 ```
 
 ### Kind
@@ -71,16 +72,17 @@ Create a new namespace:
 oc new-project trustify
 ```
 
-Evaluate the application domain:
+Evaluate the application domain and namespace:
 
 ```bash
-APP_DOMAIN=-trustify.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')
+NAMESPACE=trustify
+APP_DOMAIN=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')
 ```
 
 Provide the trust anchor:
 
 ```bash
-oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d > tls.crt
+oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d > tls.crt
 oc create configmap crc-trust-anchor --from-file=tls.crt -n trustify
 rm tls.crt
 ```
@@ -88,13 +90,23 @@ rm tls.crt
 Deploy the infrastructure:
 
 ```bash
-helm upgrade --install --dependency-update -n trustify infrastructure charts/trustify-infrastructure --values values-ocp-no-aws.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
+helm upgrade --install --dependency-update -n $NAMESPACE infrastructure charts/trustify-infrastructure --values values-ocp-no-aws.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
 ```
 
 Deploy the application:
 
 ```bash
-helm upgrade --install -n trustify trustify charts/trustify --values values-ocp-no-aws.yaml --set-string appDomain=$APP_DOMAIN --values values-crc.yaml
+helm upgrade --install -n $NAMESPACE trustify charts/trustify --values values-ocp-no-aws.yaml --set-string appDomain=$APP_DOMAIN --values values-crc.yaml
+```
+
+## OpenShift with AWS resources
+
+Instead of using Keycloak and the filesystem storage, it is also possible to use AWS Cognito and S3.
+
+Deploy only the application:
+
+```bash
+helm upgrade --install -n $NAMESPACE trustify charts/trustify --values values-ocp-aws.yaml --set-string appDomain=$APP_DOMAIN
 ```
 
 ## From a released chart
diff --git a/values-ocp-aws.yaml b/values-ocp-aws.yaml
new file mode 100644
index 0000000..9749a1f
--- /dev/null
+++ b/values-ocp-aws.yaml
@@ -0,0 +1,98 @@
+appDomain: change-me # <1>
+
+ingress:
+  className: openshift-default
+
+authenticator:
+  type: cognito
+  cognitoDomainUrl: # <3>
+
+storage:
+  s3:
+    region: # <2>
+    bucket: trustify-jreimann
+    accessKey:
+      valueFrom:
+        secretKeyRef:
+          name: storage-credentials
+          key: aws_access_key_id
+    secretKey:
+      valueFrom:
+        secretKeyRef:
+          name: storage-credentials
+          key: aws_secret_access_key
+
+database:
+  host:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-credentials
+        key: db.host
+  port:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-credentials
+        key: db.port
+  name:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-credentials
+        key: db.name
+  username:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-credentials
+        key: db.user
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-credentials
+        key: db.port
+
+createDatabase:
+  name:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-admin-credentials
+        key: db.name
+  username:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-admin-credentials
+        key: db.user
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-admin-credentials
+        key: db.password
+
+migrateDatabase:
+  username:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-admin-credentials
+        key: db.user
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-admin-credentials
+        key: db.password
+
+modules:
+  createDatabase:
+    enabled: true
+  migrateDatabase:
+    enabled: true
+
+oidc:
+  issuerUrl: # <4>
+  clients:
+    frontend:
+      clientId: # <5>
+    cli:
+      clientId: # <6>
+      clientSecret:
+        valueFrom:
+          secretKeyRef:
+            name: oidc-cli
+            key: client-secret
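Review bot: `database.password` reads `key: db.port` from `postgresql-credentials`, so the application would be handed the port value as its database password, while `createDatabase.password` and `migrateDatabase.password` correctly read `db.password`; it should be `key: db.password`. The S3 `bucket: trustify-jreimann` is a user-specific name committed into a shared values file, and since bucket names are global anyone deploying it unchanged would point at a bucket they do not own, so it should be an empty placeholder with its own callout like the other site-specific fields, e.g. `bucket: # <7>`. The `# <1>` to `# <6>` callouts have no legend either in this file or in the README section that references it, so a short header comment stating what each one expects (application domain, S3 region, Cognito domain URL, OIDC issuer URL, frontend and CLI client IDs) would help, as would a comment noting that the `storage-credentials`, `postgresql-credentials`, `postgresql-admin-credentials` and `oidc-cli` secrets must already exist in the target namespace before the chart is installed.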