
Getting Started GLUU FLEX using RANCHER on SUSE with Microk8s

Mohammad Abudayyeh edited this page Jul 4, 2022 · 8 revisions

Introduction

Gluu Flex is a self-hosted software stack designed for cloud-native deployments; it enables your organization to build a world-class digital identity platform that authenticates both people and software.

With Helm charts available out of the box, Gluu Flex can handle the most demanding concurrency requirements. Thanks to cloud-native auto-scaling and zero-downtime updates, you can build a robust, multi-datacenter topology, and you can take advantage of new cloud databases such as Amazon Aurora and Google Spanner.

This guide focuses on setting up (installing and configuring) Gluu Flex using Rancher on SUSE (and Linux in general). It also covers securing a web application with Gluu Flex: it uses the mod_auth_openidc Apache module to add Relying Party (RP) functionality to an existing Apache reverse proxy, and the RP implements the authentication flows from the OpenID Connect specification.

Motivation

The motivation behind this guide is to provide detailed instructions for setting up and understanding Gluu Flex. Following them will quickly stand up the environment and use it to secure a web application.

Scope

This guide will cover the Gluu Flex installation using Rancher and demonstrate using it for securing a web application.

Audience

This guide is intended as a quick start for new users; it helps with the setup and configuration of Gluu Flex using Rancher. It also covers securing a web application with Gluu Flex, which acts as an OpenID Connect Provider (OP).

Technical overview

(Figure: gluucloudnative-jans)

(Figure: gluu-flex-building-blocks)

Prerequisites

Installation

Rancher Marketplace

For this quick start, we will use a single-node Kubernetes cluster (microk8s).

For a more generic setup, you may use the Rancher UI to deploy the setup. For more options, please follow this link.

Summary of steps:

  1. Provision a Linux VM with 4 CPUs, 16 GB RAM and a 50 GB SSD, with ports 443, 80 and 5000 open. Save the VM IP address. For development environments, the VM can be set up using VMware Workstation Player or VirtualBox with the desired SUSE version running inside it.

  2. Install snap on SUSE.

  3. Install Microk8s.

  4. Enable the Microk8s services dns, storage, registry and ingress.

    microk8s.enable dns registry ingress storage
    # set alias for microk8s kubectl
    sudo snap alias microk8s.kubectl kubectl
    # Place the kube config in the root user's home. This is for demo purposes only
    mkdir -p ~/.kube
    microk8s.config > ~/.kube/config
  5. Install Helm.

  6. In preparation for the next step, we will generate a self-signed certificate for our example domain rancher.my.org.

    kubectl create ns cattle-system
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=rancher.my.org/O=rancher.my.org"
    kubectl create secret tls secret --key tls.key --cert tls.crt -n cattle-system
    
  7. After installing Microk8s, follow instructions to install Rancher.

  8. We will port-forward to access the Rancher UI publicly.

    microk8s.kubectl port-forward deployment/rancher 5000:443 -n cattle-system --address 0.0.0.0
    

    Keep the port open while you navigate through the UI in the next steps. Once you are finished, you can hit CTRL + C and that will close access to the UI.

  9. Map the IP of your SUSE VM to the domain rancher.my.org in /etc/hosts.

    .....
    3.65.27.95 rancher.my.org
    
  10. Open https://rancher.my.org in a browser and log in with the username admin and the password from the previous step. If you are logging into Rancher for the first time, you'll need to enter just the password, and on the next step, Rancher will ask you to reset your current password.

  11. Next you'll see the Rancher home page with a list of existing clusters. By default, the name of the newly created cluster is local. Click on the cluster name to go to the dashboard.

  12. From the top-left menu, expand Apps & Marketplace and click Charts.

  13. [OPTIONAL; IF USING SQL] To install a quick setup with MySQL as the backend, either provide the connection parameters of a fresh MySQL instance or follow the instructions below for a test setup:

    • The Rancher UI currently doesn't ship a MySQL chart, so we install MySQL manually.
    • Open a kubectl shell from the top-right navigation menu (>_).
    • Run helm repo add bitnami https://charts.bitnami.com/bitnami
    • Run helm repo update
    • Run kubectl create ns gluu
    • Pass in a custom password for the database. Here we used Test1234#. The admin user is left as root. Notice that we are installing in the gluu namespace. Run helm install my-release --set auth.rootPassword=Test1234#,auth.database=jans bitnami/mysql -n gluu
    • Once MySQL is up and running, head to Apps & Marketplace --> Charts and search for Gluu.
    • Click Install on the right side of the window.
    • Enter gluu as the Namespace, then click Next on the right side of the window.
    • On the Edit Options tab, which is the first one highlighted, click Persistence.
    • Change only the SQL database host URI to my-release-mysql.gluu.svc.cluster.local, the SQL database username to root and the SQL password to the password you chose when you installed MySQL (Test1234# in our case).
    • Click the next section, labeled NGINX, and enable all the endpoints.
    • Enable Casa and the Admin UI: navigate to Optional Services and check the Enable casa and boolean flag to enable admin UI boxes.
    • You may also customize other settings of the Flex installation, specifically under Optional Services, where you can enable further services such as ClientApi and Jackrabbit.
    • Click Install at the bottom right of the window.
  14. [OPTIONAL; IF USING OPENDJ]:

    • Head to Apps & Marketplace --> Charts and search for Gluu.
    • Click Install on the right side of the window.
    • Enter gluu as the Namespace, then click Next on the right side of the window. Note that to install the app into a new namespace, enter its name in the Namespace field and select it.
    • On the Edit Options tab, which is the first one highlighted, click Persistence.
    • Change the Gluu Persistence backend to ldap and enable the installation of OpenDJ.
    • Enable Casa and the Admin UI: navigate to Optional Services and check the Enable casa and boolean flag to enable admin UI boxes.
    • You may also customize other settings of the Flex installation, specifically under Optional Services, where you can enable further services.
    • Click Install at the bottom right of the window.
  15. NOTE: To enable Casa and the Admin UI after the first deployment, go to the Rancher UI -> Apps -> Installed Apps -> gluu -> click the three dots on the right -> Upgrade -> Optional Services, check the Enable casa and boolean flag to enable admin UI boxes, and click Update.

Connecting to the Setup

The running deployments and services of the different Gluu Flex components (Casa, Admin UI, SCIM, auth server, etc.) can be viewed through the Rancher UI: go to Workloads to see the running pods, and go under Service Discovery to check the ingresses and services. All of them should be in a healthy, running state.

  1. To access the setup from a browser or another VM, we need to change the ingress class annotation from kubernetes.io/ingress.class: nginx to kubernetes.io/ingress.class: public. For each component you want to access publicly in the browser:

    • Navigate through the Rancher UI to Service Discovery -> Ingresses.
    • Choose the ingress of the component that points to the target URL you need, e.g. gluu-nginx-ingress-fido2-configuration for FIDO2.
    • Click the three dots in the top-right corner.
    • Click Edit Yaml.
    • On line 6, change the kubernetes.io/ingress.class annotation value from nginx to public.
    • Click Save.
  2. To access the setup from a browser or another VM, the IP of the SUSE VM also needs to be mapped in /etc/hosts to the domain chosen for Gluu. Make sure to remove (or comment out) the previous mapping made for your Rancher UI access.

    .....
    #3.65.27.95 rancher.my.org
    3.65.27.95 demoexample.gluu.org
  3. Go to the browser and try accessing some Gluu Flex endpoints, such as https://demoexample.gluu.org/.well-known/fido2-configuration, which we worked with in this example. You should get a response similar to the one below:

    {
      "version": "1.1",
      "issuer": "https://demoexample.gluu.org",
      "attestation": {
        "base_path": "https://demoexample.gluu.org/jans-fido2/restv1/attestation",
        "options_enpoint": "https://demoexample.gluu.org/jans-fido2/restv1/attestation/options",
        "result_enpoint": "https://demoexample.gluu.org/jans-fido2/restv1/attestation/result"
      },
      "assertion": {
        "base_path": "https://demoexample.gluu.org/jans-fido2/restv1/assertion",
        "options_enpoint": "https://demoexample.gluu.org/jans-fido2/restv1/assertion/options",
        "result_enpoint": "https://demoexample.gluu.org/jans-fido2/restv1/assertion/result"
      }
    }

Note that you can also access these endpoints with the curl command.
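As an added check that is not part of the original guide, the following Python validates a fetched fido2-configuration document: the body must be a JSON object, the issuer must be an https URL for the domain you configured, and every advertised endpoint must sit on the issuer's host. It flags a non-JSON body (typically the request landed on a different ingress) and endpoints advertised under another hostname. The sample document is the response quoted above, embedded so the check runs offline.

```python
import json
from urllib.parse import urlparse

# Response quoted in the guide for demoexample.gluu.org, embedded verbatim
# so the check runs offline.
SAMPLE_FIDO2_CONFIG = (
    '{"version":"1.1","issuer":"https://demoexample.gluu.org",'
    '"attestation":{"base_path":"https://demoexample.gluu.org/jans-fido2/restv1/attestation",'
    '"options_enpoint":"https://demoexample.gluu.org/jans-fido2/restv1/attestation/options",'
    '"result_enpoint":"https://demoexample.gluu.org/jans-fido2/restv1/attestation/result"},'
    '"assertion":{"base_path":"https://demoexample.gluu.org/jans-fido2/restv1/assertion",'
    '"options_enpoint":"https://demoexample.gluu.org/jans-fido2/restv1/assertion/options",'
    '"result_enpoint":"https://demoexample.gluu.org/jans-fido2/restv1/assertion/result"}}'
)


def check_fido2_configuration(raw, expected_domain):
    """Return findings (empty list = consistent): body must be a JSON object,
    issuer an https URL for expected_domain, and every attestation/assertion
    endpoint must share the issuer's scheme and host."""
    findings = []
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["response is not valid JSON (did the request hit the right ingress?): %s" % exc]
    if not isinstance(cfg, dict):
        return ["response is JSON but not an object"]
    issuer = urlparse(cfg.get("issuer", ""))
    if issuer.scheme != "https":
        findings.append("issuer is not https: %r" % cfg.get("issuer"))
    if issuer.hostname != expected_domain:
        findings.append("issuer host %r != expected %r" % (issuer.hostname, expected_domain))
    for section in ("attestation", "assertion"):
        endpoints = cfg.get(section)
        if not isinstance(endpoints, dict):
            findings.append("missing section: %s" % section)
            continue
        for name, url in endpoints.items():
            target = urlparse(str(url))
            if (target.scheme, target.hostname) != (issuer.scheme, issuer.hostname):
                findings.append("%s.%s is off-issuer: %s" % (section, name, url))
    return findings


if __name__ == "__main__":
    import sys  # real use: curl -s https://<host>/.well-known/fido2-configuration | python3 this.py
    body = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FIDO2_CONFIG
    print("\n".join(check_fido2_configuration(body, "demoexample.gluu.org") or ["OK"]))
```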

  4. Although it is tedious, you can do the same for every ingress of each component that you want to access publicly from the browser.
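Because the annotation edit has to be repeated per ingress, here is an added helper (not from the guide) that performs the same nginx-to-public rewrite over the JSON that kubectl get ingress -n gluu -o json returns, so the result can be piped back through kubectl apply -f -. The ingress list below is constructed for the demo; only the fido2 ingress name comes from the guide, and the other two names are made up.

```python
import copy
import json

INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed sample in the shape of `kubectl get ingress -n gluu -o json`,
# trimmed to the fields the rewrite touches. Only the fido2 ingress name is
# taken from the guide; the other two names are made up for the demo.
SAMPLE_INGRESS_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "Ingress", "apiVersion": "networking.k8s.io/v1",
         "metadata": {"name": "gluu-nginx-ingress-fido2-configuration", "namespace": "gluu",
                      "annotations": {INGRESS_CLASS_ANNOTATION: "nginx"}},
         "spec": {"rules": [{"host": "demoexample.gluu.org"}]}},
        {"kind": "Ingress", "apiVersion": "networking.k8s.io/v1",
         "metadata": {"name": "gluu-nginx-ingress-already-public", "namespace": "gluu",
                      "annotations": {INGRESS_CLASS_ANNOTATION: "public"}},
         "spec": {"rules": [{"host": "demoexample.gluu.org"}]}},
        {"kind": "Ingress", "apiVersion": "networking.k8s.io/v1",
         "metadata": {"name": "gluu-nginx-ingress-uses-classname", "namespace": "gluu"},
         "spec": {"ingressClassName": "nginx", "rules": [{"host": "demoexample.gluu.org"}]}},
    ],
}

def retarget_ingress_class(ingress_list, old="nginx", new="public"):
    """Return (updated_list, changed_names, skipped_names) without modifying the input.
    Every Ingress whose kubernetes.io/ingress.class annotation equals `old` gets
    it set to `new`. Ingresses that select their class through spec.ingressClassName
    instead are left alone and reported as skipped so they can be reviewed by hand."""
    updated = copy.deepcopy(ingress_list)
    changed, skipped = [], []
    for item in updated.get("items", []):
        meta = item.setdefault("metadata", {})
        name = meta.get("name", "<unnamed>")
        annotations = meta.setdefault("annotations", {})
        if annotations.get(INGRESS_CLASS_ANNOTATION) == old:
            annotations[INGRESS_CLASS_ANNOTATION] = new
            changed.append(name)
        elif item.get("spec", {}).get("ingressClassName") == old:
            skipped.append(name)
    return updated, changed, skipped

if __name__ == "__main__":
    import sys  # real use: kubectl get ingress -n gluu -o json | python3 this.py | kubectl apply -f -
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INGRESS_LIST
    print(json.dumps(retarget_ingress_class(source)[0], indent=2))
```

For ingresses that carry the annotation, kubectl -n gluu annotate ingress --all kubernetes.io/ingress.class=public --overwrite does the rewrite in one command; the script's extra value is that it lists ingresses selecting their class via spec.ingressClassName, which need a separate check.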