[MOSIP-35490] moved required helm and deploy scripts to modular repo

Signed-off-by: techno-467 <[email protected]>
mosip · Dec 4, 2024 · 33f0e3a · 33f0e3a
1 parent 54ae30e
commit 33f0e3a
Show file tree

Hide file tree

Showing 23 changed files with 2,434 additions and 0 deletions.
diff --git a/.github/workflows/chart-lint-publish.yml b/.github/workflows/chart-lint-publish.yml
@@ -0,0 +1,62 @@
+name: Validate / Publish helm charts
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    types: [opened, reopened, synchronize]
+    paths:
+      - 'helm/**'
+  workflow_dispatch:
+    inputs:
+      IGNORE_CHARTS:
+        description: 'Provide list of charts to be ignored separated by pipe(|)'
+        required: false
+        default: '""'
+        type: string
+      CHART_PUBLISH:
+        description: 'Chart publishing to gh-pages branch'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+      INCLUDE_ALL_CHARTS:
+        description: 'Include all charts for Linting/Publishing (YES/NO)'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+  push:
+    branches:
+      - '!release-branch'
+      - '!master'
+      - 1.*
+      - 0.*
+      - develop
+      - MOSIP*
+      - release*
+    paths:
+      - './helm/**'
+
+jobs:
+  chart-lint-publish:
+    uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master
+    with:
+      CHARTS_DIR: ./helm
+      CHARTS_URL: https://mosip.github.io/mosip-helm
+      REPOSITORY: mosip-helm
+      BRANCH: gh-pages
+      INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}"
+      IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}"
+      CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}"
+      LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml"
+      LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml"
+      LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml"
+      LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml"
+    secrets:
+      TOKEN: ${{ secrets.ACTION_PAT }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/deploy/README.md b/deploy/README.md
@@ -0,0 +1,139 @@
+# Keycloak
+
+## Introduction
+An organisation may use any OAuth 2.0 compliant Identity Access Management (IAM) system with MOSIP.  Here we provide k8s installation procedure for **Keycloak** which is the default supported IAM with MOSIP.
+
+- It is recommended to have two seperate installations of keycloak;
+  1. One for organisation wide access to Rancher in order to access different clusters there which is already installed [here](../../rancher/keycloak/README.md). It is installed in the rancher cluster the same will be only one throughout the organisation.
+  1. Second installation of keycloak will be in the MOSIP cluster as external dependency for every MOSIP cluster. This will be used by MOSIP modules for authentication and authorization.
+
+## Prerequisites
+The `install.sh` script here assumes that configmap `global` is already there in the default namespace. 
+
+## Install
+* Use the `install.sh` provided in this directory. This will install Keycloak as bitnami helm chart. 
+* To further configure `values.yaml` and for any other info, refer [here](https://github.com/bitnami/charts/tree/master/bitnami/keycloak). 
+```
+$ ./install.sh <kubeconfig file for this cluster>
+```
+* Bitnami keycloak chart here installs postgres too.  If you already have an external postgres DB, point to the same while installing.
+* For postgres persistence the chart uses default storage class available with the cluster.
+* While deleting helm chart note that PVC, PV do not get removed for Statefulset. This also means that passwords will be same as before. Delete them explicity if you need to. CAUTION: all persistent data will be erased if you delete PV.
+* To retain data even after PV deletion use a storage class that supports "Retain".  On AWS, you may install `gp2-retain` storage class given here and specify the same while installing Keycloak helm chart.
+
+## Existing Keycloak
+* In case you have not installed Keycloak by above method, and already have an instance running, make sure Kubernetes configmap and secret is created in namespace `keycloak` as expected in [keycloak-init](https://github.com/mosip/mosip-helm/blob/develop/charts/keycloak-init/values.yaml):
+  ```
+  keycloak:
+    host:
+      existingConfigMap: keycloak-host
+      key: keycloak-host-url
+    admin:
+      userName:
+        existingConfigMap: keycloak-env-vars
+        key: KEYCLOAK_ADMIN_USER
+      secret:
+        existingSecret: keycloak
+        key: admin-password
+  ```
+
+## Secret change
+In case you change admin password directly from console, then update the secret as well:
+```
+$ ./update_secret.sh <admin new password> <kubeconfig file for this cluster>
+```
+You may get the current admin password:
+```
+$ ./get_pwd.sh <kubeconfig file for this cluster>
+```
+
+## Keycloak docker version
+TODO: The keycloak docker version in `values.yaml` is an older version as the version 12.04 (latest bitnami) was crashing for `userinfo` request for client (like mosip-prereg-client). Watch latest bitnami release and upgrade 13+ version when available.
+
+## Keycloak Init
+To populate base data of MOSIP, run Keycloak Init job:
+```
+$ ./keycloak_init.sh <kubeconfig file for mosip cluster>
+```
+
+## Frontend URL
+- Navigate to keycloak admin console.
+- Navigate to `Mosip` realm.
+- Configure *Frontend URL* property in *Realm Settings* page. Value for the frontend url should be: `https://<mosip-iam-external-host>/auth`. Eg: `https://iam.sandbox.mosip.net/auth`.
+- Save it.
+
+Automated this as part of keycloak-init
+
+## Enable Multi Languages in keycloak
+- Navigate to the keycloak admin console.
+- Navigate to `Mosip` realm.
+- Navigate to `Realms Settings` ----> `Themes`.
+- Enable `Internationalization Enabled`.
+- Set languages in `Supported Locales`.
+- Click on `Save`.
+  ![keycloak-1.png](../../docs/images/keycloak-1.png)
+- Confirm via checking languages in `Mosip` admin login page `https://iam.sandbox.xyz.net/auth/admin/mosip/console/`.
+  ![img.png](../../docs/images/keycloak-2.png)
+
+TODO: Automate this as part of keycloak-init
+
+## EXPORT 
+
+### Export from Jboss keycloak 9.0.0
+
+* Copy `export.sh` to the console machine of the specific environment and run the `export.sh`. <br>
+  Make sure the console has Kubernetes cluster access.
+  ```sh
+  ./export.sh
+  ```
+  ```
+  Provide kubernetes cluster config file path : <k8s-cluster-config-file>
+  Provide keycloak namespace ( Default namespace: default ) : <namespace-of-keycloak>
+  Provide directory location for export files ( Default Location: current directory ) : <path-to-export-keycloak-files>
+  Created Export Directory : <path-to-export-keycloak-files>
+  Provide "No of users per file" ( Default: 1000, Recommended value: total number of users ) : <total-no-of-keycloak-users>
+  ```
+* Press `ctrl+c` once after `Export finished successfully` displayed.
+  ```
+  18:07:06,903 INFO  [org.keycloak.services] (ServerService Thread Pool -- 62) KC-SERVICES0035: Export finished successfully
+  ```
+* Copy exports files from console machine to your local.
+
+### Export from Bitnami keycloak ( Helm/chart Version: 7.1.18 )
+* Set the `KEYCLOAK_EXTRA_ARGS` as an environmental variable in "keycloak" statefulSets to export realm & its users.
+* Set the value for `-Dkeycloak.migration.usersPerFile` ( Recommended value: total number of users ) to the below environmental variable value.
+  ```
+  name: KEYCLOAK_EXTRA_ARGS
+  value: '-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.realmName=mosip -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES -Dkeycloak.migration.usersPerFile=<TOTAL-NUMBER-OF-USERS> -Dkeycloak.migration.file=/'
+  ```
+* Wait till the application is up and running.
+* Keycloak will be exported to location `/opt/bitnami/keycloak/standalone/keycloak-export/`.
+* Copy the `keycloak-export` directory from the above location to your local via the `kubectl cp` command.
+
+## IMPORT
+
+### Import to Bitnami Keycloak ( Helm chart version: 7.1.18 )
+* If already existing keycloak is running, set the environmental variable `KEYCLOAK_EXTRA_ARGS=-Dkeycloak.profile.feature.upload_scripts=enabled` to enable the import feature.
+* Run `install.sh` to deploy keycloak with the import feature enabled.
+  ```sh
+  ./install.sh
+  ```
+
+### Import Realm via Keycloak UI
+* Login to keycloak Admin console, Navigate `Master` realm and Click on `Add Realm`.
+* Click on the `select file` to Import the keycloak realm. Select keycloak exported realm JSON file.
+* Set realm name to `mosip` and click on `create`.
+  ![keycloak-4.png](../../docs/images/keycloak-4.png)
+
+### Import Users via Keycloak UI
+* Login to keycloak Admin console, Navigate to `Mosip` realm.
+* Click on `Import` ---> Select `Exported json file` and click on `Import`.
+  ![keycloak-3.png](../../docs/images/keycloak-3.png)
+
+### IMPORT INIT
+
+* Update realm, roles, clients, & service account client roles details in `import-init-values.yaml`.
+* run `import-init.sh`
+  ```sh
+  ./import-init.sh
+  ```
diff --git a/deploy/delete.sh b/deploy/delete.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Uninstalls Keycloak
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+function deleting_keycloak() {
+  NS=keycloak
+  while true; do
+      read -p "Are you sure you want to delete Keyclaok? This is DANGEROUS! (Y/n) " yn
+      if [ $yn = "Y" ]
+        then
+          helm -n $NS delete keycloak
+          helm -n $NS delete keycloak-init
+          helm -n $NS delete istio-addons
+          break
+        else
+          break
+      fi
+  done
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+deleting_keycloak   # calling function
diff --git a/deploy/export.sh b/deploy/export.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+# Export Keycloak
+## Usage: ./export.sh [kubeconfig]
+
+## script starts from here
+function export_keycloak() {
+  read -p "Provide kubernetes cluster config file path : " K8S_CONFIG
+  if  [ -z "$K8S_CONFIG" ]; then
+    echo "Cluster config file path not provided; EXITING;";
+    exit 1;
+  fi
+  if [ ! -f "$K8S_CONFIG" ]; then
+    echo "Cluster config file $K8S_CONFIG not found; EXITING;";
+    exit 1;
+  fi
+
+  read -p "Provide keycloak namespace ( Default namespace: default ) : " NAMESPACE
+  if [ -z "$NAMESPACE" ]; then
+    NAMESPACE=default
+  fi
+
+  read -p "Provide directory location for export files ( Default Location: current directory ) : " EXPORT_DIR
+  if  [ -z "$EXPORT_DIR" ]; then
+    EXPORT_DIR="keycloak-export"
+  fi
+  mkdir -p $EXPORT_DIR && echo "Created Export Directory : $EXPORT_DIR"
+  if [ ! -d "$EXPORT_DIR" ]; then
+    echo "Directory Location $EXPORT_DIR not found; EXITING;";
+    exit 1;
+  fi
+
+  read -p "Provide \"No of users per file\" ( Default: 1000, Recommended value: total number of users ) : "  USERS_PER_FILE
+  if  [ -z "$USERS_PER_FILE" ]; then
+    USERS_PER_FILE=1000
+  fi
+
+  export KUBECONFIG=$K8S_CONFIG
+
+  echo "  CLUSTER CONFIG FILE : $KUBECONFIG"
+  echo "  NAMESPACE : $NAMESPACE"
+  echo "  EXPORT_DIR : $EXPORT_DIR"
+  echo "  NUMBER OF USERS PER FILE : $USERS_PER_FILE"
+
+  KEYCLOAK_POD_ID=$( kubectl -n $NAMESPACE get pods |awk '( !/init/ && !/postgresql/ ) && /keycloak/{print $1}'  | head -1  2>&1);
+
+  echo "  KEYCLOAK POD ID : $KEYCLOAK_POD_ID"
+
+  kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- mkdir -p /tmp/keycloak-export/;
+
+  echo "$(tput setaf 3)Press \"CTRL+C\" once after \"Export finished successfully\" is displayed !!! $(tput sgr0)"
+
+  kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- /opt/jboss/tools/docker-entrypoint.sh \
+  -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export \
+  -Dkeycloak.migration.provider=dir \
+  -Dkeycloak.migration.realmName=mosip \
+  -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES \
+  -Dkeycloak.migration.usersPerFile=$USERS_PER_FILE \
+  -Dkeycloak.migration.file=/tmp/keycloak-export/ | grep 'Export finished successfully'
+
+  kubectl -n $NAMESPACE exec -it $KEYCLOAK_POD_ID -- bash -c "cd tmp/keycloak-export/ && tar -czvf /tmp/keycloak-export.zip ." \
+  && echo "Zipped keycloak-export files as keycloak-export.zip inside the keycloak pod !!!"
+
+  kubectl cp $NAMESPACE/$KEYCLOAK_POD_ID:tmp/keycloak-export.zip   $EXPORT_DIR.zip \
+  && echo "Copied keycloal-export zip file from keycloak pod "
+
+  tar -xvzf $EXPORT_DIR.zip -C $EXPORT_DIR \
+  && echo "Unzipped keycloak-export file $EXPORT_DIR"
+
+  echo "Successfully exported keycloak realm data to location : $EXPORT_DIR/mosip-realm.json "
+  echo "Successfully exported keycloak users data to location : $EXPORT_DIR/mosip-users-*.json"
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+export_keycloak   # calling function