Installing Soffid on Kubernetes
Guide to the installation process of Soffid IAM on Kubernetes
- Installing IAM Console
- Installing Sync server
- How to copy to Kubernetes Secrets?
- How to copy Sync Server Kube Conf to Database table?
Installing IAM Console
Guide to install IAM Console on Kubernetes.
Prerequisites
- Kubernetes
- 8GB RAM
- > 10GB disk space
- Supported database installed
Installation
You can use the Docker image described at Installing IAM console using Docker. Here you have a sample Kubernetes YAML descriptor to deploy it.
Mind that any certificate present in the folder /opt/soffid/iam-console-3/trustedcerts is considered a trusted certificate. It is important to include the root Sync server certificate and the certificate of any other service the console must connect to.
Another aspect to be aware of is the DNS resolution cache implemented by the Java virtual machine. Because pods and services often change their IP address, it is suggested to disable the DNS cache by adding the -Dsun.net.inetaddr.ttl=1 parameter (a TTL of one second, as in the descriptor below; a value of -1 would instead make the JVM cache resolved addresses forever).
apiVersion: v1
kind: Secret
metadata:
  name: trusted-certs
data:
  syncserver: 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
  star_soffid_com: MIIGcDCCBVigAwIBAgIRAOFY+IkZ+FTddCqKixlQEIMwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UEAxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTAeFw0xOTA2MTgwMDAwMDBaFw0yMTA2MTcyMzU5NTlaMFkxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2lsZGNhcmQxFTATBgNVBAMMDCouc29mZmlkLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKnDKURLcT1XfaMjmIU8QtxdhVe1XG1Oo4LrrEyUVBaAA/5RPcWrvkCIf2Kq6/JTBBxbwvJP1pHAninwTGLam2lNTL2jvlyYXC/oA0hqbRxDCBjkq7e7fj6R2rcFJcAx0jUiyzlfgZmP/QX+ju7KrJ33sR4DPAG47Xnz8XgWJMuXdoSvQ8NeaWNAUjK7Pt3vHB/QD40MAAisXuOq1w11R3MzEJv0nHgNPvxqGvVdHTDX5RwHoVEMEHF7lQY0Mh2oIejQgN+VPOJNJh6vd7HiVUlVLXop8qhjJQgy2DQS2VGTUBObTFTgD81UPKzZgRzlziU3RWimZMVgHjzDn9MmzkcCAwEAAaOCAvowggL2MB8GA1UdIwQYMBaAFI2MXsRUrYrhd+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBTPiYczqwQVFTogNEQydqg0WGGnwzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEBBHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wIwYDVR0RBBwwGoIMKi5zb2ZmaWQuY29tggpzb2ZmaWQuY29tMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWtpdk7pAAAEAwBHMEUCIQCyc83CoGLtckCrDEtAph3U/+XMqwkEPwqEgi9bu7xNBgIgKachYG2OED40K9pd9byRWUjy+BeV+5tVeN+I8JD48XoAdQBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWtpdk7+AAAEAwBGMEQCIFqjuu2Q/TTq48nkobC87nRfgE9FQmlUp4PI98U90ygJAiBoFsiy0kz2ZDNz+BeAVjqAj7UsnrNIv8vwG3V7rh6kxgB3AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABa2l2Tv4AAAQDAEgwRgIhAMLmnVu4rduXSiaC5pfbk6uQsceV6zEx1fgNjQXNupDwAiEAtCh5VG2lC6iWy0chA/PfC5ejmlgBAmHbYLxsr9uiOWwwDQYJKoZIhvcNAQELBQADggEBABqZ8Stnzkk/abCQTMjOhNsSswSZZ74mszAGrd+emh7/VhLeJ29AaoMiCF5j0uphx/t9id5UmKbqwuapo9E1NuAVQqDOV1N0wV4Awa2nEivbDcuDCTMX6VtOK3DnCnE9yLMdD6GF9xcwzsgz5wKXu2Dxwt4vw05KIM+4Myy91sEpifa62+qdzR/Vfbv6SqeL1IzTDyHMzEtBu/4jL189VeSkTVvdKGT1g6eAMHTX562z7jJgTH23c2zolCEj9YPd+KUbt6/OO+Pljsj0MeTzO1QImj2syqCE/O4tYyHOHOdHJcrVSP951nCu0bkH6MBUhFvgk8a6rjI8tcnZCpsdcNU=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: soffid-console
  labels:
    app: soffid
    type: console
spec:
  replicas: 1
  selector:
    matchLabels:
      app: soffid
      type: console
  template:
    metadata:
      labels:
        app: soffid
        type: console
    spec:
      containers:
      - name: soffid-console
        image: soffid/iam-console:3.0.0
        imagePullPolicy: Always
        resources:
          limits:
            memory: 4Gi
          requests:
            memory: 2Gi
        volumeMounts:
        - name: trusted-certs-volume
          mountPath: /opt/soffid/iam-console-3/trustedcerts
        ports:
        - containerPort: 8080
        env:
        - name: DB_USER
          value: soffid
        - name: DB_PASSWORD
          value: 5uper5ecret
        - name: JAVA_OPT
          value: "-Xmx4048m -Dsun.net.inetaddr.ttl=1"
        - name: DB_URL
          value: jdbc:mariadb://mariadb-service:3306/soffid
      imagePullSecrets:
      - name: regcred
      volumes:
      - name: trusted-certs-volume
        secret:
          secretName: trusted-certs
---
apiVersion: v1
kind: Service
metadata:
  name: iam-console-service
spec:
  selector:
    app: soffid
    type: console
  # Service types are case-sensitive: "loadBalancer" is rejected by the API server
  type: LoadBalancer
  ports:
  - name: web
    protocol: TCP
    port: 8080
    targetPort: 8080
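The two points made above the descriptor (what ends up in the trusted-certs Secret, and the JVM DNS cache TTL) can be checked before applying the YAML. The following POSIX shell helpers are an added example, not part of the Soffid documentation: the certificate directory, file names and the JAVA_OPT strings are assumptions.

```shell
#!/bin/sh
# Added example (not from Soffid): emit the data entries of the trusted-certs
# Secret from a directory of certificate files, and check that JAVA_OPT does
# not pin the JVM DNS cache forever.

# Turn a file name into a valid Secret data key ([-._a-zA-Z0-9] only), so a
# wildcard certificate file such as "*.soffid.com" does not break the manifest.
secret_key_for() {
  printf '%s' "$1" | sed -e 's/^\*/star/' -e 's/[^-._a-zA-Z0-9]/_/g'
}

# Print one "  key: <base64 of file>" line per regular file in DIR; the base64
# output is re-joined onto a single line, which is what the data: map expects.
trusted_certs_data() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    key=$(secret_key_for "$(basename "$f")")
    printf '  %s: %s\n' "$key" "$(base64 < "$f" | tr -d '\n')"
  done
}

# Return 0 when JAVA_OPT sets sun.net.inetaddr.ttl to a non-negative value.
# -1 means "cache forever", the opposite of what changing pod IPs need; an
# unset property leaves the JVM default in place and is reported as well.
java_dns_cache_ok() {
  ttl=$(printf '%s' "$1" | sed -n 's/.*-Dsun\.net\.inetaddr\.ttl=\([-0-9]*\).*/\1/p')
  case "$ttl" in
    ''|-*) return 1 ;;
    *) return 0 ;;
  esac
}
```

Paste the output of trusted_certs_data under the data: key of the Secret above; the file names become the file names mounted in /opt/soffid/iam-console-3/trustedcerts.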
Linux commands
Apply the YAML file defining the Kubernetes resources
kubectl apply -f <your-console-yaml-file>
Check deployments
kubectl get deployments
Check pods: you can check pods and their status
kubectl get pods
View the IAM console log
kubectl logs <your-pod-iamconsole-name>
When the console is created, the password for the user admin will be changeit, and it will be valid for 24 hours.
Now you can connect to the Soffid Console at http://<Node-Ip>:<publish-port>/soffid. The first thing you must do is change the admin user password.
Next Step: Installing Sync server
Installing Sync server
Guide to install Sync server on Kubernetes.
Prerequisites
The Soffid IAM Sync server has the following prerequisites:
Installation
You can use the Docker image described at Installing Sync server using Docker. Here you have a sample Kubernetes YAML descriptor to deploy it.
# Secrets to store syncserver configuration
apiVersion: v1
kind: Secret
metadata:
  name: syncserver
type: Opaque
data:
  config: c3Nva20=
---
# Service account for sync server
apiVersion: v1
kind: ServiceAccount
metadata:
  name: syncserver
---
# Role to access the sync server
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: syncserver
rules:
# The sync server only needs to read and rewrite its own configuration Secret,
# so the rule is restricted to that Secret by name
- apiGroups:
  - ''
  resources:
  - secrets
  resourceNames:
  - syncserver
  verbs:
  - get
  - update
- apiGroups:
  - ''
  resources:
  - pods/attach
  verbs:
  - get
  - update
# Deployments belong to the apps API group, not to the core group
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: syncserver
  namespace: default
subjects:
- kind: ServiceAccount
  name: syncserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: syncserver
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: syncserver01
  labels:
    app: soffid
    type: syncserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: soffid
      type: syncserver
  template:
    metadata:
      labels:
        app: soffid
        type: syncserver
    spec:
      serviceAccountName: syncserver
      containers:
      - name: syncserver
        image: soffid/iam-sync:3.0.0
        ports:
        - containerPort: 760
          name: syncserver-port
        readinessProbe:
          initialDelaySeconds: 5
          failureThreshold: 1
          httpGet:
            path: /diag
            scheme: HTTPS
            port: 760
        livenessProbe:
          initialDelaySeconds: 5
          timeoutSeconds: 3
          failureThreshold: 3
          httpGet:
            path: /diag
            scheme: HTTPS
            port: 760
        env:
        - name: DB_USER
          value: soffid
        - name: DB_PASSWORD
          value: 5uper5ecret
        - name: SOFFID_HOSTNAME
          value: syncserver01.cloud.soffid.com
        - name: SOFFID_MAIN
          value: "yes"
        - name: KUBERNETES_CONFIGURATION_SECRET
          value: "syncserver"
        - name: DB_URL
          value: jdbc:mariadb://mariadb-service/soffid
---
apiVersion: v1
kind: Service
metadata:
  name: syncserver
spec:
  externalTrafficPolicy: Local
  type: LoadBalancer
  selector:
    app: soffid
    type: syncserver
  ports:
  - name: syncserver
    protocol: TCP
    port: 760
    targetPort: 760
Linux commands
Apply the YAML file defining the Kubernetes resources
kubectl apply -f syncserver.yaml
Check deployments
kubectl get deployments
Check pods: you can check pods and their status
kubectl get pods
View Sync server log
kubectl logs <your-pod-syncserver-name>
Now you can connect to the IAM console at http://<Node-Ip>:<publish-port>/soffid and check whether the Console and the Sync server are connected.
How to copy to Kubernetes Secrets?
When making any manual changes to the Sync server configuration files, it is necessary to copy these changes to the Kubernetes Secret.
Command example:
java -cp "/opt/soffid/iam-sync/bin/bootstrap.jar" com.soffid.iam.sync.bootstrap.KubernetesSaver
Soffid version 3.x renews the certificates automatically when the certificate end date is close, so no manual action is required.
How to copy Sync Server Kube Conf to Database table?
When you install the Soffid Sync server in Kubernetes, a properties file is generated. If this file is not saved in permanent storage, it could be lost during the Sync server upgrade process.
Here are the steps to copy your Kube config to a database table
1.-
unset KUBERNETES_CONFIGURATION_SECRET
2.-
export DB_CONFIGURATION_TABLE=syncserver
3.-
java -cp "/opt/soffid/iam-sync/bin/bootstrap.jar:/opt/soffid/iam-sync/lib/mariadb-java-client-1.8.0.jar:/opt/soffid/iam-sync/lib/ojdbc10-19.18.0.0.jar:/opt/soffid/iam-sync/lib/postgresql-42.2.5.jre7.jar:/opt/soffid/iam-sync/lib/sqljdbc4-3.0.jar" com.soffid.iam.sync.bootstrap.KubernetesSaver
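The KubernetesSaver invocations above (copy to the Kubernetes Secret, and copy to the database table) differ only in the environment and the classpath. The following POSIX shell helper is an added example, not part of Soffid: it builds the classpath from whatever JDBC drivers are present in /opt/soffid/iam-sync/lib instead of hardcoding driver versions, and it assumes that KubernetesSaver picks up the DB_* variables from the Sync server pod environment, which the page does not state.

```shell
#!/bin/sh
# Added example (not from Soffid): one helper for both KubernetesSaver targets.
# SOFFID_SYNC_HOME defaults to the install path used on this page.
SOFFID_SYNC_HOME=${SOFFID_SYNC_HOME:-/opt/soffid/iam-sync}

# Classpath: bootstrap.jar plus every JDBC driver found in lib/, so an upgrade
# that ships a newer driver does not silently break the command.
saver_classpath() {
  home=$1
  classpath="$home/bin/bootstrap.jar"
  for jar in "$home"/lib/mariadb-java-client-*.jar "$home"/lib/ojdbc*.jar \
             "$home"/lib/postgresql-*.jar "$home"/lib/sqljdbc*.jar; do
    [ -f "$jar" ] && classpath="$classpath:$jar"
  done
  printf '%s' "$classpath"
}

# "secret": keep the configuration in the Secret named by
#           KUBERNETES_CONFIGURATION_SECRET (must already be set, as in the pod).
# "db":     copy it into the DB_CONFIGURATION_TABLE table instead; the Secret
#           variable is unset first so the saver cannot pick the wrong target.
# Assumption: the saver uses the pod's DB_URL / DB_USER / DB_PASSWORD for "db".
save_syncserver_config() {
  target=$1
  case "$target" in
    secret)
      : "${KUBERNETES_CONFIGURATION_SECRET:?set it to the Secret name, e.g. syncserver}"
      ;;
    db)
      unset KUBERNETES_CONFIGURATION_SECRET
      export DB_CONFIGURATION_TABLE=${DB_CONFIGURATION_TABLE:-syncserver}
      ;;
    *)
      echo "usage: save_syncserver_config secret|db" >&2
      return 2
      ;;
  esac
  java -cp "$(saver_classpath "$SOFFID_SYNC_HOME")" \
    com.soffid.iam.sync.bootstrap.KubernetesSaver
}

# Only run when a target is given, so sourcing this file has no side effects.
if [ "${1:-}" = "secret" ] || [ "${1:-}" = "db" ]; then
  save_syncserver_config "$1"
fi
```

Run it inside the Sync server pod (for example via kubectl exec) as ./save.sh db to perform steps 1 to 3 above in one go.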