# Installing Soffid on Kubernetes Guide to show le installation process os Soffid IAM in Kubernetes # Installing IAM Console Guide to install IAM Console on Kubernetes. ## Prerequisites - Kubernetes - 8GB RAM - > 10GB disk space - [Supported database installed](https://bookstack.soffid.com/books/installation/page/initialize-database-on-kubernetes) ## Video Tutorial ### Linux ## Installation You can use the docker image described at [Installing IAM console using Docker](https://bookstack.soffid.com/books/installation/page/installing-iam-console-ef0 "Installing IAM Console"). Here you have a sample Kubernets YAML descriptor to deploy it. Mind that any certificate present in the folder /opt/soffid/iam-console-4/trustedcerts is considered as a trusted certificate. It is important to include the root syncserver certificate or any other certificate the console must connect with. Another aspect to be aware of is the DNS resolution cache implemented by the java virtual machine. Because pods and service names often change its IP address, it suggested to disable the DNS cache adding the **-Dsun.net.inetaddr.ttl=-1** parameter. ```YAML apiVersion: v1 kind: Secret metadata: name: trusted-certs data: syncserver: MIIC+TCCAeGgAwIBAgIGAWwFI+dWMA0GCSqGSIb3DQEBCwUAMDMxDzANBgNVBAMMBlJvb3RDQTEPMA0GA1UECwwGbWFzdGVyMQ8wDQYDVQQKDAZTb2ZmaWQwHhcNMTkwNzE3MTMwMjE0WhcNMjkwNzE4MTMwMjE0WjAzMQ8wDQYDVQQDDAZSb290Q0ExDzANBgNVBAsMBm1hc3RlcjEPMA0GA1UECgwGU29mZmlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArkRq5/Kq1a/WlI00xzuxj0CDaH/L3G01dN5tXEFMXnm4VgDaaQXEjxGL0HEO47flDWGvJckLxIHSgEtRaHTquLRYLfHwHw3S0CC/DqdYcMZGG7QkCHDfdGunIoRGvWOAYOaV0pSiqBsfXhqG/7R4Ux7kx7mWoRXHnTyWXZl6tlNl9k2fC47foI5uMsblB3bybNnzLw2JvdwC6I8bbzf1j38r98WevdzQMVYxn10CQjLz2ZN7irYpgHzaBPoZlwKNVBhf7Tke9TDWuGO5G2UXTpys3euyTFw82TeetNTydcVK8SpdGKMlN95Cj2pgwzzz9d+qaMbN0tJu2CuGO+TROwIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQApbPFO3fMlLOdvgx+O8w7JJyxOJNG+ogV7QH+ipxM6eyCWLI7euJbRSc7skR61Hw0H6Ka+ExFjHOqe0u/ysIg/ITlWTV6olaD8OpT3GKsZqhiQpBO6dKqPs8JcwMt4gBbQ7YxfYefk3OER6PUG9sk8OPMmdeF+jQu1bWijUNPB0qEPio+NWXc+SF0/Ij1DQF2sW9yDb5LvsbgrkQXewvp6eUJPpwHh+pGqNKKuHkwTCfu5cUtNBMAC6CQjjCm6CUy4BYxRcF3zfzjV2nK3zTeshF7wlK95ZMaC8IGYbYwZ86qT/x/PxX/qYOjRftSr6/Y58heYvfXLFM1pceQYVW9v star_soffid_com: MIIGcDCCBVigAwIBAgIRAOFY+IkZ+FTddCqKixlQEIMwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UEAxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTAeFw0xOTA2MTgwMDAwMDBaFw0yMTA2MTcyMzU5NTlaMFkxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2lsZGNhcmQxFTATBgNVBAMMDCouc29mZmlkLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKnDKURLcT1XfaMjmIU8QtxdhVe1XG1Oo4LrrEyUVBaAA/5RPcWrvkCIf2Kq6/JTBBxbwvJP1pHAninwTGLam2lNTL2jvlyYXC/oA0hqbRxDCBjkq7e7fj6R2rcFJcAx0jUiyzlfgZmP/QX+ju7KrJ33sR4DPAG47Xnz8XgWJMuXdoSvQ8NeaWNAUjK7Pt3vHB/QD40MAAisXuOq1w11R3MzEJv0nHgNPvxqGvVdHTDX5RwHoVEMEHF7lQY0Mh2oIejQgN+VPOJNJh6vd7HiVUlVLXop8qhjJQgy2DQS2VGTUBObTFTgD81UPKzZgRzlziU3RWimZMVgHjzDn9MmzkcCAwEAAaOCAvowggL2MB8GA1UdIwQYMBaAFI2MXsRUrYrhd+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBTPiYczqwQVFTogNEQydqg0WGGnwzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEBBHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wIwYDVR0RBBwwGoIMKi5zb2ZmaWQuY29tggpzb2ZmaWQuY29tMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWtpdk7pAAAEAwBHMEUCIQCyc83CoGLtckCrDEtAph3U/+XMqwkEPwqEgi9bu7xNBgIgKachYG2OED40K9pd9byRWUjy+BeV+5tVeN+I8JD48XoAdQBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWtpdk7+AAAEAwBGMEQCIFqjuu2Q/TTq48nkobC87nRfgE9FQmlUp4PI98U90ygJAiBoFsiy0kz2ZDNz+BeAVjqAj7UsnrNIv8vwG3V7rh6kxgB3AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABa2l2Tv4AAAQDAEgwRgIhAMLmnVu4rduXSiaC5pfbk6uQsceV6zEx1fgNjQXNupDwAiEAtCh5VG2lC6iWy0chA/PfC5ejmlgBAmHbYLxsr9uiOWwwDQYJKoZIhvcNAQELBQADggEBABqZ8Stnzkk/abCQTMjOhNsSswSZZ74mszAGrd+emh7/VhLeJ29AaoMiCF5j0uphx/t9id5UmKbqwuapo9E1NuAVQqDOV1N0wV4Awa2nEivbDcuDCTMX6VtOK3DnCnE9yLMdD6GF9xcwzsgz5wKXu2Dxwt4vw05KIM+4Myy91sEpifa62+qdzR/Vfbv6SqeL1IzTDyHMzEtBu/4jL189VeSkTVvdKGT1g6eAMHTX562z7jJgTH23c2zolCEj9YPd+KUbt6/OO+Pljsj0MeTzO1QImj2syqCE/O4tYyHOHOdHJcrVSP951nCu0bkH6MBUhFvgk8a6rjI8tcnZCpsdcNU= --- apiVersion: apps/v1 kind: Deployment metadata: name: soffid-console labels: app: soffid type: console spec: replicas: 1 selector: matchLabels: app: soffid type: console template: metadata: labels: app: soffid type: console spec: containers: - name: soffid-console image: soffid/iam-console:4.0.0-beta-8 imagePullPolicy: Always resources: limits: memory: 4Gi requests: memory: 2Gi volumeMounts: - name: trusted-certs-volume mountPath: /opt/soffid/iam-console-4/trustedcerts ports: - containerPort: 8080 env: - name: DB_USER value: soffid - name: DB_PASSWORD value: 5uper5ecret - name: JAVA_OPT value: "-Xmx4048m -Dsun.net.inetaddr.ttl=1" - name: DB_URL value: jdbc:mariadb://mariadb-service:3306/soffid imagePullSecrets: - name: regcred volumes: - name: trusted-certs-volume secret: secretName: trusted-certs --- apiVersion: v1 kind: Service metadata: name: iam-console-service spec: selector: app: soffid type: console type: loadBalancer ports: - name: web protocol: TCP port: 8080 targetPort: 8080 ``` ##### Linux commands Apply the YAML file with the defining Kubernetes resources ```shell kubectl apply -f syncserver.yaml ``` Check deployments ```shell kubectl get deployments ``` Check pods: you can check pods and their status ```shell kubectl get pods ``` View the IAM console log ``` kubectl logs ```

When the console is created, the password for the user *admin* will be *changeit* and it will be valid for 24 hours.

Now you can connect to Soffid Console [http://<Node-Ip>:<publish-port>/soffid](http://) The first thing you must do is to change the admin user password.

Next Step: [Installing Sync server](https://bookstack.soffid.com/books/installation/page/installing-sync-server-8f1 "Installing Sync server")

# Installing Sync server Guide to install Sync server on Kubernetes. ## Prerequisites Soffid IAM sync server requires the following requirements: - [Supported database installed](https://bookstack.soffid.com/books/installation/page/initialize-database "Initialize database") - [Soffid Console Installed](https://bookstack.soffid.com/books/installation/page/installing-iam-console-c16 "Installing IAM Console") ## Video Tutorial ### Linux ## Installation You can use the docker image described at [Installing Sync server using Docker](https://bookstack.soffid.com/books/installation/page/installing-sync-server-b3e "Installing Sync server"). Here you have a sample Kubernets YAML descriptor to deploy it. ```YAML # Secrets to store syncserver configuration apiVersion: v1 kind: Secret metadata: name: syncserver type: Opaque data: config: c3Nva20= --- # Service account for sync server apiVersion: v1 kind: ServiceAccount metadata: name: syncserver --- # Role to access the sync server kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: syncserver rules: - verbs: - get - update apiGroups: - '' resources: - deployments - pods/attach - secrets - secrets/syncserver --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: syncserver namespace: default subjects: - kind: ServiceAccount name: syncserver roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: syncserver --- apiVersion: apps/v1 kind: Deployment metadata: name: syncserver01 labels: app: soffid type: syncserver spec: replicas: 1 selector: matchLabels: app: soffid type: syncserver template: metadata: labels: app: soffid type: syncserver spec: serviceAccountName: syncserver containers: - name: syncserver image: soffid/iam-sync:4.0.0-beta-2 ports: - containerPort: 760 name: syncserver-port readinessProbe: initialDelaySeconds: 5 failureThreshold: 1 httpGet: path: /diag scheme: HTTPS port: 760 livenessProbe: initialDelaySeconds: 5 timeoutSeconds: 3 failureThreshold: 3 httpGet: path: /diag scheme: HTTPS port: 760 env: - name: DB_USER value: soffid - name: DB_PASSWORD value: 5uper5ecret - name: SOFFID_HOSTNAME value: syncserver01.cloud.soffid.com - name: SOFFID_MAIN value: "yes" - name: KUBERNETES_CONFIGURATION_SECRET value: "syncserver" - name: DB_URL value: jdbc:mariadb://mariadb-service/soffid --- apiVersion: v1 kind: Service metadata: name: syncserver spec: externalTrafficPolicy: Local type: LoadBalancer selector: app: soffid type: syncserver ports: - name: syncserver protocol: TCP port: 760 targetPort: 760 ``` If the syncserver pod is not available in 5 seconds, probably it will restart constantly and it will not be available. To solve this, change the sample Kubernetes YAML descriptor showed above like this: ``` livenessProbe: failureThreshold: 3 httpGet: path: /diag port: 761 scheme: HTTP initialDelaySeconds: 360 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 3 name: syncserver ports: - containerPort: 760 name: syncserver-port protocol: TCP readinessProbe: failureThreshold: 1 httpGet: path: /diag port: 761 scheme: HTTP initialDelaySeconds: 300 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 ``` #### Linux commands Apply the YAML file with the defining Kubernetes resources ```shell kubectl apply -f syncserver.yaml ``` Check deployments ```shell kubectl get deployments ``` Chek pods: you can check pods and their status ```shell kubectl get pods ``` View Sync server log ```shell kubectl logs ```

Now you can connect to the IAM console [http://<Node-Ip>:<publish-port>/soffid](http://%3Cnode-ip%3E%3Cpublish-port%3E/) and chek if Console and Syncserver are connected.

# How to copy to Kubernetes Secrets? When making any manual changes to the Sync server configuration files, it will be necessary to copy these changes to the Kubernetes secrets. **Command example**: ``` java -cp "/opt/soffid/iam-sync/bin/bootstrap.jar" com.soffid.iam.sync.bootstrap.KubernetesSaver ```

Since Soffid version 3.x, the certificates are automatically updated when the certificate end date is close and no manual actions are required.

# How to copy Sync Server Kube Conf to Database table? When you install soffid Sync server in kubernetes, a properties file is generated. If this file is not saved in a permanent storage, it could be lost during the Syns Server upgrade process. Here you are the steps to copy your Kube config to a data base table 1.- ```shell unset KUBERNETES_CONFIGURATION_SECRET ``` 2.- ```shell export DB_CONFIGURATION_TABLE=syncserver ``` 3.- ```shell java -cp "/opt/soffid/iam-sync/bin/bootstrap.jar:/opt/soffid/iam-sync/lib/mariadb-java-client-1.8.0.jar:/opt/soffid/iam-sync/lib/ojdbc10-19.18.0.0.jar:/opt/soffid/iam-sync/lib/postgresql-42.2.5.jre7.jar:/opt/soffid/iam-sync/lib/sqljdbc4-3.0.jar" com.soffid.iam.sync.bootstrap.KubernetesSaver ```