From 0404946a39a09bd11356451eedba403cd478acd9 Mon Sep 17 00:00:00 2001
From: Jens Reimann
Date: Wed, 20 Nov 2024 15:20:36 +0100
Subject: [PATCH] feat: add CRC deployment

---
 README.md | 48 ++++++++++++++++++-----
 values-crc.yaml | 12 ++++++
 values-ocp-no-aws.yaml | 87 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 138 insertions(+), 9 deletions(-)
 create mode 100644 values-crc.yaml
 create mode 100644 values-ocp-no-aws.yaml

diff --git a/README.md b/README.md
index 3ae44fe..10dd318 100644
--- a/README.md
+++ b/README.md
@@ -24,17 +24,21 @@ Use it as default:
 kubectl config set-context --current --namespace=trustify
 ```
 
-Install the infrastructure services:
+Evaluate the application domain:
 
 ```bash
 APP_DOMAIN=.$(minikube ip).nip.io
+```
+
+Install the infrastructure services:
+
+```bash
 helm upgrade --install --dependency-update -n trustify infrastructure charts/trustify-infrastructure --values values-minikube.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
 ```
 
 Then deploy the application:
 
 ```bash
-APP_DOMAIN=.$(minikube ip).nip.io
 helm upgrade --install -n trustify trustify charts/trustify --values values-minikube.yaml --set-string appDomain=$APP_DOMAIN
 ```
 
@@ -47,24 +51,50 @@ kind create cluster --config kind/config.yaml
 kubectl apply -f https://kind.sigs.k8s.io/examples/ingress/deploy-ingress-nginx.yaml
 ```
 
+The rest works like the `minikube` approach. The `APP_DOMAIN` is different though:
+
+```bash
+APP_DOMAIN=.$(kubectl get node kind-control-plane -o jsonpath='{.status.addresses[?(@.type == "InternalIP")].address}' | awk '// { print $1 }').nip.io
+```
+
+### CRC
+
+Create a new cluster:
+
+```bash
+crc start --cpus 8 --memory 32768 --disk-size 80
+```
+
 Create a new namespace:
 
 ```bash
-kubectl create ns trustify
+oc new-project trustify
 ```
 
-Use it as default:
+Evaluate the application domain:
 
 ```bash
-kubectl config set-context --current --namespace=trustify
+APP_DOMAIN=-trustify.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')
 ```
 
-Install the infrastructure services:
+Provide the trust anchor:
 
 ```bash
-APP_DOMAIN=.$(kubectl get node kind-control-plane -o jsonpath='{.status.addresses[?(@.type == "InternalIP")].address}' | awk '// { print $1 }').nip.io
-helm upgrade --install --dependency-update -n trustify infrastructure charts/trustify-infrastructure --values values-minikube.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
-helm upgrade --install -n trustify trustify charts/trustify --values values-minikube.yaml --set-string appDomain=$APP_DOMAIN
+oc get secret -n openshift-ingress router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d > tls.crt
+oc create configmap crc-trust-anchor --from-file=tls.crt -n trustify
+rm tls.crt
+```
+
+Deploy the infrastructure:
+
+```bash
+helm upgrade --install --dependency-update -n trustify infrastructure charts/trustify-infrastructure --values values-ocp-no-aws.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
+```
+
+Deploy the application:
+
+```bash
+helm upgrade --install -n trustify trustify charts/trustify --values values-ocp-no-aws.yaml --set-string appDomain=$APP_DOMAIN --values values-crc.yaml
 ```
 
 ## From a released chart
diff --git a/values-crc.yaml b/values-crc.yaml
new file mode 100644
index 0000000..b9783e3
--- /dev/null
+++ b/values-crc.yaml
@@ -0,0 +1,12 @@
+tls:
+  additionalTrustAnchor: /etc/trust-anchor/tls.crt
+
+extraVolumes:
+  - name: trust-anchor
+    configMap:
+      name: crc-trust-anchor
+
+extraVolumeMounts:
+  - name: trust-anchor
+    readOnly: true
+    mountPath: /etc/trust-anchor
diff --git a/values-ocp-no-aws.yaml b/values-ocp-no-aws.yaml
new file mode 100644
index 0000000..21d2b5a
--- /dev/null
+++ b/values-ocp-no-aws.yaml
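Review bot: The `crc-trust-anchor` ConfigMap referenced under `extraVolumes` is created by hand (`oc create configmap crc-trust-anchor --from-file=tls.crt` in the README's CRC section), and nothing in this file records that coupling: the ConfigMap name and the `tls.crt` key must match both that command and `tls.additionalTrustAnchor`, or the pod fails to mount or trusts nothing. Because the ConfigMap is a static copy of the router certificate, it also has to be re-created whenever that certificate changes, otherwise the application keeps trusting a stale anchor. I would add above `extraVolumes`: `# Static copy of the CRC router certificate; create it with the oc commands in README ("Provide the trust anchor") and re-create it whenever that certificate changes. The key name tls.crt must match tls.additionalTrustAnchor.` The `readOnly: true` mount is the right choice for a trust anchor.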
@@ -0,0 +1,87 @@
+appDomain: change-me
+
+ingress:
+  className: openshift-default
+
+storage:
+  filesystem:
+    size: 32Gi
+
+database:
+  host: infrastructure-postgresql
+  port: "5432"
+  name: trustify
+  username: trustify
+  password: trustify1234
+
+createDatabase:
+  name: postgres
+  username: postgres
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: infrastructure-postgresql
+        key: postgres-password
+
+migrateDatabase:
+  username: postgres
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: infrastructure-postgresql
+        key: postgres-password
+
+modules:
+  createDatabase:
+    enabled: true
+  migrateDatabase:
+    enabled: true
+
+## Infrastructure Charts
+
+keycloak:
+  enabled: true
+  production: true
+  proxy: reencrypt
+  podSecurityContext:
+    enabled: false
+  containerSecurityContext:
+    enabled: false
+  auth:
+    adminUser: admin
+    adminPassword: admin123456 # notsecret
+  tls:
+    enabled: true
+    existingSecret: sso-tls
+    usePem: true
+  service:
+    annotations:
+      service.beta.openshift.io/serving-cert-secret-name: sso-tls
+  ingress:
+    enabled: true
+    ingressClassName: openshift-default
+    servicePort: https
+    annotations:
+      route.openshift.io/termination: reencrypt
+  postgresql:
+    primary:
+      containerSecurityContext:
+        enabled: false
+      podSecurityContext:
+        enabled: false
+
+postgresql:
+  enabled: false # see remark in Chart.yaml
+
+oidc:
+  clients:
+    frontend: { }
+    walker:
+      clientSecret:
+        value: 5460cc91-4e20-4edd-881c-b15b169f8a79 # notsecret
+    testingUser:
+      clientSecret:
+        value: 0e6bf990-43b4-4efb-95d7-b24f2b94a525 # notsecret
+    testingManager:
+      clientSecret:
+        value: ca48053c-3b82-4650-a98d-4cace7f2d567 # notsecret
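Review bot: `database.password: trustify1234` is a plaintext credential committed in a values file, and unlike `adminPassword` and the OIDC client secrets in the same hunk it carries no `# notsecret` marker, so secret scanners will flag it and a reader cannot tell whether it is a throw-away development value. The `createDatabase` and `migrateDatabase` blocks right below already read the PostgreSQL password via `valueFrom.secretKeyRef`; if the chart accepts that form for `database.password` as well (not visible from this hunk), sourcing it from the `infrastructure-postgresql` Secret would be preferable to a literal, and at minimum it should be marked consistently: `password: trustify1234 # notsecret`. Separately, the four `podSecurityContext`/`containerSecurityContext: enabled: false` entries under `keycloak` deserve a why-comment, e.g. `# OpenShift SCCs assign the UID/fsGroup; the chart's hard-coded contexts would be rejected` — presumably that is the reason, but it should be confirmed. `appDomain: change-me` is a placeholder the README overrides with `--set-string appDomain=$APP_DOMAIN`; a comment saying so, `# overridden on the command line, see README`, would prevent a deployment with the literal value.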