From fabd77aef531417a55747dac10fcdfa00fd2d0c9 Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Thu, 14 Dec 2023 09:46:07 +0200 Subject: [PATCH 1/5] docs: add network traffic notes --- docs/admin/kubernetes-ops/start-order.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/admin/kubernetes-ops/start-order.md b/docs/admin/kubernetes-ops/start-order.md index 65da5c400de..a814ef8a3be 100644 --- a/docs/admin/kubernetes-ops/start-order.md +++ b/docs/admin/kubernetes-ops/start-order.md @@ -8,4 +8,15 @@ tags: ## Service Start Order -![svg](../../assets/kubernetes-services-start-order.svg) \ No newline at end of file +![svg](../../assets/kubernetes-services-start-order.svg) + +## Network traffic between Jans services + +1. **Database Access:** all Jans services require access to the database. + +2. **Pod-2-Pod Communication:** Jans services communicate with each other as depicted. + + Most of this communication is external. Meaning it goes through the FQDN, instead of using the internal Kubernetes service address. + For example, a service would call the well-known for auth-server `https://FQDN/.well-known/openid-configuration`. + + We recommend to only keep the `.well-known` endpoints public and protect the rest. \ No newline at end of file From b2978f2f13e9d3088197f81177e81e9a7cb9f72c Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Thu, 14 Dec 2023 09:46:07 +0200 Subject: [PATCH 2/5] docs: add network traffic notes Signed-off-by: Amro Misbah --- docs/admin/kubernetes-ops/start-order.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/admin/kubernetes-ops/start-order.md b/docs/admin/kubernetes-ops/start-order.md index 65da5c400de..a814ef8a3be 100644 --- a/docs/admin/kubernetes-ops/start-order.md +++ b/docs/admin/kubernetes-ops/start-order.md 
@@ -8,4 +8,15 @@ tags: ## Service Start Order -![svg](../../assets/kubernetes-services-start-order.svg) \ No newline at end of file +![svg](../../assets/kubernetes-services-start-order.svg) + +## Network traffic between Jans services + +1. **Database Access:** all Jans services require access to the database. + +2. **Pod-2-Pod Communication:** Jans services communicate with each other as depicted. + + Most of this communication is external. Meaning it goes through the FQDN, instead of using the internal Kubernetes service address. + For example, a service would call the well-known for auth-server `https://FQDN/.well-known/openid-configuration`. + + We recommend to only keep the `.well-known` endpoints public and protect the rest. \ No newline at end of file From 71950820572d7160b79316da4ed74b4ca45a4b00 Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Thu, 14 Dec 2023 13:14:46 +0200 Subject: [PATCH 3/5] docs: add external communication Signed-off-by: Amro Misbah --- docs/admin/kubernetes-ops/start-order.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/admin/kubernetes-ops/start-order.md b/docs/admin/kubernetes-ops/start-order.md index a814ef8a3be..abafb7ab983 100644 --- a/docs/admin/kubernetes-ops/start-order.md +++ b/docs/admin/kubernetes-ops/start-order.md 
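Review bot: patch 2/5 is the same change as patch 1/5 (identical index `65da5c400de..a814ef8a3be` and identical hunk) with only the Signed-off-by trailer added; squash the two so the series does not apply the same hunk twice. On the hunk itself, the sentence "Most of this communication is external. Meaning it goes through the FQDN" is a fragment and, more importantly, leaves out the operational consequence a reader needs: if pods call `https://FQDN/.well-known/openid-configuration` rather than the internal service address, the ingress FQDN must resolve and be reachable from inside the cluster and its TLS certificate must be trusted by the pods, otherwise start-up of the dependent services fails. Suggest stating that explicitly next to the example URL.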
@@ -15,8 +15,8 @@ tags: 1. **Database Access:** all Jans services require access to the database. 2. **Pod-2-Pod Communication:** Jans services communicate with each other as depicted. - - Most of this communication is external. Meaning it goes through the FQDN, instead of using the internal Kubernetes service address. - For example, a service would call the well-known for auth-server `https://FQDN/.well-known/openid-configuration`. - - We recommend to only keep the `.well-known` endpoints public and protect the rest. \ No newline at end of file + +3. **External/Internet Communication**: + - Auth-server: should be publically accessible. + + - Rest of the pods: We recommend to only keep the `.well-known` endpoints public and protect the rest. From 3aa79b984e77b2df525c62d2d88b96404516cca0 Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Tue, 6 Feb 2024 13:42:24 +0200 Subject: [PATCH 4/5] docs: add jans-saml instructions Signed-off-by: Amro Misbah --- docs/admin/kubernetes-ops/jans-saml.md | 39 ++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 40 insertions(+) create mode 100644 docs/admin/kubernetes-ops/jans-saml.md diff --git a/docs/admin/kubernetes-ops/jans-saml.md b/docs/admin/kubernetes-ops/jans-saml.md new file mode 100644 index 00000000000..cda8b9dfaaf --- /dev/null +++ b/docs/admin/kubernetes-ops/jans-saml.md 
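Review bot: "publically" in `+   - Auth-server: should be publically accessible.` should be "publicly". This hunk also drops the only explanation of why the `.well-known` endpoints have to stay public (the removed lines said that services call `https://FQDN/.well-known/openid-configuration` through the external FQDN); without it, item 3 reads as an unmotivated rule, so keep one sentence of that rationale under "Rest of the pods". "protect the rest" also names no mechanism; say where that protection is expected to be applied (ingress path rules, network policy, or similar) so the reader knows what to configure.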
@@ -0,0 +1,39 @@ +--- +tags: + - administration + - kubernetes + - operations + - jans-saml + - keycloak +--- + +To deploy jans-saml/keycloak, you have to make the following changes in your `values.yaml`: + +```yaml +global: + saml: + enabled: true + ingress: + samlEnabled: true +config: + configmap: + kcDbVendor: mysql + kcDbUsername: keycloak + kcDbPassword: Test1234# + kcDbSchema: keycloak + kcDbUrlHost: mysql.kc.svc.cluster.local + kcDbUrlPort: 3306 + kcDbUrlDatabase: keycloak +``` + +You need a database as a backend for keycloak. + +If you provide a non-root MySQL user to Keycloak, you will encounter the following error and warnings: + +``` +SQLException: XAER_RMERR: Fatal error occurred in the transaction branch - check your data for consistency +WARNING - jans-saml - 2024-02-05 16:54:04,256 - Unable to grant XA_RECOVER_ADMIN privilege to 'keycloak' user; reason=Access denied; you need (at least one of) the GRANT OPTION privilege(s) for this operation +WARNING - jans-saml - 2024-02-05 16:54:04,256 - Got insufficient permission, please try using user with XA_RECOVER_ADMIN privilege and running the following query manually via MySQL client: "GRANT XA_RECOVER_ADMIN ON *.* TO 'keycloak'@'%'; FLUSH PRIVILEGES;" +``` + +To resolve this issue, it's necessary to adhere to the guidance provided in the logs. diff --git a/mkdocs.yml b/mkdocs.yml index 5eb87e7b9c5..dab3cd79e23 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -97,6 +97,7 @@ nav: - Health Check: admin/kubernetes-ops/health-check.md - TUI K8s: admin/kubernetes-ops/tui-k8s.md - Custom Attributes: admin/kubernetes-ops/custom-attributes.md + - Jans SAML/Keycloak: admin/kubernetes-ops/jans-saml.md - VM Operation Guide: - admin/vm-ops/README.md - Upgrade: admin/vm-ops/upgrade.md From a09e1179067bb3a5a20ac1375c1b2cc68ed740c6 Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Fri, 9 Feb 2024 02:50:39 +0200 Subject: [PATCH 5/5] docs: postgres backend option 
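Review bot: `kcDbPassword: Test1234#` is a literal credential in a copy-pasteable `values.yaml` block; label it as a placeholder that must be replaced and point to however the chart expects the Keycloak DB password to be supplied, rather than leaving a fixed value that will end up in real deployments and in git. The resolution sentence "adhere to the guidance provided in the logs" should instead quote the statement the warning already gives, `GRANT XA_RECOVER_ADMIN ON *.* TO 'keycloak'@'%'; FLUSH PRIVILEGES;`, and note two things the log lines make visible: it must be run by a user holding the GRANT OPTION (the warning says the `keycloak` user itself is denied), and it is a global privilege (`ON *.*`) granted to a wildcard host (`'%'`), so operators may want to restrict the host part to the cluster's address range. The example host `mysql.kc.svc.cluster.local` assumes a `kc` namespace; mark it as an example value.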
Signed-off-by: Amro Misbah --- docs/admin/kubernetes-ops/jans-saml.md | 31 ++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/docs/admin/kubernetes-ops/jans-saml.md b/docs/admin/kubernetes-ops/jans-saml.md index cda8b9dfaaf..03791cc1c66 100644 --- a/docs/admin/kubernetes-ops/jans-saml.md +++ b/docs/admin/kubernetes-ops/jans-saml.md @@ -7,7 +7,12 @@ tags: - keycloak --- -To deploy jans-saml/keycloak, you have to make the following changes in your `values.yaml`: + +Jans-SAML/Keycloak has the flexibility to be deployed using either MySQL or PostgreSQL as its backend. + +# MySQL + +Make the following changes in your `values.yaml`: ```yaml global: @@ -26,7 +31,6 @@ config: kcDbUrlDatabase: keycloak ``` -You need a database as a backend for keycloak. If you provide a non-root MySQL user to Keycloak, you will encounter the following error and warnings: @@ -37,3 +41,26 @@ WARNING - jans-saml - 2024-02-05 16:54:04,256 - Got insufficient permission, ple ``` To resolve this issue, it's necessary to adhere to the guidance provided in the logs. + + +# PostgreSQL + +Make the following changes in your `values.yaml`: + +```yaml +global: + saml: + enabled: true + ingress: + samlEnabled: true +config: + configmap: + kcDbVendor: postgres + kcDbUsername: keycloak + kcDbPassword: Test1234# + kcDbSchema: public + kcDbUrlHost: postgres.kc.svc.cluster.local + kcDbUrlPort: 5432 + kcDbUrlDatabase: keycloak + kcDbUrlProperties: "" +``` \ No newline at end of file
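Review bot: `kcDbUrlProperties: ""` appears only in the PostgreSQL block and not in the MySQL block added in patch 4/5; either add it to both or explain why it is PostgreSQL-specific, otherwise readers will assume the key is invalid for MySQL. The new `# MySQL` / `# PostgreSQL` headings are top-level while the rest of the kubernetes-ops pages (see `## Service Start Order` in patch 1/5) use `##` for sections; use `##` here too. The hunk at `@@ -7,7 +7,12 @@` also leaves two blank lines directly after the front matter before "Jans-SAML/Keycloak has the flexibility...", and the file again ends without a trailing newline; both are nits worth fixing in the same patch. The `global.saml` / `global.ingress` block is repeated verbatim in both backend sections; stating it once above the backend-specific `config.configmap` keys would shorten the page and avoid the two copies drifting.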