We need to install the following software:
- Helm + Minikube
- Keycloak
- portal microservices
- RemoteDesktop / Jupyter instances
https://github.com/panosc-portal/helm-charts/tree/master/panosc-portal-demo
https://confluence.panosc.eu/pages/viewpage.action?pageId=10879127
Please follow the instructions line by line!
Install Helm: see https://helm.sh/docs/intro/install/
on Ubuntu:
curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
sudo apt-get install apt-transport-https --yes
echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm
Install Minikube: see https://minikube.sigs.k8s.io/docs/start/
on Ubuntu:
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube_latest_amd64.deb
sudo dpkg -i minikube_latest_amd64.deb
Install kubectl (the Kubernetes command-line client): https://kubernetes.io/docs/tasks/tools/install-kubectl/
on Ubuntu:
sudo apt-get update && sudo apt-get install -y apt-transport-https gnupg2 curl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubectl
minikube start
kubectl get po -A
minikube dashboard #(!!! web interface to minikube)
kubectl create deployment hello-minikube --image=k8s.gcr.io/echoserver:1.4
kubectl expose deployment hello-minikube --type=NodePort --port=8080
kubectl port-forward service/hello-minikube 7080:8080
then check http://localhost:7080/whateveritis
Clean up:
kubectl delete service hello-minikube
kubectl delete deployment hello-minikube
Check the output of the command:
kubectl cluster-info
The IP address it provides will later be referred to as Yourk8sMaster.
The bare IP address is easier to get with minikube ip
Install Keycloak: see https://www.keycloak.org/docs/latest/server_installation/#installation
- distribution files (localhost installation)
https://www.keycloak.org/downloads #'keycloak-12.0.4.[zip|tar.gz]'
tar xvzf keycloak-12.0.4.tar.gz
keycloak-12.0.4/bin$ ./standalone.sh # check if it works
keycloak-12.0.4/bin$ ./add-user.sh # add the admin user
A Keycloak user in the Management Realm (= admin) can be added either via the Keycloak web interface (localhost port 8080, see below) in the Administration Console (leftmost panel) or from the command line with add-user.sh, like so:
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a):
Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : panosc
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
- The password should be different from the username
- The password should not be one of the following restricted values {root, admin, administrator}
- The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
Password :
WFLYDM0101: Password should have at least 1 digit.
Are you sure you want to use the password entered yes/no? yes
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
About to add user 'panosc' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'panosc' to file '/scratch/panosc-dev/keycloak-12.0.4/standalone/configuration/mgmt-users.properties'
Added user 'panosc' to file '/scratch/panosc-dev/keycloak-12.0.4/domain/configuration/mgmt-users.properties'
Added user 'panosc' with groups to file '/scratch/panosc-dev/keycloak-12.0.4/standalone/configuration/mgmt-groups.properties'
Added user 'panosc' with groups to file '/scratch/panosc-dev/keycloak-12.0.4/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no
Only after an admin user (named "panosc" here) has been created by either method do we log in to the HAL management console (localhost, port 9990) with exactly these admin credentials and carry out the following steps with the panosc realm etc.
(a) keycloak -
http://127.0.0.1:9990 # HAL Management Console
http://127.0.0.1:8080 # Keycloak (create new keycloak admin user+pass when first connected)
on Keycloak Admin console:
- New realm: panosc
In panosc realm:
- new user: <USERNAME>
  Concretely:
  Users -> Add user -> panosc_keycloak : panosc_pwd
  user <USERNAME>:
  - EmailVerification:off (to have immediately a fully enabled account)
  - user credentials: set password
  - temporary:off (to have immediately a fully enabled account)
- new client: <CLIENT_ID>
- new client scope: openid
  add openid as optional client scope to client <CLIENT_ID>
  Clients -> Client Scopes -> Optional Client Scopes: button: Add selected
  Concretely:
  CLIENT_ID = panosc_portal
https://www.appsdeveloperblog.com/keycloak-client-credentials-grant-example/
curl --location --request POST 'http://localhost:8080/auth/realms/panosc/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=<CLIENT_ID>' --data-urlencode 'scope=openid' --data-urlencode 'grant_type=password' --data-urlencode 'username=<USERNAME>' --data-urlencode 'password=<USERPASSWORD>'
Concretely:
curl --location --request POST 'http://localhost:8080/auth/realms/panosc/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=panosc_portal' --data-urlencode 'scope=openid' --data-urlencode 'grant_type=password' --data-urlencode 'username=panosc_keycloak' --data-urlencode 'password=panosc_pwd'
Install socat if necessary.
socat tcp-listen:8090,reuseaddr,fork tcp:localhost:8080 &
ifconfig # check for <KEYCLOAK_EXTERNAL_IP>
curl --location --request POST 'http://<KEYCLOAK_EXTERNAL_IP>:8090/auth/realms/panosc/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=<CLIENT_ID>' --data-urlencode 'scope=openid' --data-urlencode 'grant_type=password' --data-urlencode 'username=<USERNAME>' --data-urlencode 'password=<USERPASSWORD>'
<YourLoginField> (the username) is set here by default to 'preferred_username'. Check it in Keycloak under Client Scopes > profile > Mappers > username > Token Claim Name, or by copying the id_token generated above to https://jwt.ms/#id_token=...
The decoded token shall look similar to:
Clone the repositories:
git clone https://github.com/panosc-portal/api-service-client-cli
git clone https://github.com/panosc-portal/api-service
git clone https://github.com/panosc-portal/account-service-client-cli
git clone https://github.com/panosc-portal/cloud-service-client-cli
git clone https://github.com/panosc-portal/cloud-service
git clone https://github.com/panosc-portal/cloud-provider-client-cli
git clone https://github.com/panosc-portal/frontend
git clone https://github.com/panosc-portal/account-service
git clone https://github.com/panosc-portal/cloud-provider-kubernetes
git clone https://github.com/panosc-portal/simple-notebook-client
git clone https://github.com/panosc-portal/desktop-service-web-test-client
git clone https://github.com/panosc-portal/desktop-service
git clone https://github.com/panosc-portal/microservices-integration-test
git clone https://github.com/panosc-portal/helm-charts
git clone https://github.com/panosc-portal/remote-desktop-test-image
git clone https://github.com/panosc-portal/notebook-service-web-test-client
git clone https://github.com/panosc-portal/notebook-service
helm repo add panosc-portal https://panosc-portal.github.io/helm-charts/
helm repo update
kubectl create namespace panosc-portal #<YourExistentNamespace>
The installation command template (<YourOpenIDDiscoveryEndpoint> is served from <KEYCLOAK_EXTERNAL_IP>):
helm install <YourReleaseName> panosc-portal/panosc-portal-demo \
--set global.kubernetesMasterHostname=<Yourk8sMaster> \
--set account-service.idp.url=<YourOpenIDDiscoveryEndpoint> \
--set account-service.idp.clientId=<YourClientID> \
--set account-service.idp.loginField=<YourLoginField> \
-n <YourExistentNamespace>
e.g.:
helm install panosc-portal panosc-portal/panosc-portal-demo \
--set global.kubernetesMasterHostname=192.168.49.2 \
--set account-service.idp.url=http://131.169.212.94:8090/auth/realms/panosc/.well-known/openid-configuration \
--set account-service.idp.clientId=PanoscPortal \
--set account-service.idp.loginField=preferred_username \
-n panosc-portal
Now wait until the portal is up and running (check on minikube dashboard)
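To check the values passed as account-service.idp.loginField and account-service.idp.url against an id_token without pasting the token into a website, the token payload can be decoded locally. This is an added example, not part of the original instructions or the portal's code; the sample token is constructed, and the function names are hypothetical.

```shell
# Inspect an id_token locally. Decoding does NOT verify the signature;
# use it only to look at claims of a token you obtained yourself.

# base64url -> bytes: swap the URL-safe alphabet back and restore '=' padding.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print one string claim from the payload (second dot-separated part).
# The sed pattern handles compact JSON with plain string values only.
jwt_claim() {
    case "$1" in *.*.*) ;; *) return 1 ;; esac
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload" |
        sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# OIDC Discovery: the issuer is the discovery URL without
# /.well-known/openid-configuration, and the token's iss must equal it.
issuer_matches() {
    expected=${2%/.well-known/openid-configuration}
    [ "$(jwt_claim "$1" iss)" = "$expected" ]
}

# Constructed sample token (placeholder signature), built at run time.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
HDR=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
PAY=$(b64url_encode '{"iss":"http://localhost:8080/auth/realms/panosc","preferred_username":"panosc_keycloak"}')
SAMPLE_TOKEN="$HDR.$PAY.constructed-signature"

# The login field claim the portal will read:
jwt_claim "$SAMPLE_TOKEN" preferred_username
# A token fetched via localhost:8080 compared with the URL given to helm:
issuer_matches "$SAMPLE_TOKEN" \
    'http://131.169.212.94:8090/auth/realms/panosc/.well-known/openid-configuration' \
    || echo "iss differs from the issuer behind account-service.idp.url"
```

With a real token, pass the id_token field of the curl response to jwt_claim in place of SAMPLE_TOKEN.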
Install Node.js: see https://github.com/nodesource/distributions/blob/master/README.md
on Ubuntu / Debian
curl -sL https://deb.nodesource.com/setup_15.x | sudo -E bash -
sudo apt-get install -y nodejs
on RedHat
curl -fsSL https://rpm.nodesource.com/setup_15.x | bash -
# remove an existing version, if any: yum remove nodejs -y
yum install nodejs -y
Go to the api-service-client-cli repo and install Node components:
cd api-service-client-cli
npm install
In the same api-service-client-cli folder create a file config.json with the following content:
{
"idp": {
"url": "http://<KEYCLOAK_EXTERNAL_IP>:8090/auth/realms/panosc/protocol/openid-connect/token",
"clientId": "<CLIENT_ID>"
}
}
Allow an external (local) client to connect to the api-service running in Kubernetes on the default port 3000 (check the namespace!):
kubectl port-forward -n <YourExistentNamespace> service/api-service 3000:3000
bin/run user-instance:list #provide <USERNAME> and <USERPASSWORD> if requested for obtaining a token
bin/run user-instance:add #(select e.g plan jupyer_small and name it jupytersmall)