Установка в среде контейнеризации
Использование среды контейнеризации для оркестрации KeyCloak.SE позволяет гибко управлять конфигурацией, производить масштабирование в зависимости от нагрузки, а также устанавливать сопутствующие приложения.
Для установки приложения можно воспользоваться приведённым ниже скриптом. При необходимости значения переменных можно изменить вручную или использовать ansible template.
1.1. Для запуска данного скрипта необходимо подключиться к OpenShift через консоль:
# NOTE(review): --insecure-skip-tls-verify disables verification of the API server
# certificate; when the cluster CA is available, prefer --certificate-authority=<CA_FILE>.
# The password given with -p is visible in shell history and process listings.
oc login --insecure-skip-tls-verify <OPENSHIFT_HOST> -u <OPENSHIFT_LOGIN> -p <OPENSHIFT_PASSWORD>
1.2. Перейти в нужный namespace:
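# Select the project (namespace) in which the template objects are created.
# (Placeholder spelling fixed: NAMESPACE, not NAMESPASE.)
oc project "<NAMESPACE_NAME>"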
1.3. Запустите скрипт установки:
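# Render the template and apply the resulting objects; each -p overrides the
# parameter default declared in kcse-quarkus-template.yml.
# Secrets given on the command line end up in shell history and process
# listings -- prefer `oc process --param-file=<PARAM_FILE>` for those values.
# The TLS certificate and key are passed base64-encoded (e.g. `base64 -w0 tls.crt`)
# because the tls-secret object stores them under `data`; this also means no
# sample key pair has to be shipped as a template default.
# <registry-example.ru/kcse:latest>: prefer an immutable tag or digest over :latest.
oc process -f kcse-quarkus-template.yml \
-p KCSE_IMAGE=<registry-example.ru/kcse:latest> \
-p KEYCLOAK_ADMIN=admin \
-p KEYCLOAK_ADMIN_PASSWORD=<PASSWORD_EXAMPLE> \
-p KC_DB_URL_HOST=<db-host-example.ru> \
-p KC_DB_USERNAME=<db_user> \
-p KC_DB_URL_DATABASE=<db_name> \
-p KC_DB_SCHEMA=public \
-p KC_DB_PASSWORD=<DB_PASSWORD_EXAMPLE> \
-p KC_HTTPS_CERTIFICATE_FILE=<BASE64_TLS_CRT> \
-p KC_HTTPS_CERTIFICATE_KEY_FILE=<BASE64_TLS_KEY> \
-p HOSTNAME=<kcse-quarkus-namespace-example.apps.openshift-cluster.ru> \
-p NAMESPACE=<namespace-example> | oc apply -f -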
Содержимое файла kcse-quarkus-template.yml:
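---
# OpenShift Template for a single-replica KCSE (Keycloak, Quarkus distribution).
# Objects: tls-secret, db-secret, admin-secret, a Service on 8080/8443,
# a passthrough Route to 8443 and an apps/v1 Deployment.
# Process with: oc process -f kcse-quarkus-template.yml -p ... | oc apply -f -
kind: Template
apiVersion: template.openshift.io/v1
metadata:
  name: kcse-quarkus
  annotations:
    description: An example template for trying out Keycloak on OpenShift
    tags: kcse-quarkus
objects:
  # Server certificate and key for port 8443. The Route below is passthrough,
  # so this is the certificate clients actually see. `data` requires
  # base64-encoded PEM.
  - apiVersion: v1
    kind: Secret
    metadata:
      name: tls-secret
    data:
      tls.crt: '${KC_HTTPS_CERTIFICATE_FILE}'
      tls.key: '${KC_HTTPS_CERTIFICATE_KEY_FILE}'
    type: kubernetes.io/tls
  # Database credentials, injected into the container through secretKeyRef.
  - apiVersion: v1
    kind: Secret
    metadata:
      name: db-secret
    stringData:
      username: '${KC_DB_USERNAME}'  # e.g. postgres
      password: '${KC_DB_PASSWORD}'  # e.g. keycloak
    type: Opaque
  # Bootstrap admin credentials. Kept in a Secret like the DB credentials
  # instead of as plain `value:` entries in the Deployment, so they are not
  # readable by everyone who can read the Deployment spec.
  - apiVersion: v1
    kind: Secret
    metadata:
      name: admin-secret
    stringData:
      username: '${KEYCLOAK_ADMIN}'
      password: '${KEYCLOAK_ADMIN_PASSWORD}'
    type: Opaque
  - apiVersion: v1
    kind: Service
    metadata:
      name: '${APPLICATION_NAME}'
      labels:
        application: '${APPLICATION_NAME}'
      annotations:
        description: The web server's http port.
    spec:
      ports:
        - name: 8080-tcp
          port: 8080
          targetPort: 8080
          protocol: TCP
        - name: 8443-tcp
          port: 8443
          targetPort: 8443
          protocol: TCP
      selector:
        app: '${APPLICATION_NAME}'
  # Passthrough Route: TLS is terminated by Keycloak itself with tls-secret.
  # The top-level `id` field of the original was dropped; it is not part of
  # the Route schema.
  - apiVersion: v1
    kind: Route
    metadata:
      name: '${APPLICATION_NAME}'
      labels:
        application: '${APPLICATION_NAME}'
      annotations:
        description: Route for application's service.
    spec:
      host: '${HOSTNAME}'
      port:
        targetPort: 8443-tcp
      tls:
        termination: passthrough
        insecureEdgeTerminationPolicy: None
      to:
        name: '${APPLICATION_NAME}'
  - apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: '${APPLICATION_NAME}'
      labels:
        app: '${APPLICATION_NAME}'
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: '${APPLICATION_NAME}'
      strategy:
        type: RollingUpdate
      # The original `triggers: [ConfigChange]` was dropped: `triggers` is a
      # DeploymentConfig field and is not part of apps/v1 Deployment.
      template:
        metadata:
          name: '${APPLICATION_NAME}'
          labels:
            app: '${APPLICATION_NAME}'
        spec:
          imagePullSecrets:
            # Pull secret for the registry holding KCSE_IMAGE; must exist in
            # the target namespace.
            - name: docker-registry
          containers:
            - name: '${APPLICATION_NAME}'
              image: '${KCSE_IMAGE}'
              args:
                - '--verbose'
                - 'start'
              env:
                # NOTE(review): KC_DB_URL, KC_DB_POOL_MAX_SIZE,
                # KCSE_AUDIT_REST_ASYNC_LIMIT and KCSE_ENABLE_EVENTS_CONFIG are
                # referenced below but not declared under `parameters`. As far as
                # I know `oc process` leaves undeclared references untouched, so
                # these variables would carry the literal '${...}' text --
                # declare them (or drop the entries) once the image's
                # expectations are confirmed.
                # --- database ---
                - name: KC_DB
                  value: '${KC_DB}'
                - name: KC_DB_URL
                  value: '${KC_DB_URL}'
                - name: KC_DB_URL_PORT
                  value: '${KC_DB_URL_PORT}'
                - name: KC_DB_URL_PROPERTIES
                  value: '${KC_DB_URL_PROPERTIES}'
                - name: KC_DB_URL_HOST
                  value: '${KC_DB_URL_HOST}'
                - name: KC_DB_URL_DATABASE
                  value: '${KC_DB_URL_DATABASE}'
                - name: KC_DB_USERNAME
                  valueFrom:
                    secretKeyRef:
                      name: db-secret
                      key: username
                - name: KC_DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: db-secret
                      key: password
                - name: KC_DB_SCHEMA
                  value: '${KC_DB_SCHEMA}'
                - name: KC_DB_POOL_MAX_SIZE
                  value: '${KC_DB_POOL_MAX_SIZE}'
                # --- bootstrap admin (from admin-secret) ---
                - name: KEYCLOAK_ADMIN
                  valueFrom:
                    secretKeyRef:
                      name: admin-secret
                      key: username
                - name: KEYCLOAK_ADMIN_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: admin-secret
                      key: password
                # --- KCSE SMS integration ---
                - name: KCSE_SMS_SERVICE_ADDR
                  value: '${KCSE_SMS_SERVICE_ADDR}'
                - name: KCSE_SMS_AUTH_SERVICE_ADDR
                  value: '${KCSE_SMS_AUTH_SERVICE_ADDR}'
                - name: KCSE_SMS_AUTH_CLIENT_ID
                  value: '${KCSE_SMS_AUTH_CLIENT_ID}'
                # Secret value still passed inline; candidate for a secretKeyRef
                # like the credentials above.
                - name: KCSE_SMS_AUTH_CLIENT_SECRET
                  value: '${KCSE_SMS_AUTH_CLIENT_SECRET}'
                # --- KCSE audit (REST proxy / Kafka) ---
                - name: KCSE_AUDIT_REST_PROXY_URL
                  value: '${KCSE_AUDIT_REST_PROXY_URL}'
                - name: KCSE_AUDIT_REST_METAMODEL_NAME
                  value: '${KCSE_AUDIT_REST_METAMODEL_NAME}'
                - name: KCSE_AUDIT_REST_METAMODEL_VERSION
                  # Was '${KCSE_AUDIT_REST_METAMODEL_NAME}' (copy-paste), which set
                  # the version to the metamodel name.
                  value: '${KCSE_AUDIT_REST_METAMODEL_VERSION}'
                - name: KCSE_AUDIT_REST_ASYNC_LIMIT
                  value: '${KCSE_AUDIT_REST_ASYNC_LIMIT}'
                - name: KCSE_AUDIT_PROPERTY_NAMES
                  value: '${KCSE_AUDIT_PROPERTY_NAMES}'
                - name: KCSE_AUDIT_BOOTSTRAP_SERVER
                  value: '${KCSE_AUDIT_BOOTSTRAP_SERVER}'
                - name: KCSE_AUDIT_BUFFER
                  value: '${KCSE_AUDIT_BUFFER}'
                - name: KCSE_AUDIT_MOCKMODE
                  value: '${KCSE_AUDIT_MOCKMODE}'
                - name: KCSE_AUDIT_MODE
                  value: '${KCSE_AUDIT_MODE}'
                - name: KCSE_AUDIT_NODE
                  value: '${KCSE_AUDIT_NODE}'
                - name: KCSE_AUDIT_MODULE
                  value: '${KCSE_AUDIT_MODULE}'
                - name: KCSE_AUDIT_SOURCE_SYSTEM
                  value: '${KCSE_AUDIT_SOURCE_SYSTEM}'
                - name: KCSE_AUDIT_SECURITY_PROTOCOL
                  value: '${KCSE_AUDIT_SECURITY_PROTOCOL}'
                # Secret values still passed inline; candidates for secretKeyRef.
                - name: KCSE_AUDIT_KEYSTORE_PASSWORD
                  value: '${KCSE_AUDIT_KEYSTORE_PASSWORD}'
                - name: KCSE_AUDIT_TRUSTSTORE_PASSWORD
                  value: '${KCSE_AUDIT_TRUSTSTORE_PASSWORD}'
                # --- hostname / TLS ---
                - name: KC_HOSTNAME
                  value: '${HOSTNAME}'
                # Paths inside the tls-cert volume mount (tls-secret).
                - name: KC_HTTPS_CERTIFICATE_FILE
                  value: '/opt/keycloak/conf/tls/tls.crt'
                - name: KC_HTTPS_CERTIFICATE_KEY_FILE
                  value: '/opt/keycloak/conf/tls/tls.key'
                - name: KCSE_ENABLE_EVENTS_CONFIG
                  value: '${KCSE_ENABLE_EVENTS_CONFIG}'
                # The keystore/truststore paths below live under the `tmp`
                # emptyDir mounted at /tmp; presumably the image populates them
                # at start-up -- verify.
                - name: KC_HTTPS_KEY_STORE_FILE
                  value: /tmp/kcse/opt/keycloak/conf/keystores/https-keystore.jks
                - name: KC_HTTPS_KEY_STORE_TYPE
                  value: JKS
                - name: KC_HTTPS_TRUST_STORE_FILE
                  value: /tmp/kcse/opt/keycloak/conf/keystores/https-keystore.jks
                - name: KC_SPI_TRUSTSTORE_FILE_FILE
                  value: /tmp/kcse/opt/keycloak/conf/keystores/https-keystore.jks
                - name: KC_HTTPS_TRUST_STORE_TYPE
                  value: JKS
                - name: KC_HOSTNAME_VERIFICATION_POLICY
                  # ANY turns off hostname verification for outbound TLS if the
                  # image honours this variable -- confirm it is intended outside
                  # test environments.
                  value: ANY
                - name: KCSE_TRUSTED_CERTS
                  # No volume is mounted at /secrets in this template -- confirm
                  # where the image expects the trusted certificates to come from.
                  value: /secrets/trusted_certs
                - name: KC_HTTP_RELATIVE_PATH
                  value: '/auth'
                - name: KC_PROXY
                  # 'edge' makes Keycloak trust X-Forwarded-* headers. With the
                  # passthrough Route above the router does not terminate TLS and
                  # cannot set those headers, so they could only come from a
                  # sidecar or the client itself -- confirm the proxy mode matches
                  # the real ingress path.
                  value: 'edge'
                # --- theme / SPI switches ---
                - name: KC_SPI_THEME_DEFAULT
                  value: 'platform-v'
                - name: KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN
                  value: 'true'
                - name: KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI
                  value: 'true'
                - name: KC_SPI_BRUTE_FORCE_PROTECTOR_EXTENDED_BRUTE_FORCE_DETECTOR_ENABLED
                  value: 'true'
                - name: KC_SPI_BRUTE_FORCE_PROTECTOR_DEFAULT_BRUTE_FORCE_DETECTOR_ENABLED
                  value: 'false'
                - name: KC_SPI_ACCOUNT_PASSWORD_FREEMARKER_ENABLED
                  value: 'true'
                - name: KC_SPI_ACCOUNT_FREEMARKER_ENABLED
                  value: 'false'
                - name: KC_SPI_LOGIN_LOGIN_FREEMARKER_ENABLED
                  value: 'true'
                - name: KC_SPI_LOGIN_FREEMARKER_ENABLED
                  value: 'false'
                - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE
                  value: 'false'
                - name: KC_CACHE
                  value: 'ispn'
                - name: KC_HEALTH_ENABLED
                  value: 'true'
                - name: KC_METRICS_ENABLED
                  value: 'true'
              ports:
                - containerPort: 8080
                  protocol: TCP
                - containerPort: 8443
                  protocol: TCP
              # Health endpoints are served over plain HTTP on 8080; the very
              # high failure thresholds mean a broken pod is restarted /
              # removed from the Service only after a long time.
              livenessProbe:
                httpGet:
                  path: /auth/health/live
                  port: 8080
                  scheme: HTTP
                initialDelaySeconds: 60
                failureThreshold: 100
              readinessProbe:
                httpGet:
                  path: /auth/health/ready
                  port: 8080
                  scheme: HTTP
                initialDelaySeconds: 30
                failureThreshold: 300
              resources:
                limits:
                  cpu: 1
                  memory: 2Gi
                requests:
                  cpu: 500m
                  memory: 512Mi
              securityContext:
                allowPrivilegeEscalation: false
                privileged: false
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                # Mandatory starting with Platform V IAM SE 1.8.1 for OSE and k8s.
                runAsGroup: 20003
                capabilities:
                  drop:
                    - ALL
              volumeMounts:
                - name: tls-cert
                  mountPath: /opt/keycloak/conf/tls
                  readOnly: true
                - name: empty
                  mountPath: /tmp/keycloak/data  # since Platform V IAM SE 2.0.0
                - name: tmp
                  mountPath: /tmp
                - name: logs
                  mountPath: /kcse-logs
          volumes:
            - name: tls-cert
              secret:
                secretName: tls-secret
            - name: empty
              emptyDir: {}
            - name: tmp
              emptyDir: {}
            - name: logs
              emptyDir: {}
parameters:
  - name: APPLICATION_NAME
    displayName: Application Name
    description: The name for the application.
    value: kcse-quarkus
    required: true
  - name: KCSE_IMAGE
    displayName: KCSE image
    description: Image reference; prefer an immutable tag or digest over :latest.
    required: true
  - name: KEYCLOAK_ADMIN
    displayName: Keycloak Administrator Username
    description: Keycloak Server administrator username
    generate: expression
    from: '[a-zA-Z0-9]{8}'
    required: true
  - name: KEYCLOAK_ADMIN_PASSWORD
    displayName: Keycloak Administrator Password
    description: Keycloak Server administrator password
    generate: expression
    # Generated only when no -p value is supplied; was {8}, which is short for
    # an admin password.
    from: '[a-zA-Z0-9]{16}'
    required: true
  - name: HOSTNAME
    displayName: Custom Route Hostname
    description: >-
      Custom hostname for the service route. Leave blank for default hostname,
      e.g.: <application-name>-<namespace>.<default-domain-suffix>
  - name: NAMESPACE
    displayName: Namespace used for DNS discovery
    # Not referenced by any object in this template; kept for the caller's sake.
    description: >-
      This namespace is a part of DNS query sent to Kubernetes API. This query
      allows the DNS_PING protocol to extract cluster members. This parameter
      might be removed once https://issues.jboss.org/browse/JGRP-2292 is
      implemented.
    required: true
  # The SMS and audit defaults below are sample values for the mock setup
  # (mock SMS service, MOCKMODE=true, localhost Kafka); override all of them,
  # in particular the client secret and the keystore passwords, in any real
  # environment.
  - name: KCSE_SMS_SERVICE_ADDR
    displayName: KCSE_SMS_SERVICE_ADDR
    description: KCSE_SMS_SERVICE_ADDR
    value: 'http://develop-mock-service:8181/sendSMS'
    required: true
  - name: KCSE_SMS_AUTH_SERVICE_ADDR
    displayName: KCSE_SMS_AUTH_SERVICE_ADDR
    description: KCSE_SMS_AUTH_SERVICE_ADDR
    value: 'http://localhost:8080/realms/master/protocol/openid-connect/token/'
    required: true
  - name: KCSE_SMS_AUTH_CLIENT_ID
    displayName: KCSE_SMS_AUTH_CLIENT_ID
    description: KCSE_SMS_AUTH_CLIENT_ID
    value: 'testSmsClient'
    required: true
  - name: KCSE_SMS_AUTH_CLIENT_SECRET
    displayName: KCSE_SMS_AUTH_CLIENT_SECRET
    description: KCSE_SMS_AUTH_CLIENT_SECRET (sample value, override)
    value: 'AQ0bgoixKqj45GuFAlTL1meCkdEGxWKK'
    required: true
  - name: KCSE_AUDIT_REST_PROXY_URL
    displayName: KCSE_AUDIT_REST_PROXY_URL
    description: KCSE_AUDIT_REST_PROXY_URL
    value: 'http://<ip.addres:port>/audit2-platform4-stub-1.0.0-SNAPSHOT/v1/event/'
    required: true
  - name: KCSE_AUDIT_REST_METAMODEL_NAME
    value: kcse-events-to-audit-by-rest
  - name: KCSE_AUDIT_REST_METAMODEL_VERSION
    value: '1'
  - name: KCSE_AUDIT_PROPERTY_NAMES
    displayName: KCSE_AUDIT_PROPERTY_NAMES
    description: KCSE_AUDIT_PROPERTY_NAMES
    value: 'kafka.producer.bootstrap.servers,buffer.maxSize,mockMode'
    required: true
  - name: KCSE_AUDIT_BOOTSTRAP_SERVER
    displayName: KCSE_AUDIT_BOOTSTRAP_SERVER
    description: KCSE_AUDIT_BOOTSTRAP_SERVER
    value: 'localhost:9092'
    required: true
  - name: KCSE_AUDIT_BUFFER
    displayName: KCSE_AUDIT_BUFFER
    description: KCSE_AUDIT_BUFFER
    value: '10000'
    required: true
  - name: KCSE_AUDIT_MOCKMODE
    # displayName/description said MODEMODE (typo).
    displayName: KCSE_AUDIT_MOCKMODE
    description: KCSE_AUDIT_MOCKMODE
    value: 'true'
    required: true
  - name: KCSE_AUDIT_MODE
    displayName: KCSE_AUDIT_MODE
    description: KCSE_AUDIT_MODE
    value: 'async'
    required: true
  - name: KCSE_AUDIT_NODE
    displayName: KCSE_AUDIT_NODE
    description: KCSE_AUDIT_NODE
    value: 'testnode.platformid'
    required: true
  - name: KCSE_AUDIT_MODULE
    displayName: KCSE_AUDIT_MODULE
    description: KCSE_AUDIT_MODULE
    value: 'PLID'
    required: true
  - name: KCSE_AUDIT_SOURCE_SYSTEM
    displayName: KCSE_AUDIT_SOURCE_SYSTEM
    description: KCSE_AUDIT_SOURCE_SYSTEM
    value: 'PlatformId'
    required: true
  - name: KCSE_AUDIT_SECURITY_PROTOCOL
    displayName: KCSE_AUDIT_SECURITY_PROTOCOL
    description: KCSE_AUDIT_SECURITY_PROTOCOL
    value: 'SSL'
    required: true
  - name: KCSE_AUDIT_KEYSTORE_PASSWORD
    displayName: KCSE_AUDIT_KEYSTORE_PASSWORD
    description: KCSE_AUDIT_KEYSTORE_PASSWORD (sample value, override)
    value: 'zaq12345678'
    required: true
  - name: KCSE_AUDIT_TRUSTSTORE_PASSWORD
    displayName: KCSE_AUDIT_TRUSTSTORE_PASSWORD
    description: KCSE_AUDIT_TRUSTSTORE_PASSWORD (sample value, override)
    value: 'zaq12345678'
    required: true
  - name: KC_DB
    displayName: KC_DB
    description: KC_DB
    value: 'postgres'
    required: true
  - name: KC_DB_URL_HOST
    displayName: KC_DB_URL_HOST
    description: KC_DB_URL_HOST
    required: true
  - name: KC_DB_URL_PORT
    displayName: KC_DB_URL_PORT
    description: KC_DB_URL_PORT
    value: '5432'
    required: true
  - name: KC_DB_URL_DATABASE
    displayName: KC_DB_URL_DATABASE
    description: KC_DB_URL_DATABASE
    required: true
  - name: KC_DB_USERNAME
    displayName: KC_DB_USERNAME
    description: KC_DB_USERNAME
    required: true
  - name: KC_DB_PASSWORD
    displayName: KC_DB_PASSWORD
    description: KC_DB_PASSWORD
    required: true
  - name: KC_DB_SCHEMA
    displayName: KC_DB_SCHEMA
    description: KC_DB_SCHEMA
    value: 'public'
    required: true
  - name: KC_DB_URL_PROPERTIES
    displayName: KC_DB_URL_PROPERTIES
    # Sample value: disables TLS on the database connection.
    description: KC_DB_URL_PROPERTIES
    value: '?ssl=false&sslmode=disable'
    required: true
  # The TLS material has no default any more: the original shipped a sample
  # certificate and private key as defaults, so every installation that did
  # not override them served the same publicly documented key. Pass the
  # base64-encoded PEM files explicitly.
  - name: KC_HTTPS_CERTIFICATE_FILE
    displayName: KC_HTTPS_CERTIFICATE_FILE
    description: Base64-encoded PEM server certificate for tls-secret (tls.crt)
    required: true
  - name: KC_HTTPS_CERTIFICATE_KEY_FILE
    displayName: KC_HTTPS_CERTIFICATE_KEY_FILE
    description: Base64-encoded PEM private key for tls-secret (tls.key)
    required: true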
Отличие установки в DropApp
В файле kcse.all.conf должны быть установлены следующие параметры:
# SecurityContext values required so that volumes are mounted and usable and
# the container starts.
# Example for K8S:
kcse.k8s.deployment.spec.template.spec.securityContext.fsGroup=20003
kcse.k8s.deployment.spec.template.spec.securityContext.runAsUser=10003
kcse.k8s.deployment.spec.template.spec.securityContext.runAsGroup=20003
# Example for OSE (fsGroup and runAsUser are left empty -- presumably so the
# platform assigns them; confirm against the target cluster):
kcse.k8s.deployment.spec.template.spec.securityContext.fsGroup=
kcse.k8s.deployment.spec.template.spec.securityContext.runAsUser=
kcse.k8s.deployment.spec.template.spec.securityContext.runAsGroup=20003
# front settings
kcse.k8s.front.hostEnabled=true
kcse.k8s.front.host=kcse-domain.ru
В файле kcse.istio.all.conf должны быть установлены следующие параметры:
# Type of Service Mesh in use:
# ossm - Red Hat OpenShift Service Mesh
# ssm - Synapse Service Mesh
kcse.k8s.istio.type=ssm
# control plane
kcse.k8s.istio.istioControlPlane=syn-cp-02
# control plane (istiod) service
kcse.k8s.istio.istioControlPlaneIstiodService=istiod-syn-cp-02
# SSM uses third-party-jwt, OSSM uses first-party-jwt; example:
kcse.k8s.istio.deployment.spec.template.spec.containers.istioProxy.env.jwtPolicy=third-party-jwt
# fsGroup, required so that volumes are mounted and usable;
# on OSE the field is left empty. Example for DropApp:
kcse.k8s.istio.deployment.spec.template.spec.securityContext.fsGroup=20003
kcse.k8s.istio.deployment.spec.template.spec.securityContext.runAsUser=10003
kcse.k8s.istio.deployment.spec.template.spec.securityContext.runAsGroup=20003
В файле kcse.gossiprouter.conf должны быть установлены следующие параметры:
# Example for DAP:
gossiprouter.k8s.deployment.spec.template.spec.securityContext.fsGroup=20003
gossiprouter.k8s.deployment.spec.template.spec.securityContext.runAsUser=10003
gossiprouter.k8s.deployment.spec.template.spec.securityContext.runAsGroup=20003
# For OSE (fsGroup and runAsUser left empty, as in kcse.all.conf):
gossiprouter.k8s.deployment.spec.template.spec.securityContext.fsGroup=
gossiprouter.k8s.deployment.spec.template.spec.securityContext.runAsUser=
gossiprouter.k8s.deployment.spec.template.spec.securityContext.runAsGroup=20003
Описание конфигурационных параметров приведено на странице «Настройка конфигурационных параметров».
После параметризации свойств этих документов необходимо запустить процедуру развертывания (Deployment) в среде контейнеризации.
После запуска Pods необходимо проверить работоспособность приложения согласно url, прописанному в Routes для данного приложения.
По этому URL должна открыться консоль администратора.
Чек-лист валидации установки в среде контейнеризации
После параметризации свойств этих документов запущен Deployment в среде контейнеризации;
По url, прописанному в Routes для данного приложения, открывается консоль администратора.
