Prerequisites: Istio should be installed on your cluster with the demo profile. You may need to add istioctl to you $PATH variable.
istioctl install --set profile=demo
Please refer to the istio documentation for more information.
-You will also need cfssl installed on your system: sudo apt install golang-cfssl
Please refer to the K8s documentation: Manage TLS Certificates in a Cluster
The deployments have been implemented and tested using minikube.
If you are not using minikube, references to "minikube ip" should be changed to the appropiate value for you host.
+The ipAddresses field in cluster-issuer.yaml not referring to the generic localhost ip should be changed to your own ip.
To replicate these tests you will need to setup the various host path referenced in the yaml files on your own machine.
chartmuseum.yaml: path: /var/chartmuseum/charts
-keycloak.yaml: path: /var/keycloak/certs
postgres.yaml: path: "/var/keycloak/data2"
-rapps-keycloak-mgr.yaml: path: /var/rapps/certs
-rapps-webhook.yaml: "-hostPath", "/var/rapps/certs"
or change them to match your own setup.
-The certs directory contains 3 shell scripts for creating the server, client and webhook certs: server_certs.sh, client_certs.sh and webhook_certs.sh
-Keystores/Truststores generated by the server_certs.sh script: server.keystore and server.truststore go in the "/var/keycloak/certs" directory
-Certs generated by the client_certs.sh script: client.crt, client.key and rootCA.crt go in the "/var/rapps/certs" directory
-The webhook_certs.sh script generates certs for use in the MutatingWebhookConfiguration.yaml and the rapps-webhook.yaml files.
-To configure MutatingWebhookConfiguration.yaml run the following commands:
-1. ca_pem_b64="$(openssl base64 -A <"./certs/ca.pem")"
-2. sed -i 's/${CA_PEM_B64}/'"$ca_pem_b64"'/g' MutatingWebhookConfiguration.yaml
-
-To configure rapps-webhook.yaml append the rapps-webhook-tls.yaml file to the end of it
-1. cat rapps-webhook.yaml ./certs/rapps-webhook-tls.yaml >> rapps-webhook.yaml.tmp
-2. mv rapps-webhook.yaml.tmp rapps-webhook.yaml
-
Create the istio-nonrtric namespace and enable it for istio injection
kubectl create ns istio-nonrtric
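Review bot: The deleted webhook steps (the "ca_pem_b64=..." / "sed -i 's/${CA_PEM_B64}/...'" pair for MutatingWebhookConfiguration.yaml and the append of rapps-webhook-tls.yaml to rapps-webhook.yaml) have no counterpart in the added lines, so the README no longer says how the webhook's CA bundle and TLS material get populated. Add a sentence naming what supplies them now, or state that the manual step is gone because the manifests no longer need it. The unchanged line "Please refer to the K8s documentation: Manage TLS Certificates in a Cluster" followed the removed cfssl prerequisite and now has nothing to refer to, so drop or reword it. The added ipAddresses sentence would be easier to follow if it named the value to use, for example the output of "minikube ip" that the preceding line already mentions.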
helm package rapp-helloworld-invoker2
scp -i $(minikube ssh-key) rapp-helloworld-invoker2-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts
+Start cert-manager using the following command:
+ ./cert-manager.sh deploy
-Start keycloak and postgres in the default namespace with istio injection:
+Copy keycloak client certs into the istio-nonrtric namespace by running:
+ ./copy_tls_secret.sh -n cm-keycloak-client-certs -s default -d istio-nonrtric
-Run ./keycloak.sh deploy
+Start keycloak and postgres in the default namespace with istio injection by running:
+
+ ./keycloak.sh deploy
To start the management pods run:
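Review bot: The added "./copy_tls_secret.sh -n cm-keycloak-client-certs -s default -d istio-nonrtric" step follows "./cert-manager.sh deploy" with no instruction to confirm that the secret already exists in the default namespace, so a reader who runs the commands back to back may copy nothing or hit an error. State whether cert-manager.sh waits for the certificate to be issued, or add a check such as "kubectl get secret cm-keycloak-client-certs -n default" before the copy. The -n, -s and -d flags are also not explained here; one line describing them (secret name, source namespace, destination namespace, as the wording suggests) would help. Since the step duplicates client TLS material into a second namespace, the README should say which workloads in istio-nonrtric are expected to read it.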
You can also uninstall individual rapp using the undeploy_rapp.sh script.
e.g. ./undeploy_rapp.sh rapp-helloworld-provider
-Remove postgres and keycloak with the following commands:
+Remove postgres and keycloak with the following command:
./keycloak.sh undeploy
+
+Remove cert-manager with the following command:
+ ./cert-manager.sh undeploy
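Review bot: The teardown section now removes keycloak and cert-manager, but nothing here removes the copy of "cm-keycloak-client-certs" that the deploy section places in the istio-nonrtric namespace, so client certificate material can outlive the issuer that created it. Add a step that deletes that secret, or state that deleting the istio-nonrtric namespace is the intended cleanup. Minor: the new "Remove cert-manager" block is separated from the keycloak command by an added blank line while the other command blocks in this section are not, so pick one spacing.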