Skip to content

Kubernetes, Keycloak, PostgreSQL & Dirigible

This article is dedicated to the "production-ready" setup of Eclipse Dirigible in a Kubernetes cluster.

Overview

In this article we are going to use Kubernes cluster, Keycloak IAM and PostgreSQL database for setting up a productive Eclipse Dirigible development platform. The target Kubernetes deployment is shown bellow: Diagram

Kubernetes

is an open source system for automating deployment, scaling, and management of containerized applications in a cluster environment. You can read more about Kubernetes here.

Keycloak

is an open source Identity and Access Management system for applications and services. You can read more about Keycloak here.

PostgreSQL

is a powerful open source object-relational database system with over 30 years of active development that has earned it a strong reputation for reliability, feature robustness, and performance. You can read more about PostgreSQL here.

Eclipse Dirigible

is a Cloud Development Platform providing development tools and runtime environment. It supports full development life-cycle of on-demand applications by leveraging in-system programming models and rapid application development techniques. You can read more about Dirigible here.

Prerequisites

In this article we assume that you have already running productive Kubernetes Cluster and configured kubectl for it. If you don't have such, you can create one by using the GKE or the open-source Gardener project. Also we need a configured Helm (The Kubernetes Package Manager), if you don't have it, you can follow this installation guide.

Kubernetes Certificate Management Controller

cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, or a simple signing keypair. You can read more about the cert-manager here.

helm install --name cert-manager --namespace kube-system stable/cert-manager

We are going to use cert-manager for issuing certificates for our access points to the Keycloak Admin Console and Eclipse Dirigible IDE.

Namespaces and ClusterIssuer

auth.yaml

kind: Namespace
metadata:
  name: auth
...
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <your-email-address>
    privateKeySecretRef:
      name: letsencrypt-production
    http01: {}

Note: For testing purposes it's recommended to use the staging Let's Encrypt server.

The whole YAML is available here. Before creating the Kubernetes resources, you should replace the placeholders with the correct values.

kubectl create -f auth.yaml

Keycloak and PostgreSQL

keycloak.yaml

kind: StatefulSet
metadata:
  name: postgres
...
    spec:
      containers:
        - name: postgres
          image: postgres
          env:
            - name: PGDATA
              value: "/var/lib/postgresql/data/pgdata"
            - name: POSTGRES_USER
              value: "keycloak"
            - name: POSTGRES_PASSWORD
              value: "keycloak"
...
kind: Deployment
metadata:
  name: keycloak
...
    spec:
      containers:
      - name: keycloak
        image: jboss/keycloak
        env:
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: DB_VENDOR
          value: "postgres"
        - name: DB_USER
          value: "keycloak"
        - name: DB_PASSWORD
          value: "keycloak"
        - name: DB_ADDR
          value: "postgres-jdbc.auth"
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "admin"
...
kind: Ingress
metadata:
  name: keycloak
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-production"
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - keycloak.<your-domain-name>
    secretName: keycloak-production-letsencrypt
  rules:
    - host: keycloak.<your-domain-name>
...

Note: The maximum length of the host name (e.g. keycloak.YOUR-DOMAIN-NAME) used for issuing Let's Encrypt certificate is 63 symbols.

The whole YAML is available here. Before creating the Kubernetes resources, you should replace the placeholders with the correct values.

kubectl create -f keycloak.yaml

Dirigible and PostgreSQL

dirigible.yaml

kind: StatefulSet
metadata:
  name: postgres
...
    spec:
      containers:
        - name: postgres
          image: postgres
          env:
            - name: PGDATA
              value: "/var/lib/postgresql/data/pgdata"
            - name: POSTGRES_USER
              value: "dirigible"
            - name: POSTGRES_PASSWORD
              value: "dirigible"
...
kind: StatefulSet
metadata:
  name: dirigible
...
    spec:
      containers:
        - name: dirigible
          image: dirigiblelabs/dirigible-keycloak
          env:
            - name: DIRIGIBLE_DATABASE_PROVIDER
              value: "custom"
            - name: DIRIGIBLE_DATABASE_CUSTOM_DATASOURCES
              value: "POSTGRES"
            - name: POSTGRES_URL
              value: "jdbc:postgresql://postgres-jdbc.dirigible:5432/dirigible"
            - name: POSTGRES_USERNAME
              value: "dirigible"
            - name: POSTGRES_PASSWORD
              value: "dirigible"
            ...
            - name: KEYCLOAK_CONFIDENTIAL_PORT
              value: "443"
            - name: KEYCLOAK_SSL_REQUIRED
              value: "none"
            - name: KEYCLOAK_CLIENT_ID
              value: "dirigible"
            - name: KEYCLOAK_REALM
              value: "master"
            - name: KEYCLOAK_AUTH_SERVER_URL
              value: "https://keycloak.<your-domain-name>/auth"
...
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-production"
    kubernetes.io/ingress.class: "nginx"
  name: dirigible
  namespace: dirigible
spec:
  tls:
  - hosts:
    - ide.<your-domain-name>
    secretName: dirigible-certificate
  rules:
    - host: ide.<your-domain-name>

Note: The maximum length of the host name (e.g. ide.YOUR-DOMAIN-NAME) used for issuing Let's Encrypt certificate is 63 symbols.

The whole list of Eclipse Dirigible environment variables can be found here

The whole YAML is available here. Before creating the Kubernetes resources, you should replace the placeholders with the correct values.

kubectl create -f dirigible.yaml

Add Keycloak Client and Users

Open the Keycloak welcome page (https://keycloak.YOUR-DOMAIN-NAME) and click on the Admin Console, login with admin/admin credentials (see keycloak.yaml).

  1. Create new client named dirigible
  2. For the Root URL add Root URL: http://ide.YOUR-DOMAIN-NAME Create Keycloak Client
  3. Add Client Roles:
    • Everyone
    • Developer
    • Operator
  4. Create new user Create User
  5. Assign User's roles from the dirigible client
  6. Set password from the Credentials tab
  7. Open the Eclipse Dirigible IDE: http://ide.YOUR-DOMAIN-NAME/ and login with the credentials that were created previously in the Keycloak Admin Console. Login

The Keycloak documentation can be found here. Also you can find out how to enable Keycloak Social Login with GitHub here.

Credits