Kubernetes Resources for deployment of WSO2 Identity Server

Core Kubernetes resources for a clustered deployment of WSO2 Identity Server.

(Diagram: a clustered deployment of WSO2 Identity Server)


Prerequisites

  • In order to use WSO2 Kubernetes resources, you need an active WSO2 subscription. If you do not already have one, you can sign up for a WSO2 Free Trial Subscription on the WSO2 website.

  • Install Git and a Kubernetes client (kubectl) compatible with Kubernetes v1.10 in order to run the steps in the following quick start guide.

  • A running Kubernetes cluster.

  • A pre-configured Network File System (NFS) to be used as the persistent volume for artifact sharing and persistence. In the NFS server instance, create a Linux system user account named wso2carbon with user id 802 and a system group named wso2 with group id 802. Add the wso2carbon user to the group wso2.

groupadd --system -g 802 wso2
useradd --system -g 802 -u 802 wso2carbon

Quick Start Guide

In the context of this document, KUBERNETES_HOME will refer to a local copy of the wso2/kubernetes-is Git repository.

1. Clone the Kubernetes Resources for WSO2 Identity Server Git repository:
git clone https://github.com/wso2/kubernetes-is.git
2. Create a namespace named wso2 and a service account named wso2svc-account, within the namespace wso2.
kubectl create namespace wso2
kubectl create serviceaccount wso2svc-account -n wso2

Then, switch the context to the new wso2 namespace.

kubectl config set-context $(kubectl config current-context) --namespace=wso2
3. Create a Kubernetes Secret for pulling the required Docker images from WSO2 Docker Registry:

Create a Kubernetes Secret named wso2creds in the cluster to authenticate with the WSO2 Docker Registry, to pull the required images.

kubectl create secret docker-registry wso2creds --docker-server=docker.wso2.com --docker-username=<WSO2_USERNAME> --docker-password=<WSO2_PASSWORD> --docker-email=<WSO2_USERNAME>

WSO2_USERNAME: Your WSO2 username
WSO2_PASSWORD: Your WSO2 password

Because the password is passed as a command-line argument, it is recorded in your shell history and is visible in the process list while kubectl runs; clear the history entry afterwards, or create the Secret from a manifest instead.

Please see Kubernetes official documentation for further details.
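The following Python script is an added example and not part of the wso2/kubernetes-is repository. It builds the same kubernetes.io/dockerconfigjson Secret that kubectl create secret docker-registry produces, but as a manifest generated from environment variables, so the registry password never appears on a command line. The variable names WSO2_USERNAME and WSO2_PASSWORD, the file name make_pull_secret.py and the sample credentials are assumptions for the example.

```python
"""Build the wso2creds image pull Secret as a manifest instead of on the command line.

Added example, not part of wso2/kubernetes-is. `kubectl create secret docker-registry`
takes the password as an argument (shell history, `ps`); this script reads it from the
environment (WSO2_USERNAME / WSO2_PASSWORD, names chosen for the example) and emits a
kubernetes.io/dockerconfigjson Secret that `kubectl create -f -` accepts on stdin.
"""
import base64
import json
import os
import sys

REGISTRY = "docker.wso2.com"


def docker_config(username, password, email=None, registry=REGISTRY):
    """The ~/.docker/config.json structure the kubelet reads; 'auth' is base64(user:pass)."""
    auth = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:  # optional, mirrors --docker-email
        entry["email"] = email
    return {"auths": {registry: entry}}


def pull_secret_manifest(name, namespace, username, password, email=None):
    """A kubernetes.io/dockerconfigjson Secret; Secret data values are base64 per the API."""
    cfg = json.dumps(docker_config(username, password, email), separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def decode_pull_secret(manifest):
    """Inverse of pull_secret_manifest; handy for reviewing a Secret pulled from the cluster."""
    return json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))


def main():
    user = os.environ.get("WSO2_USERNAME")
    password = os.environ.get("WSO2_PASSWORD")
    if not user or not password:
        sys.exit("set WSO2_USERNAME and WSO2_PASSWORD in the environment, not as arguments")
    # Same name, namespace and email convention as the kubectl command in step 3.
    json.dump(pull_secret_manifest("wso2creds", "wso2", user, password, email=user),
              sys.stdout, indent=2)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main()
```

Run it as read -rs WSO2_PASSWORD && export WSO2_PASSWORD, then WSO2_USERNAME=<WSO2_USERNAME> python3 make_pull_secret.py | kubectl create -f -, so the manifest is piped straight into the cluster and nothing is written to disk; kubectl get secret wso2creds -o yaml shows the result.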

4. Set up the product database(s):

Set up the external product databases. Please refer to WSO2 Identity Server's official documentation on creating the databases required for the deployment.

Provide appropriate connection URLs, corresponding to the created external databases and the relevant driver class names for the data sources defined in the following files:

  • <KUBERNETES_HOME>/is/confs/is/datasources/master-datasources.xml
  • <KUBERNETES_HOME>/is/confs/is/datasources/bps-datasources.xml

Please refer to WSO2's official documentation on configuring data sources.

Note:

  • For evaluation purposes, you can use Kubernetes resources provided in the directory
    <KUBERNETES_HOME>/is/extras/rdbms/mysql for deploying the product databases, using MySQL in Kubernetes. However, this approach of product database deployment is not recommended for a production setup.

  • To use these Kubernetes resources, first create a Kubernetes ConfigMap for passing the database script(s) to the deployment.

    kubectl create configmap mysql-dbscripts --from-file=<KUBERNETES_HOME>/is/extras/confs/mysql/dbscripts/
    

    A Network File System (NFS) export is needed here to persist the MySQL data.

    Create and export a directory within the NFS server instance.

    Grant read-write-execute permissions to other users (chmod o+rwx) for the created folder. This makes the export world-writable on the NFS server, which is acceptable only for the evaluation setup these resources are intended for.

    Update the Kubernetes Persistent Volume resource in <KUBERNETES_HOME>/is/extras/rdbms/volumes/persistent-volumes.yaml with the NFS server IP (NFS_SERVER_IP) and the exported NFS directory path (NFS_LOCATION_PATH).

    Deploy the persistent volume resource and volume claim as follows:

    kubectl create -f <KUBERNETES_HOME>/is/extras/rdbms/mysql/mysql-persistent-volume-claim.yaml
    kubectl create -f <KUBERNETES_HOME>/is/extras/rdbms/volumes/persistent-volumes.yaml
    

    Then, create a Kubernetes Service (reachable only from within the Kubernetes cluster), followed by the MySQL Kubernetes Deployment, as follows:

    kubectl create -f <KUBERNETES_HOME>/is/extras/rdbms/mysql/mysql-service.yaml
    kubectl create -f <KUBERNETES_HOME>/is/extras/rdbms/mysql/mysql-deployment.yaml
    
5. Create the Kubernetes role and role binding required by the Kubernetes membership scheme, which the Identity Server pods use to discover each other through the Kubernetes API.
kubectl create --username=admin --password=<K8S_CLUSTER_ADMIN_PASSWORD> -f <KUBERNETES_HOME>/rbac/rbac.yaml

K8S_CLUSTER_ADMIN_PASSWORD: Kubernetes cluster admin password. The --username/--password flags authenticate to the API server with basic auth, since creating RBAC objects needs privileges the default context may not have; as with the registry credentials above, the password then sits in your shell history. If your current kubectl context already has cluster-admin rights, omit the two flags.

6. Set up a Network File System (NFS) to be used for persistent storage.

Create and export unique directories within the NFS server instance for each Kubernetes Persistent Volume resource defined in the <KUBERNETES_HOME>/is/volumes/persistent-volumes.yaml file.

Grant ownership of each of the directories created above to the wso2carbon user and the wso2 group (the uid/gid 802 account created in the prerequisites, which is what the Identity Server containers run as).

sudo chown -R wso2carbon:wso2 <directory_name>

Grant read-write-execute permissions to the wso2carbon user only (no group or world access) for each of the directories.

sudo chmod -R 700 <directory_name>

Update each Kubernetes Persistent Volume resource with the corresponding NFS server IP (NFS_SERVER_IP) and exported NFS directory path (NFS_LOCATION_PATH).

Then, deploy the persistent volume resource and volume claim as follows:

kubectl create -f <KUBERNETES_HOME>/is/identity-server-volume-claims.yaml
kubectl create -f <KUBERNETES_HOME>/is/volumes/persistent-volumes.yaml
7. Create Kubernetes ConfigMaps for passing the WSO2 product configurations into the Kubernetes cluster. kubectl create configmap --from-file=<directory> takes only the regular files directly inside that directory and skips subdirectories, which is why each configuration subdirectory gets its own ConfigMap. Note that a ConfigMap is not a secret store: any database credentials in the files under datasources/ are readable by anyone who can read ConfigMaps in the wso2 namespace, so keep RBAC on the namespace tight or move the credentials into a Secret.
kubectl create configmap identity-server-conf --from-file=<KUBERNETES_HOME>/is/confs/
kubectl create configmap identity-server-conf-axis2 --from-file=<KUBERNETES_HOME>/is/confs/axis2/
kubectl create configmap identity-server-conf-datasources --from-file=<KUBERNETES_HOME>/is/confs/datasources/
kubectl create configmap identity-server-conf-identity --from-file=<KUBERNETES_HOME>/is/confs/identity/
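Steps 4 and 7 together place the data source definitions, including whatever <password> values master-datasources.xml and bps-datasources.xml carry, into a ConfigMap. The following Python check is an added example, not code from the wso2/kubernetes-is repository: it parses the Carbon datasource XML and reports plaintext passwords (a password carrying a Secure Vault svns:secretAlias attribute is treated as already externalised), JDBC URLs that do not request TLS to the database, and embedded H2 URLs, which are per-pod and therefore wrong for a clustered deployment. The embedded sample XML, its host names and credentials are constructed for the example; in practice the script is pointed at the files in the datasources directory referenced in steps 4 and 7.

```python
"""Audit WSO2 Carbon data source XML before it becomes a ConfigMap.

Added example, not part of wso2/kubernetes-is. For each <datasource> it reports
a plaintext <password> (a Secure Vault svns:secretAlias counts as externalised),
a JDBC URL that does not ask the driver for TLS, and an embedded H2 URL, which is
per-pod and so wrong for a clustered deployment. The sample XML is constructed
for the example: element names follow the Carbon format, hosts and credentials
are made up.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

SECRET_ALIAS_ATTR = "{http://org.wso2.securevault/configuration}secretAlias"

SAMPLE_MASTER_DATASOURCES = """<datasources-configuration
    xmlns:svns="http://org.wso2.securevault/configuration">
  <datasources>
    <datasource>
      <name>WSO2_CARBON_DB</name>
      <definition type="RDBMS">
        <configuration>
          <url>jdbc:mysql://mysql-db-service:3306/WSO2_CARBON_DB?useSSL=true&amp;requireSSL=true</url>
          <username>wso2carbon</username>
          <password>wso2carbon</password>
          <driverClassName>com.mysql.jdbc.Driver</driverClassName>
        </configuration>
      </definition>
    </datasource>
    <datasource>
      <name>WSO2_IDENTITY_DB</name>
      <definition type="RDBMS">
        <configuration>
          <url>jdbc:mysql://mysql-db-service:3306/WSO2_IDENTITY_DB</url>
          <username>wso2carbon</username>
          <password svns:secretAlias="Datasources.WSO2_IDENTITY_DB.Configuration.Password">password</password>
          <driverClassName>com.mysql.jdbc.Driver</driverClassName>
        </configuration>
      </definition>
    </datasource>
  </datasources>
</datasources-configuration>
"""


def parse_datasources(xml_text):
    """One dict per <datasource> that carries an RDBMS <configuration> block."""
    found = []
    for ds in ET.fromstring(xml_text).iter("datasource"):
        conf = ds.find("definition/configuration")
        if conf is None:  # JNDI-only or otherwise non-RDBMS definition
            continue
        pw = conf.find("password")
        found.append({
            "name": (ds.findtext("name") or "").strip(),
            "url": (conf.findtext("url") or "").strip(),
            "password": (pw.text or "").strip() if pw is not None else "",
            "secret_alias": pw.get(SECRET_ALIAS_ATTR) if pw is not None else None,
        })
    return found


def _jdbc_params(url):
    """Connection properties: MySQL/PostgreSQL use ?k=v&k=v, SQL Server uses ;k=v;k=v."""
    if url.lower().startswith("jdbc:sqlserver:"):
        pairs = (p.split("=", 1) for p in url.split(";")[1:] if "=" in p)
        return {k.strip().lower(): v.strip() for k, v in pairs}
    query = url.partition("?")[2]
    return {k.lower(): v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def url_requests_tls(url):
    """True only when the URL explicitly asks the JDBC driver for TLS."""
    scheme, p = url.lower(), _jdbc_params(url)
    if scheme.startswith("jdbc:mysql:"):
        return p.get("usessl") == "true" or p.get("sslmode", "").upper() in {
            "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
    if scheme.startswith("jdbc:postgresql:"):
        return p.get("ssl") == "true" or p.get("sslmode") in {"require", "verify-ca", "verify-full"}
    if scheme.startswith("jdbc:sqlserver:"):
        return p.get("encrypt", "").lower() == "true"
    if scheme.startswith("jdbc:oracle:thin:"):
        return "@tcps://" in scheme or "(protocol=tcps)" in scheme
    return False  # unknown driver: report "not verified" rather than guess


def audit(datasources):
    """Findings to resolve before the datasources directory is turned into a ConfigMap."""
    findings = []
    for ds in datasources:
        name, url = ds["name"] or "<unnamed>", ds["url"].lower()
        if ds["password"] and not ds["secret_alias"]:
            findings.append("%s: plaintext password; a ConfigMap is not a secret store" % name)
        if not url:
            findings.append("%s: no JDBC URL" % name)
        elif url.startswith("jdbc:h2:"):
            findings.append("%s: embedded H2 database; not shared between replicas" % name)
        elif not url_requests_tls(ds["url"]):
            findings.append("%s: JDBC URL does not request TLS" % name)
    return findings


if __name__ == "__main__":  # usage: python3 audit_datasources.py [file.xml ...]
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_MASTER_DATASOURCES]
    results = [f for t in texts for f in audit(parse_datasources(t))]
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

On the built-in sample the script flags WSO2_CARBON_DB for its plaintext password and WSO2_IDENTITY_DB for a URL without TLS, and exits non-zero, so it can gate a deployment pipeline before the ConfigMap step. The TLS check is deliberately conservative: it only recognises the driver properties listed in url_requests_tls, and anything else is reported as unverified.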
8. Create Kubernetes Services and Deployments for WSO2 Identity Server:
kubectl create -f <KUBERNETES_HOME>/is/identity-server-service.yaml
kubectl create -f <KUBERNETES_HOME>/is/identity-server-deployment.yaml
9. Deploy Kubernetes Ingress resource:

The WSO2 Identity Server Kubernetes Ingress resource uses the NGINX Ingress Controller.

In order to enable the NGINX Ingress Controller in the desired cloud or on-premise environment, please refer to the official documentation, NGINX Ingress Controller Installation Guide.

Finally, deploy the WSO2 Identity Server Kubernetes Ingress resources as follows:

kubectl create -f <KUBERNETES_HOME>/is/ingresses/identity-server-ingress.yaml
10. Access Management Console:

The default deployment exposes the host name wso2is, which serves the administrative services and the Management Console.

To access the console in the environment,

a. Obtain the external IP (EXTERNAL-IP) of the Ingress resource by listing the Kubernetes Ingresses.

kubectl get ing
NAME                       HOSTS          ADDRESS        PORTS     AGE
wso2is-ingress             wso2is         <EXTERNAL-IP>  80, 443   3m

b. Add the host to your /etc/hosts file, mapped to that IP, as follows:

<EXTERNAL-IP>	wso2is

c. Navigate to https://wso2is/carbon in your browser. The default image ships with a self-signed certificate, so the browser will warn about it; accept this only for evaluation, and replace the default keystore before exposing the deployment beyond a test environment.

11. Scale up using kubectl scale:

The default deployment runs a single replica (pod) of WSO2 Identity Server. To scale the deployment to <n> container replicas, run the following Kubernetes client command:

kubectl scale --replicas=<n> -f <KUBERNETES_HOME>/is/identity-server-deployment.yaml

For example, with <n> set to 2 the deployment is scaled from one replica to two. Running more than one replica depends on the shared NFS volumes and external databases set up in the earlier steps, since the replicas share state only through them.