PoC Deployment on Kubernetes with use of Keycloak as OIDC provider
This page describes the steps for installing Smartfacts for testing Smartfacts in a Proof of Concept. To simplify the installation process, Smartfacts is not connected to your OIDC provider. Instead, a Keycloak is contained in the deployment, which is used as the OIDC provider.
- 1 Preparations
- 2 Setup the Kubernetes Environment
- 2.1 Install k3s
- 2.1.1 Install helm
- 2.1.2 Set Link to Cluster Configuration
- 2.1 Install k3s
- 3 Prepare Deployment
- 4 Install Smartfacts
- 5 Add Web Origin to Keycloak
- 6 A note on Smartfacts PoC Test Users
- 7 Create a Smartfacts Model Warehouse
- 8 Install the Plug-Ins
- 9 Troubleshooting
- 9.1 Detect running containers
- 9.2 Show the logs of a pod
- 9.3 Show certtool logs
- 9.4 Show Keycloak password
- 9.5 Reset lost password for keycloak-admin user
- 9.6 How to Move k3s data to another partition or disk
- 9.7 Postgres Password – How to Fix the "'global.postgresql.auth.postgresPassword' must not be empty" Error
Preparations
If not done so far please prepare your infrastructure as described in Installing Smartfacts for Proof of Concepts | Prepare your infrastructure.
Setup the Kubernetes Environment
You need a Kubernetes cluster to deploy Smartfacts in. If you already have a Kubernetes infrastructure on AWS, GCP or Azure, you can use this.
Please make sure that an ingress controller of nginx or Traefik is installed.
If you don’t have a Kubernetes infrastructure you can set up a single node cluster at a vm. The following section will describe how to set zu such a cluster.
Install k3s
If your server only reaches the Internet via a proxy, you must set up your environment so that this proxy is used with k3s and helm. If this is the case, follow the instructions in this section:
Execute the installation of k3s with the command
Wait 30 seconds.
You can test it with the command sudo kubectl get node
. It will provide an output similar to this one:
NAME STATUS ROLES AGE VERSION
mysrv Ready control-plane,master 161d v1.23.6+k3s1
For more information see: https://rancher.com/docs/k3s/latest/en/quick-start
Install helm
For more information see: https://helm.sh/docs/intro/install
Set Link to Cluster Configuration
Prepare Deployment
Add MID Repository
You will need a username and password to download the helm chart and containers from MID's repository. You will receive username and password from your MID contact or from cops@mid.de.
Provide Certificates and Key as Base64 String
Make sure that the complete certificate chain is contained in a file in correct order in x509 PEM format. The content of certificates in PEM formate looks like this:
In a certificate chain, multiple blocks of certificates are present, representing the server, intermedate and root certificates.
The correct order of the blocks is from top to bottom:
server certificate at the top
intermediate cerificate(s), if any
root certificate at the bottom
Also see Section “Certificates” above in this article.
Save certificate chain as a base64 string:
Save certificate key as base64 string:
Customize Values File
Change to your user's home directory on the server and create a new text file
values.yaml
with the following content:Replace the value of the domain property with your domain name.
If your cluster has access to the internet, then you can pull the images directly from the registry provided by MID. In this case replace the value of the repologin property with the value provided from MID.
Replace the placeholder of the crtFullChain property with the content of the file
chain.crt.base64
.Replace the placeholder of the key property with the content of the
key.base64
file.Replace the placeholder for the externalUrls property with the URL of your Jama or Codebeamer instance. If you connect multiple instances, separate the URLs with a space.
Save the
values.yaml
file.
Option: Use a private container registry
If your Kubernetes cluster has no access to the internet, you can pull the images from the MID registry, re-tag them and push them to your private registry. State the name of your private registry in the property
in your values file.
Install Smartfacts
Execute the Installation
Enter the following command to execute the Installation:
Watch Deployment (in a new Session)
Open a second session on the server and enter the following command:
As soon as all deployments are available, the installation is ready.
Add Web Origin to Keycloak
For Smartfacts to function, it is necessary to correct a value in the Keycloak configuration.
Get the Keycloak administrator password:
Get the URL of keycloak:
Call this URL in a browser. Click on “Administration Console” and log in with Username “keycloak-admin” and the password returned in the step above.
Select “Clients” and the client ID “smartfacts”.
Scroll down until you see the property “Web Origins”. Insert a plus sign “+” into the value field.
Scroll to the bottom of the page and click on the “save” button
A note on Smartfacts PoC Test Users
For the Smartfacts PoC you can use the generated test users “poc1”…”poc50”. All poc users have the same password “poc”. For managing the test users in the CAMP use the account administrator user “acm” which has the password “acm”.
Create a Smartfacts Model Warehouse
Open the Smartfacts URL in your browser:
https://smartfacts.<yoursmartfactsdomain>
and log-in with the account manager credentials (user “acm”, password “acm”).You will now be asked to create a Model Warehouse.
Click on CREATE A NEW MODEL WAREHOUSE.
In the create dialog, first select the previously created account.
Provide a name for the Model Warehouse.
Optionally, activate the check box Create Demo Models if you want some demo content to be added to the Model Warehouse.
Model Warehouse creation is the final step in the Smartfacts platform set-up process.
Install the Plug-Ins
It depends on which tools you want to use in connection with Smartfacts. Smartfacts provides a plugin for every tool which is supported. You can download the plug-ins from the main menu via the command Get Plug-ins.
Troubleshooting
For general Kubernetes Troubleshooting you can consult the kubectl Quick Reference.
Detect running containers
Show the logs of a pod
With the following command you can get the log files of the Smartfacts platform (pod “sfit-platform”). If you deployed with a namespace named other than “smartfacts”, adjust the value of the second variable “ns”.
If you have to call “kubectl” with “sudo”:
If “sudo” is not required:
If you need to get the logs of another pod, change the value of the variable “pod” at the beginning of the line. Available pod names for the Smartfacts installation are the following:
value for pod variable | POD |
---|---|
sfit-platform | The Smartfacts platform |
sfit-spa | The Smartfacts SPA |
mongodb | The mongodb database |
genoslc | The OSLC Connector for Smartfacts |
keycloak | The keycloak pod (identity provider for PoC installations with dummy users) |
Show certtool logs
Show certtool output from Job
Show Secret written by certtool (Attention: The secret does not exist if the certtool did not succeed!)
Show Keycloak password
If it is necessary to login into the admin UI of Keycloak, the password for the admin user “keycloak-admin” can be optained by the following command.
Reset lost password for keycloak-admin user
In rare cases, it might happen that the password of the keycloak-admin user is different from the password in the secret “smartfacts-keycloak-admin-secret” and is not known anymore. This section describes the steps necessary to reset this password.
To reset the password for the keycloak-admin user:
Get the password from the secret like described in the section “Show Keycloak password” above. Save the password in a password manager.
Edit the secret “smartfacts-keycloak-admin-secret”, this command will open the secret in a vi editor:
replace the value of the field “KEYCLOAK_USER” with the base64 value for “tmp-admin”: dG1wLWFkbWlu
Save and quit
Restart the keycloak pod:
Sign in into the keycloak UI with the user “tmp-admin” and the password saved from the secret
In the Keycloak UI, switch to the realm “Master” and then to the section “users”
Klick on “View all users”
Klick on the ID of the user “keycloak-admin”
Go to section “Credentials” and insert the correct password in the fields in section “Reset Password”
Switch “Temprory” to “OFF”
Klick on “Reset Password” and confirm the Reset Password dialog
Log off of Keycloak
Edit the secret “smartfacts-keycloak-admin-secret” again
replace the value of the field “KEYCLOAK_USER” with the base64 value for “keycloak-admin”: a2V5Y2xvYWstYWRtaW4=
Save and quit
Restart the keycloak pod
Sign in into keycloak with keycloak-admin and the password saved from the secret
In the Keycloak UI switch to the realm “Master” and then to section “users”
Klick on “View all users”
Delete the user “tmp-admin”
log out of Keycloak
How to Move k3s data to another partition or disk
Postgres Password – How to Fix the "'global.postgresql.auth.postgresPassword' must not be empty" Error
During Smartfacts installation, some users may face an unexpected issue with Postgres, which is part of the Keycloak service. This issue may occur in different scenarios, such as syntax, certificate or repologin errors in a values.yaml file, network issues etc.
These issues may occur during the Execute the Installation step if some of the previous steps were completed incorrectly. This step consists of two parts:
Creation of the smartfacts namespace in your K8s or K3s cluster
Deployment of the Smartfacts resources to this namespace with Helm package manager
If any of the previous steps were completed incorrectly, a smartfacts namespace will be created, however, checks and jobs will terminate the deployment with the error message.
After fixing all the errors, it is possible to rerun the installation, but a new error message will occur:
During normal installation, the password for the Postgres user will be generated and assigned to the Kube secrets automatically. However, if the installation was interrupted, then this password will be missing and you must set it manually in Helm.
The best solution is to delete the incomplete smartfacts namespace, rather than setting the password manually. To do this, run this command:
After execution of this command, the smartfacts namespace will be deleted and you can successfully install the application.