gluufederation / cloud-native-edition
Cloud Native Edition repository
Home Page: https://gluu.org/docs/gluu-server/latest/installation-guide/install-kubernetes/
License: Apache License 2.0
missing
volumeMounts:
  - name: cb-pass
    mountPath: "/etc/gluu/conf/couchbase_password"
    subPath: couchbase_password
  - name: cb-crt
    mountPath: "/etc/certs/couchbase.crt"
    subPath: couchbase.crt
volumes:
  - name: cb-pass
    secret:
      secretName: cb-pass
  - name: cb-crt
    secret:
      secretName: cb-crt
So it seems there is no actual Helm chart for Gluu yet. This project only shows off some example manifests which are not dynamic and only work for minikube.
There is this project as well. However, there really isn't anything suggesting it uses Helm. I also posted a similar issue on that project as well.
Over the last few weeks, I have built a proper chart for Gluu. The company I work for is Akirix, and they allowed me to share my work with y'all. Hoping our Helm chart could help with Gluu getting out an official Gluu Helm Chart. Please check this project out and fork if you need.
I basically used the Gluu minikube example and the stable helm charts as the pattern to follow.
Our project is not done nor documented enough and therefore may not be the easiest Chart to use. We are definitely hoping y'all can finish what we started using your master knowledge of Gluu. Then the community would be complete with an up to date Helm chart.
Prepare the images and/or recipes/docs to integrate with Istio.
No namespace parameter specified, it's using the default of namespace=default
Add AWS ECS support
We should clearly state in the docs that the command to generate a keystore is:
keytool -genkey -noprompt \
  -alias oxd-server \
  -dname "CN=oxd-server, OU=ID, O=Gluu, L=Gluu, S=TX, C=US" \
  -keystore oxd-server.keystore \
  -storepass <pass> \
  -keypass <pass> \
  -deststoretype pkcs12 \
  -keysize 2048
Also we need to add how to put that back to be used by oxd-server with Helm after encoding it using openssl base64 -A -in oxd-server.keystore.
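The two steps in this issue (generate the PKCS12 keystore, then hand its single-line base64 form to Kubernetes) as an added example; this is not code from the cloud-native-edition repo. The keytool arguments are the ones quoted above, with one addition flagged as a caveat: -keyalg RSA is passed explicitly, because keytool falls back to its own default key algorithm when it is omitted. The Secret name, data key and namespace are illustrative choices, not the chart's values.yaml keys, which the issue does not show.

```python
"""Package an oxd-server keystore into a Kubernetes Secret (added example)."""
import base64
import shutil
import subprocess


def keytool_command(keystore_path, password, alias="oxd-server"):
    """Argument vector matching the keytool command quoted in the issue.

    -keyalg RSA is an addition (caveat): the issue's command omits it and
    would take keytool's default algorithm.
    """
    return [
        "keytool", "-genkey", "-noprompt",
        "-alias", alias,
        "-keyalg", "RSA",
        "-dname", "CN=oxd-server, OU=ID, O=Gluu, L=Gluu, S=TX, C=US",
        "-keystore", keystore_path,
        "-storepass", password,
        "-keypass", password,
        "-deststoretype", "pkcs12",
        "-keysize", "2048",
    ]


def encode_single_line(data):
    """Same output as `openssl base64 -A -in <file>`: base64 with no line breaks.

    Secret `data` values have to be unwrapped base64; wrapped output
    (plain `openssl base64` / `base64` with line breaks) is rejected.
    """
    return base64.b64encode(data).decode("ascii")


def secret_manifest(keystore_bytes, name="oxd-server-keystore",
                    key="oxd-server.keystore", namespace="gluu"):
    """Render an Opaque Secret carrying the keystore bytes.

    name/key/namespace are illustrative (assumption), not the chart's own.
    """
    lines = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "type: Opaque",
        "data:",
        f"  {key}: {encode_single_line(keystore_bytes)}",
    ]
    return "\n".join(lines) + "\n"


def generate_keystore(keystore_path, password):
    """Run keytool (only if a JDK is on PATH) and return the keystore bytes."""
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool (JDK) not found on PATH")
    subprocess.run(keytool_command(keystore_path, password), check=True)
    with open(keystore_path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    import getpass
    import sys

    pw = getpass.getpass("keystore password: ")
    ks = generate_keystore("oxd-server.keystore", pw)
    sys.stdout.write(secret_manifest(ks))
```

Apply the rendered manifest with kubectl apply -f and mount the Secret with a subPath volume the same way the Couchbase password and certificate are mounted at the top of this page. Passing -storepass and -keypass on the command line exposes the password to anyone who can list processes on the build host; keytool accepts -storepass:file and -storepass:env instead, which is the form a CI job should use.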
The current health check URL /passport results in a 404 response code. This causes the liveness and readiness probes to fail, resulting in unwanted restarts of oxpassport containers.
2019-09-02T12:36:29.216Z [INFO] Server listening on https://demoexample.gluu.org:8090
Server listening on https://demoexample.gluu.org:8090
2019-09-02T12:37:06.552Z [INFO] ::ffff:172.17.0.1 - GET /passport HTTP/1.1 404 147 - 5.172 ms
2019-09-02T12:37:07.280Z [INFO] ::ffff:172.17.0.1 - GET /passport HTTP/1.1 404 147 - 1.116 ms
This should be updated to match the new health check URL /passport/token
2019-09-02T12:43:28.973Z [INFO] Server listening on https://demoexample.gluu.org:8090
Server listening on https://demoexample.gluu.org:8090
2019-09-02T12:44:03.780Z [INFO] ::ffff:172.17.0.1 - GET /passport/token HTTP/1.1 200 201 - 5.375 ms
2019-09-02T12:44:05.731Z [INFO] ::ffff:172.17.0.1 - GET /passport/token HTTP/1.1 200 201 - 0.742 ms
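An added example (not project code) that turns the log evidence above into the probe change this issue asks for: it parses the oxpassport access lines, keeps only paths that never answered outside the 200-399 range the kubelet accepts for an httpGet probe, and renders liveness/readiness blocks for that path. The log lines are the ones quoted in the issue; the port and HTTPS scheme follow the "Server listening on https://...:8090" line, and the delay/period/threshold numbers are assumed values, not the chart's.

```python
"""Pick an oxpassport probe path from observed access-log behaviour (added example)."""
import re

# Access-log lines copied from the issue above (the 404 and 200 probes).
SAMPLE_LOG = """\
2019-09-02T12:36:29.216Z [INFO] Server listening on https://demoexample.gluu.org:8090
2019-09-02T12:37:06.552Z [INFO] ::ffff:172.17.0.1 - GET /passport HTTP/1.1 404 147 - 5.172 ms
2019-09-02T12:37:07.280Z [INFO] ::ffff:172.17.0.1 - GET /passport HTTP/1.1 404 147 - 1.116 ms
2019-09-02T12:44:03.780Z [INFO] ::ffff:172.17.0.1 - GET /passport/token HTTP/1.1 200 201 - 5.375 ms
2019-09-02T12:44:05.731Z [INFO] ::ffff:172.17.0.1 - GET /passport/token HTTP/1.1 200 201 - 0.742 ms
"""

# timestamp [INFO] client - METHOD path HTTP/1.x status ...
ACCESS_RE = re.compile(
    r"^\S+ \[INFO\] \S+ - (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01] (?P<status>\d{3}) "
)


def status_by_path(log_text):
    """Map request path -> list of status codes seen; non-access lines are skipped."""
    seen = {}
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            seen.setdefault(m.group("path"), []).append(int(m.group("status")))
    return seen


def healthy_paths(stats):
    """Paths that only ever answered 2xx/3xx. The kubelet counts any httpGet
    response outside 200-399 as a probe failure, so /passport (404) is out."""
    return sorted(p for p, codes in stats.items()
                  if codes and all(200 <= c < 400 for c in codes))


def suggest_probe_path(log_text):
    """Choose the probe path from evidence; refuse rather than guess if none is healthy."""
    candidates = healthy_paths(status_by_path(log_text))
    if not candidates:
        raise ValueError("no path returned only 2xx/3xx; fix the service before wiring a probe")
    return candidates[0]


def probe_spec(path, port=8090, scheme="HTTPS"):
    """httpGet probe body. Port/scheme follow the 'Server listening' line;
    the timing values are assumed, not taken from the chart."""
    return {
        "httpGet": {"path": path, "port": port, "scheme": scheme},
        "initialDelaySeconds": 25,
        "periodSeconds": 25,
        "timeoutSeconds": 5,
        "failureThreshold": 3,
    }


def probes_yaml(path, port=8090):
    """Render livenessProbe and readinessProbe as container-spec YAML (no PyYAML)."""
    out = []
    for kind in ("livenessProbe", "readinessProbe"):
        spec = probe_spec(path, port)
        out.append(f"{kind}:")
        out.append("  httpGet:")
        for k, v in spec["httpGet"].items():
            out.append(f"    {k}: {v}")
        for k, v in spec.items():
            if k != "httpGet":
                out.append(f"  {k}: {v}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(probes_yaml(suggest_probe_path(SAMPLE_LOG)))
```

Whatever path is chosen must stay unauthenticated and cheap to serve, since the kubelet calls it every period without credentials; a path that later starts requiring a token would reproduce exactly the restart loop described in this issue.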
At the production level the use of volumes for minor files in our services is costly. Most of the volumes listed in the helm charts are associated with log files, which should be shipped anyway using other tools and not particularly using volumes.
#9
The first failure here will drop to the catch and the rest of the commands will not run.
To address the new sentinel update GluuFederation/oxCore#144 (comment)
The target is to fully automate the gluu installation from the CI pipeline. I think it's also worthwhile to add options to enable and disable casa related scripts, passport, and radius upon installation, disregarding the fact that it can be done from the oxtrust API. This would ease the installation process to make it clean without intervention from the user.
Our objective is to track our containers/pods use and report them in some form. This can be done by an external running container/pod that will always be a requirement running back-end container/pod. Since we will be enforcing license very soon, this actually might come in handy simply as reporting the use of Gluu.
Use the Kustomize convention in our repos
We need to detect all areas of change and migrate connections to CN.
@nynymike
IP addresses: in chroot, oxauth connects to LDAP via localhost, so bootstrap LDAP connection properties will need to be updated when migrating to kubernetes. Also, the IP Address is in the chroot httpd.conf Listen directive
Cache Refresh… which uses the file system to store snapshots
Private key access
Is the chroot one instance, or a clustered deployment (using Cluster Manager)?
https://github.com/GluuFederation/enterprise-edition/wiki/chroot-to-kubernetes-migration
kubernetes_c0282ea8667c78f4756eb1ec25f61eeb8d64a9efc01719584e9421d6b8933be1/site-packages/pygluu/kubernetes/create.py", line 755, in deploy_nfs
    self.kubernetes.connect_get_namespaced_pod_exec(exec_command=exec_command_shared_shib, label="app=nfs-server")
TypeError: connect_get_namespaced_pod_exec() got an unexpected keyword argument 'label'
source ./venv/bin/activate
should be source .venv/bin/activate
./pygluu-kuberenets.pyz upgrade
should be supported
Move create.sh from the Kubernetes installation example and run_all.sh from docker compose to python3 scripts, to match the structure of Gluu CE.
https://gluu.org/docs/ce/4.0/admin-guide/radius-server/gluu-radius/
Currently the following are being used as the RADIUS server:
Add to run_all.sh logic to detect any conflicting containers and closed ports. We will require the VM to be in a clean state.
Add image and manifests for Gluu OXD
Add license enforcement in our EE edition. This needs to be in our GUI: ask for a license file and have a back-end server approve this license.
Current oxAuth/oxTrust images don't have scim-rp.jks or any SCIM-related files inside the container.
This includes the need to add the manifests to our templates.
With the nginx-ingress required to be installed before the rest of the chart, and it operating in a different namespace, we should just switch to two helm installs instead of having the user manipulate the main values.yaml, helm install, then manipulate again and helm upgrade.
https://github.com/GluuFederation/enterprise-edition/tree/4.0/helm/charts/nginx-ingress
Create image and manifests to use Gluu Gateway.
https://gluu.org/docs/gg/
As Macs have Python2 installed (and it's recommended not to uninstall Python2), the instructions for mac should specify Python3:
python3 -m venv .venv
pip3 install shiv
etc.
Currently, to use casa the user must move /etc/gluu/conf/casa.json to the backend manually. This step has to be automated to load at:
dn: ou=casa,ou=configuration,o=gluu
objectClass: top
objectClass: oxApplicationConfiguration
ou: casa
oxConfApplication: < ... contents of casa.json ... >
The current Swarm example requires users to modify manifests to choose which services are deployed to the swarm cluster. To ease the operation, the examples should adhere to Compose and/or Kubernetes examples that are modular.
@shmorri @mogluu
We have to be able to integrate with a locally deployed Kubernetes that is set up using any method, such as rke, kubeadm, etc.
Issues that are at hand with a fully local deployment are:
Create RHEL UBI-based image that conforms to the following rules:
In alignment with Red Hat’s container repo policy it is recommended to
explicitly indicate the RHEL version in repo names (like so: -ubi7, -ubi8, rhel7, rhel8).
Certified partner images with “UBI” only content: Eligible for distribution through External Registries
Example: Namespace/Repository MYCOMPANY/MYPRODUCT-UBI7
testing
We need to add instructions to the user on how to reinstall Gluu with currently available information in the backend without overwriting any info. This might also be addressed in the installer.
app=casa
app=oxauth
app=oxd-server
app=oxpassport
app=radius
app=redis
app=efs-provisioner
app=key-rotation
app=opendj
app=oxtrust
app=oxshibboleth
app=config-init-load
app=persistence-load
app=cr-rotate
app=nfs-server
app=shared-shib
Should be ca_crt_content to match the next line.
cr-rotate:
  enabled: false
NAME READY STATUS RESTARTS AGE
gluu-config-7lnkz 0/1 Completed 0 5m37s
gluu-cr-rotate-47cvg 1/1 Running 0 5m37s
gluu-cr-rotate-75sdn 1/1 Running 0 5m37s
gluu-cr-rotate-7b9s6 1/1 Running 0 5m37s
gluu-cr-rotate-8sqhc 1/1 Running 0 5m37s
gluu-cr-rotate-9f9l9 1/1 Running 0 5m37s
gluu-cr-rotate-cp7jb 1/1 Running 0 5m37s
gluu-oxauth-5d9977fcdb-khrj7 0/1 Running 2 5m37s