Onyxia-openid-install
Jump to navigation
Jump to search
onyxia + openid install
#Official : https://docs.onyxia.sh
- Configurez :
#https://docs.onyxia.sh/ domainRoot=example.com appName=datalab s3Url=https://s3.example.com
- Executez :
mv ~/${appName} ~/${appName}-$(date '+%Y%m%d') mkdir ~/${appName} cd ~/${appName} #values cat <<EOT >${appName}-values.yaml ingress: enabled: true hosts: - host: "${appName}.${domainRoot}" annotations: cert-manager.io/cluster-issuer: letsencrypt-prod tls: - secretName: ${appName}.${domainRoot}-tls hosts: - "${appName}.${domainRoot}" EOT helm repo add onyxia https://InseeFrLab.github.io/onyxia helm repo update helm search repo onyxia --versions |head
- Configurez :
appVersion=8.20.0
- Choisir un mot de passe pour l'installation :
CHANGEME1
- Executez :
helm upgrade --install ${appName} onyxia/onyxia -n ${appName} --create-namespace \ --version "${appVersion}" \ -f ${appName}-values.yaml # Keycloak helm repo add bitnami https://charts.bitnami.com/bitnami keycloakVersion=$(curl -s https://raw.githubusercontent.com/InseeFrLab/onyxia-ops/main/apps/keycloak/Chart.yaml | sed -rn 's#^[[:space:]]+version: (.*)$#\1#p') export appVersion export appDomain=${appName}.${domainRoot} export DOMAIN=${domainRoot} #https://github.com/InseeFrLab/onyxia-ops/blob/main/apps/keycloak/values.yaml [ -z "${CHANGEME1}" ] &&echo CHANGEME1 &&read i &&export CHANGEME1=$i CHANGEME2=${CHANGEME1} CHANGEME3=${CHANGEME2} cat <<EOT >keycloak-values.yaml global: postgresql: auth: postgresPassword: "$CHANGEME1" username: "keycloak" password: "$CHANGEME2" database: "keycloak" #keycloak: auth: adminUser: keycloak adminPassword: $CHANGEME3 production: true tls: enabled: false autoGenerated: false proxy: edge httpRelativePath: "/auth/" replicaCount: 1 ingress: # If `true`, an Ingress is created enabled: true #ingressClassName: nginx # Ingress annotations annotations: ## Resolve HTTP 502 error using ingress-nginx: ## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response nginx.ingress.kubernetes.io/proxy-buffer-size: 128k cert-manager.io/cluster-issuer: letsencrypt-prod # List of rules for the Ingress hostname: "auth-lab.$DOMAIN" # TLS configuration extraTls: - hosts: - auth-lab.$DOMAIN secretName: auth-lab.$DOMAIN-tls extraStartupArgs: "--features=preview --log-level=org.keycloak.events:debug" extraEnvVars: - name: ONYXIA_RESOURCES_ALLOWED_ORIGINS value: "https://${appDomain}, http://localhost, http://127.0.0.1" initContainers: | - name: realm-ext-provider image: curlimages/curl imagePullPolicy: IfNotPresent command: - sh args: - -c - | curl -L -f -S -o /extensions/onyxia-web.jar https://github.com/InseeFrLab/onyxia/releases/download/v${appVersion}/keycloak-theme.jar volumeMounts: - name: extensions mountPath: /extensions extraVolumeMounts: | - name: extensions mountPath: /opt/bitnami/keycloak/providers extraVolumes: | - name: extensions emptyDir: {} externalDatabase: host: keycloakv3-postgresql port: 5432 user: keycloak password: $CHANGEME2 database: keycloak EOT helm upgrade --install keycloak bitnami/keycloak -n ${appName} --create-namespace \ -f keycloak-values.yaml \ --version "${keycloakVersion}"
- Allez sur Keycloak :
https://auth-lab.<your-domain>/auth/ (keycloak:<your-password>)
- Configurez :
#https://docs.onyxia.sh/admin-doc/readme/user-authentication (partie : Configuring Keycloak) (Ne pas configurer l'étape 3. In Authentication (on the left panel) -> Tab Required Actions enable and set as default action Therms and Conditions.)
- Executez :
if [ -z "$appName" ] || [ -z "$domainRoot" ] || [ -z "$appVersion" ] ;then echo nok break fi export DOMAIN=${domainRoot} cat <<EOT >${appName}-values.yaml ingress: enabled: true hosts: - host: "${appName}.${domainRoot}" annotations: cert-manager.io/cluster-issuer: letsencrypt-prod tls: - secretName: ${appName}.${domainRoot}-tls hosts: - "${appName}.${domainRoot}" api: startupProbe: enabled: true periodSeconds: 60 serviceAccount: create: true clusterAdmin: true env: authentication.mode: "openidconnect" oidc.issuer-uri: "https://auth-lab.$DOMAIN/auth/realms/datalab" oidc.clientID: "onyxia" catalogs: [ ] regions: [ { id: "default", name: "default", location: {lat: 48.864716, longitude: 2.349014, name: "Paris" }, description: "Default", services: { quotas: { enabled: false, userEnabled: false, groupEnabled: false, allowUserModification: false, default: { "count/pods": 100, "requests.memory": 32, "requests.cpu": 8, "limits.memory": 32, "limits.cpu": 8, "requests.storage": "500Gi" } }, type: "KUBERNETES", singleNamespace: false, authenticationMode: "serviceAccount", expose: { domain: "$DOMAIN", route: false, ingress: true }, defaultConfiguration: { ipprotection: false, sliders: { cpu: { sliderUnit: "m", sliderMax: 8000, sliderStep: 100, sliderMin: 100 }, memory: { sliderMax: 16, sliderMin: 1, sliderUnit: "Gi", sliderStep: 1 }, disk: { sliderMin: 1, sliderMax: 200, sliderUnit: "Gi", sliderStep: 1 } }, resources: { cpuLimit: 2000m, memoryLimit: 4Gi, disk: 5Gi } }, }, data: { S3: { URL: "${s3Url}", pathStyleAccess: true, workingDirectory: { bucketMode: "multi", bucketNamePrefix: "", bucketNamePrefixGroup: "project-" } } } } ] extraVolumes: - name: config emptyDir: {} - name: cache emptyDir: {} extraVolumeMounts: - mountPath: /.config/ name: config - mountPath: /.cache/ name: cache web: env: FONT: | { fontFamily: "Marianne", dirUrl: "%PUBLIC_URL%/fonts/Marianne", "400": "Marianne-Regular.woff2", "400-italic": "Marianne-Regular_Italic.woff2", "500": "Marianne-Medium.woff2", "700": "Marianne-Bold.woff2", "700-italic": "Marianne-Bold_Italic.woff2" } PALETTE_OVERRIDE: | { focus: { main: "#000091", light: "#9A9AFF", light2: "#E5E5F4" }, dark: { main: "#2A2A2A", light: "#383838", greyVariant1: "#161616", greyVariant2: "#9C9C9C", greyVariant3: "#CECECE", greyVariant4: "#E5E5E5" }, light: { main: "#F1F0EB", light: "#FDFDFC", greyVariant1: "#E6E6E6", greyVariant2: "#C9C9C9", greyVariant3: "#9E9E9E", greyVariant4: "#747474" } } HOMEPAGE_HERO_TEXT_AUTHENTICATED: "Bonjour %USER_FIRSTNAME% !" HOMEPAGE_CARDS: "[]" SOCIAL_MEDIA_IMAGE: "%PUBLIC_URL%/preview-france.png" HEADER_TEXT_BOLD: "Fabrique Numérique" DISABLE_HOMEPAGE: false HOMEPAGE_MAIN_ASSET: false HEADER_TEXT_FOCUS: "DataLab" HEADER_MAIN_ASSET: "false" extraVolumes: - name: nginx emptyDir: {} - name: index emptyDir: {} EOT helm upgrade --install ${appName} onyxia/onyxia -n ${appName} --create-namespace \ --version "${appVersion}" \ -f ${appName}-values.yaml