Onyxia-openid-install
onyxia + openid install
#Official : https://docs.onyxia.sh
- Configurez :
# voir https://docs.onyxia.sh/ ; définir : domainRoot=example.com appName=datalab s3Url=https://s3.example.com
- Exécutez :
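# Prepare a fresh working directory for this install and register the Onyxia
# chart repository.  Wrapped in a function so that a failed precondition stops
# the whole step with `return` (a bare `exit` would close an interactive shell
# when this is pasted into a terminal).  The `cd` still takes effect in the
# calling shell because functions run in it.
onyxia_prepare() {
  # domainRoot/appName/s3Url come from the "Configurez" step above; every
  # later heredoc interpolates them, so refuse to continue when one is unset
  # (with appName empty, the mv/mkdir below would operate on $HOME itself).
  if [ -z "$domainRoot" ] || [ -z "$appName" ] || [ -z "$s3Url" ]; then
    echo "nok: domainRoot, appName and s3Url must all be set" >&2
    return 1
  fi

  # Keep a dated copy of a previous working directory instead of clobbering it.
  if [ -d ~/"${appName}" ]; then
    mv ~/"${appName}" ~/"${appName}-$(date '+%Y%m%d')" || return 1
  fi
  mkdir -p ~/"${appName}" || return 1
  cd ~/"${appName}" || return 1

  # Minimal values for the bootstrap install: only the ingress.  OIDC, the
  # region and the web branding are added by the second install, once
  # Keycloak exists.  The secret name is quoted so that a domain/app name the
  # YAML parser could mis-type (digits, ": ", " #") still reads as a string.
  cat <<EOT >"${appName}-values.yaml"
ingress:
  enabled: true
  hosts:
    - host: "${appName}.${domainRoot}"
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls:
    - secretName: "${appName}.${domainRoot}-tls"
      hosts:
        - "${appName}.${domainRoot}"
EOT

  helm repo add onyxia https://InseeFrLab.github.io/onyxia || return 1
  helm repo update || return 1
  # List the available chart versions; pick one for appVersion in the next step.
  helm search repo onyxia --versions | head
}
onyxia_prepare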
- Configurez :
appVersion=8.20.0
- Choisir un mot de passe pour l'installation :
CHANGEME1
- Exécutez :
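# Bootstrap install: the chart is deployed once with only the ingress values so
# that the namespace and a reachable endpoint exist before Keycloak is set up.
# Expansions are quoted and checked so an unset appName/appVersion cannot turn
# into an empty release name or an empty --version.
helm upgrade --install "${appName:?appName is not set}" onyxia/onyxia \
  -n "${appName}" --create-namespace \
  --version "${appVersion:?appVersion is not set}" \
  -f "${appName}-values.yaml"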
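# Keycloak (bitnami chart), deployed as the OIDC provider for Onyxia.
# Wrapped in a function so a missing precondition stops the step with
# `return` instead of closing an interactive shell.
onyxia_keycloak_install() {
  helm repo add bitnami https://charts.bitnami.com/bitnami || return 1

  # Pin the Keycloak chart version to the one used by onyxia-ops.  -f makes
  # curl fail on HTTP errors instead of feeding an error page to sed, and the
  # result is checked so helm is never run with --version "".
  keycloakVersion=$(curl -fsSL https://raw.githubusercontent.com/InseeFrLab/onyxia-ops/main/apps/keycloak/Chart.yaml \
    | sed -rn 's#^[[:space:]]+version: (.*)$#\1#p')
  if [ -z "$keycloakVersion" ]; then
    echo "nok: could not determine the Keycloak chart version from onyxia-ops" >&2
    return 1
  fi

  # appVersion is exported because the init container below downloads the
  # Onyxia Keycloak theme matching the Onyxia release.
  export appVersion
  export appDomain="${appName:?appName is not set}.${domainRoot:?domainRoot is not set}"
  export DOMAIN="${domainRoot}"

  # https://github.com/InseeFrLab/onyxia-ops/blob/main/apps/keycloak/values.yaml
  # Prompt for the install password if it was not set in the step above.
  # `read -s` (bash/zsh) keeps it off the terminal.  It is deliberately NOT
  # exported: the heredoc below only needs a shell variable, and an exported
  # value would be visible to every child process started from this shell.
  if [ -z "${CHANGEME1}" ]; then
    printf 'CHANGEME1: '
    read -rs CHANGEME1
    echo
  fi
  : "${CHANGEME1:?no password given}"
  # One password is reused for the PostgreSQL superuser, the keycloak DB user
  # and the Keycloak admin account (CHANGEME2/CHANGEME3 are copies of it).
  CHANGEME2=${CHANGEME1}
  CHANGEME3=${CHANGEME2}

  # The values file holds plaintext passwords: create it with mode 0600.
  # umask runs in a subshell so the caller's umask is untouched.
  (
    umask 077
    cat <<EOT >keycloak-values.yaml
global:
  postgresql:
    auth:
      postgresPassword: "$CHANGEME1"
      username: "keycloak"
      password: "$CHANGEME2"
      database: "keycloak"
# keycloak:
auth:
  adminUser: keycloak
  # Quoted so a password made of digits or containing ": " / " #" stays a string.
  adminPassword: "$CHANGEME3"
production: true
tls:
  enabled: false
  autoGenerated: false
# TLS is terminated at the ingress; Keycloak runs plain HTTP behind it.
proxy: edge
httpRelativePath: "/auth/"
replicaCount: 1
ingress:
  # If `true`, an Ingress is created
  enabled: true
  # ingressClassName: nginx
  # Ingress annotations
  annotations:
    ## Resolve HTTP 502 error using ingress-nginx:
    ## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    cert-manager.io/cluster-issuer: letsencrypt-prod
  # List of rules for the Ingress
  hostname: "auth-lab.$DOMAIN"
  # TLS configuration
  extraTls:
    - hosts:
        - "auth-lab.$DOMAIN"
      secretName: "auth-lab.$DOMAIN-tls"
# Preview features plus debug logging of Keycloak events (verbose; handy while
# validating the OIDC setup).
extraStartupArgs: "--features=preview --log-level=org.keycloak.events:debug"
extraEnvVars:
  # The localhost origins allow a locally served Onyxia web UI to use this
  # Keycloak; drop them if that is not needed.
  - name: ONYXIA_RESOURCES_ALLOWED_ORIGINS
    value: "https://${appDomain}, http://localhost, http://127.0.0.1"
# The Onyxia login theme is fetched at pod start from the GitHub release that
# matches appVersion and loaded as a Keycloak provider.  No checksum or
# signature is verified here: the trust anchor is GitHub over TLS.
initContainers: |
  - name: realm-ext-provider
    image: curlimages/curl
    imagePullPolicy: IfNotPresent
    command:
      - sh
    args:
      - -c
      - |
        curl -L -f -S -o /extensions/onyxia-web.jar https://github.com/InseeFrLab/onyxia/releases/download/v${appVersion}/keycloak-theme.jar
    volumeMounts:
      - name: extensions
        mountPath: /extensions
extraVolumeMounts: |
  - name: extensions
    mountPath: /opt/bitnami/keycloak/providers
extraVolumes: |
  - name: extensions
    emptyDir: {}
# NOTE(review): externalDatabase is normally only consulted when the chart's
# bundled PostgreSQL is disabled, which is not done above -- confirm which
# database is intended.
externalDatabase:
  host: keycloakv3-postgresql
  port: 5432
  user: keycloak
  password: "$CHANGEME2"
  database: keycloak
EOT
  )

  helm upgrade --install keycloak bitnami/keycloak -n "${appName}" --create-namespace \
    -f keycloak-values.yaml \
    --version "${keycloakVersion}"
}
onyxia_keycloak_install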
- Allez sur Keycloak :
https://auth-lab.<your-domain>/auth/ (keycloak:<your-password>)
- Configurez :
#https://docs.onyxia.sh/admin-doc/readme/user-authentication (partie : Configuring Keycloak) (Ne pas configurer l'étape 3 : In Authentication (on the left panel) -> Tab Required Actions, enable and set as default action "Terms and Conditions".)
- Exécutez :
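# Final install of Onyxia: the ingress of the bootstrap install plus OIDC
# against the Keycloak deployed above, one default Kubernetes region and the
# web branding.  A function so that a missing precondition returns instead of
# falling through: the former `break` is a no-op outside a loop and did not
# stop the install.  s3Url is checked too, since the region interpolates it.
onyxia_install() {
  if [ -z "$appName" ] || [ -z "$domainRoot" ] || [ -z "$appVersion" ] || [ -z "$s3Url" ]; then
    echo "nok: appName, domainRoot, appVersion and s3Url must all be set" >&2
    return 1
  fi
  export DOMAIN="${domainRoot}"

  cat <<EOT >"${appName}-values.yaml"
ingress:
  enabled: true
  hosts:
    - host: "${appName}.${domainRoot}"
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls:
    - secretName: "${appName}.${domainRoot}-tls"
      hosts:
        - "${appName}.${domainRoot}"
api:
  startupProbe:
    enabled: true
    periodSeconds: 60
  serviceAccount:
    create: true
    # The API service account is granted cluster-admin here (it manages user
    # namespaces and their resources).  Scope this down if your cluster
    # policy requires it.
    clusterAdmin: true
  env:
    authentication.mode: "openidconnect"
    # "datalab" is presumably the realm created in the Keycloak configuration
    # step above -- keep the two in sync.
    oidc.issuer-uri: "https://auth-lab.$DOMAIN/auth/realms/datalab"
    oidc.clientID: "onyxia"
    # No Helm catalogs yet.
    catalogs: []
    regions:
      - id: "default"
        name: "default"
        location:
          lat: 48.864716
          longitude: 2.349014
          name: "Paris"
        description: "Default"
        services:
          quotas:
            enabled: false
            userEnabled: false
            groupEnabled: false
            allowUserModification: false
            default:
              "count/pods": 100
              "requests.memory": 32
              "requests.cpu": 8
              "limits.memory": 32
              "limits.cpu": 8
              "requests.storage": "500Gi"
          type: "KUBERNETES"
          singleNamespace: false
          authenticationMode: "serviceAccount"
          expose:
            domain: "$DOMAIN"
            route: false
            ingress: true
          defaultConfiguration:
            ipprotection: false
            sliders:
              cpu:
                sliderUnit: "m"
                sliderMax: 8000
                sliderStep: 100
                sliderMin: 100
              memory:
                sliderMax: 16
                sliderMin: 1
                sliderUnit: "Gi"
                sliderStep: 1
              disk:
                sliderMin: 1
                sliderMax: 200
                sliderUnit: "Gi"
                sliderStep: 1
            resources:
              cpuLimit: 2000m
              memoryLimit: 4Gi
              disk: 5Gi
        data:
          S3:
            URL: "${s3Url}"
            pathStyleAccess: true
            workingDirectory:
              bucketMode: "multi"
              bucketNamePrefix: ""
              bucketNamePrefixGroup: "project-"
  extraVolumes:
    - name: config
      emptyDir: {}
    - name: cache
      emptyDir: {}
  extraVolumeMounts:
    - mountPath: /.config/
      name: config
    - mountPath: /.cache/
      name: cache
web:
  env:
    # FONT and PALETTE_OVERRIDE are handed to the web UI as strings (literal
    # block scalars); their JSON-like content is kept exactly as is.
    FONT: |
      {
        fontFamily: "Marianne",
        dirUrl: "%PUBLIC_URL%/fonts/Marianne",
        "400": "Marianne-Regular.woff2",
        "400-italic": "Marianne-Regular_Italic.woff2",
        "500": "Marianne-Medium.woff2",
        "700": "Marianne-Bold.woff2",
        "700-italic": "Marianne-Bold_Italic.woff2"
      }
    PALETTE_OVERRIDE: |
      {
        focus: {
          main: "#000091",
          light: "#9A9AFF",
          light2: "#E5E5F4"
        },
        dark: {
          main: "#2A2A2A",
          light: "#383838",
          greyVariant1: "#161616",
          greyVariant2: "#9C9C9C",
          greyVariant3: "#CECECE",
          greyVariant4: "#E5E5E5"
        },
        light: {
          main: "#F1F0EB",
          light: "#FDFDFC",
          greyVariant1: "#E6E6E6",
          greyVariant2: "#C9C9C9",
          greyVariant3: "#9E9E9E",
          greyVariant4: "#747474"
        }
      }
    HOMEPAGE_HERO_TEXT_AUTHENTICATED: "Bonjour %USER_FIRSTNAME% !"
    HOMEPAGE_CARDS: "[]"
    SOCIAL_MEDIA_IMAGE: "%PUBLIC_URL%/preview-france.png"
    HEADER_TEXT_BOLD: "Fabrique Numérique"
    # Container env values are always strings; quoting the boolean-looking
    # ones keeps them consistent with HEADER_MAIN_ASSET below and avoids a
    # YAML bool reaching the pod spec.
    DISABLE_HOMEPAGE: "false"
    HOMEPAGE_MAIN_ASSET: "false"
    HEADER_TEXT_FOCUS: "DataLab"
    HEADER_MAIN_ASSET: "false"
  extraVolumes:
    - name: nginx
      emptyDir: {}
    - name: index
      emptyDir: {}
EOT

  helm upgrade --install "${appName}" onyxia/onyxia -n "${appName}" --create-namespace \
    --version "${appVersion}" \
    -f "${appName}-values.yaml"
}
onyxia_install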