JimmiHsieh edited this page Sep 10, 2019 · 4 revisions

Preparations:

  1. Install the Google Cloud SDK (it includes kubectl).
  2. Install Docker.
  3. Set up a GCP project.

Create Cloud SQL (PostgreSQL)

  1. Create a PostgreSQL instance through the GCP console.
  2. Enable "Private IP".
  3. Go to Users -> change the user's password.

Enable the Cloud SQL Admin API (used by the Cloud SQL Proxy)

  1. Go to the GCP console -> click [APIs & Services] and select [Library]
    -> type "Cloud SQL" in the search bar
    -> enable "Cloud SQL Admin API" and "Cloud SQL".
  2. Go to the GCP console -> click [IAM & admin] -> Service accounts
    -> click [Create Service Account]
    -> enter the service account name (keycloak-master) -> Create.
  3. Select the role Cloud SQL Admin -> Continue.
  4. Create a key of type JSON -> save it to a file (key.json).

Push the Keycloak Docker image to Cloud Registry (gcr.io)

(Currently we use Keycloak 7.0.0; we don't know why it does not work with 6.0.1.)
$ export PROJECT_ID="$(gcloud config get-value project -q)"
$ sudo docker pull jboss/keycloak:7.0.0
$ sudo docker tag jboss/keycloak:7.0.0 asia.gcr.io/${PROJECT_ID}/keycloak
$ sudo docker push asia.gcr.io/${PROJECT_ID}/keycloak

Create GKE Cluster.

$ gcloud container clusters create auth-cluster --num-nodes=3
$ gcloud container clusters get-credentials auth-cluster

Load the secret from the JSON key file.

$ kubectl create secret generic cloudsql-instance-credentials \
    --from-file=credentials.json="{secret_dir}/key.json"
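The service-account steps above and this secret step are the part of the setup where a long-lived credential is minted and moved around, so it is worth scripting them and checking the key file before it goes into the cluster. The script below is an added example, not code from this wiki: it does with gcloud what the console clicks above do, writes the key with restrictive permissions, verifies that the file really is a service-account key (not a user credential or a truncated download) and is mode 600, and then creates the same cloudsql-instance-credentials secret. It assumes gcloud and kubectl are already authenticated and reuses the page's names (keycloak-master, key.json, PROJECT_ID). One deliberate difference, controlled by SA_ROLE: it defaults to roles/cloudsql.client, which is all the Cloud SQL Proxy needs to connect, whereas the page grants Cloud SQL Admin, which also allows creating and deleting instances.

```shell
#!/bin/sh
# Added example, not code from the wiki: create the Cloud SQL Proxy service
# account with gcloud (instead of the console clicks), generate its key,
# sanity-check the key file, and load it as the Kubernetes secret the proxy
# deployment mounts.
# Assumptions: gcloud/kubectl are authenticated; names follow the page
# (keycloak-master, key.json, cloudsql-instance-credentials); PROJECT_ID is
# exported as on the page. SA_ROLE defaults to roles/cloudsql.client (least
# privilege for the proxy); the page uses the broader Cloud SQL Admin role.
set -eu

SA_NAME="${SA_NAME:-keycloak-master}"
KEY_FILE="${KEY_FILE:-key.json}"
SA_ROLE="${SA_ROLE:-roles/cloudsql.client}"

# Service-account e-mail derived from the account name and project id.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Return 0 only when FILE is a non-empty service-account key (not a user
# credential, not truncated) that is readable by its owner alone.
check_key_file() {
  file="$1"
  [ -s "$file" ] || { echo "$file: missing or empty" >&2; return 1; }
  grep -q '"type": *"service_account"' "$file" ||
    { echo "$file: not a service-account key" >&2; return 1; }
  grep -q '"private_key":' "$file" ||
    { echo "$file: no private_key field (truncated download?)" >&2; return 1; }
  [ "$(ls -l "$file" | cut -c1-10)" = "-rw-------" ] ||
    { echo "$file: must be mode 600 (chmod 600 $file)" >&2; return 1; }
}

# Constructed sample key with fake values, used only to exercise
# check_key_file offline; it is not a real credential.
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
  "client_email": "keycloak-master@example-project.iam.gserviceaccount.com"
}
EOF
  chmod 600 "$1"
}

# gcloud equivalent of the console steps: enable the API, create the account,
# bind the role, and write the key with umask 077 so it is never world-readable.
provision_service_account() {
  project="$1"
  email=$(sa_email "$SA_NAME" "$project")
  gcloud services enable sqladmin.googleapis.com --project "$project"
  gcloud iam service-accounts create "$SA_NAME" \
    --display-name "Keycloak Cloud SQL Proxy" --project "$project"
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$email" --role "$SA_ROLE"
  ( umask 077 && gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account "$email" --project "$project" )
}

# Same secret as on the page, created only after the key file passes the checks.
load_secret() {
  check_key_file "$KEY_FILE"
  kubectl create secret generic cloudsql-instance-credentials \
    --from-file=credentials.json="$KEY_FILE"
}

# GCP and the cluster are only touched when explicitly requested, so the
# checks above can be run without any credentials present.
if [ "${RUN_PROVISION:-0}" = 1 ]; then
  provision_service_account "${PROJECT_ID:?export PROJECT_ID as on the page}"
  load_secret
fi
```

Run it with `RUN_PROVISION=1 sh provision.sh` after exporting PROJECT_ID; without RUN_PROVISION it only defines the functions, so `check_key_file key.json` can be used on its own before the kubectl step.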

Deploy Cloud SQL Proxy

  1. Replace the DB instance name in proxy/proxy-deployment.yaml, then apply it:
    $ kubectl apply -f proxy/
    Documentation

Using a Google-managed SSL certificate (optional)

*** Here we have our own domain and want GCP to renew the SSL certificate automatically. ***
*** Skip this step if you don't require SSL. ***

  1. Reserve a global static IP address.
    $ gcloud compute addresses create example-auth-ip --global
    $ gcloud compute addresses describe example-auth-ip --global

  2. Create the GCP-managed certificate.
    $ kubectl apply -f certificate/auth-certificate.yaml
    $ kubectl describe managedcertificate
    Documentation

Deploy Keycloak as a StatefulSet

  1. Create the Keycloak instances.
    $ kubectl apply -f keycloak-statefulset.yaml

  2. Create the headless service.
    $ kubectl apply -f keycloak-headless.yaml

  3. Create the load balancer.
    $ kubectl apply -f keycloak-service.yaml

  4. Expose the service via Ingress (this takes more than 10 minutes).
    *** Delete the annotations from ingress.yaml if you don't need SSL. ***
    $ kubectl apply -f keycloak-ingress.yaml

  5. Configure the DNS records for your domain to point to the IP address of the load balancer (optional).

  6. Check that cluster discovery succeeded; the Keycloak logs should show:
    10:39:01,203 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN100000: Node keycloak-2 joined the cluster
    10:39:01,205 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|14] (4) [keycloak-0, keycloak-1, keycloak-3, keycloak-2]
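Reading the two log lines by eye works once, but a split cluster (two pods forming their own view each) also prints "joined the cluster" messages and is easy to miss. The script below is an added example, not code from this wiki: it pulls the latest ISPN000094 "cluster view" line from a pod's log, extracts the member count and member list, and fails unless the view has exactly the expected number of members and every pod keycloak-0 .. keycloak-(N-1) is in it. It assumes the StatefulSet's pods are named with the keycloak- prefix, as in the log above, and that you pass the replica count yourself; the embedded log excerpt is the one quoted on this page, used as constructed test input.

```shell
#!/bin/sh
# Added example, not code from the wiki: verify that the Keycloak StatefulSet
# formed a single Infinispan cluster by parsing the ISPN000094 cluster-view line.
# Assumes pods are named keycloak-0 .. keycloak-(N-1), as in the page's log.
set -eu

# Constructed test input: the two log lines quoted on the page.
sample_log() {
  cat <<'EOF'
10:39:01,203 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN100000: Node keycloak-2 joined the cluster
10:39:01,205 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|14] (4) [keycloak-0, keycloak-1, keycloak-3, keycloak-2]
EOF
}

# Print the member count "(N)" of the most recent cluster view in LOG,
# or nothing if no view has been logged yet.
latest_view_size() {
  grep 'ISPN000094' "$1" | tail -n 1 |
    sed -n 's/.*Received new cluster view for channel ejb: \[[^]]*\] (\([0-9]*\)) .*/\1/p'
}

# Print the member list of the most recent cluster view in LOG, e.g.
# "keycloak-0, keycloak-1, keycloak-3, keycloak-2".
latest_view_members() {
  grep 'ISPN000094' "$1" | tail -n 1 |
    sed -n 's/.*Received new cluster view for channel ejb: \[[^]]*\] ([0-9]*) \[\(.*\)\]$/\1/p'
}

# Return 0 when the latest view has exactly REPLICAS members and contains
# every pod keycloak-0 .. keycloak-(REPLICAS-1); report what is wrong otherwise.
check_cluster_formed() {
  log="$1"; replicas="$2"
  size=$(latest_view_size "$log")
  members=$(latest_view_members "$log")
  [ -n "$size" ] || { echo "no cluster view logged yet" >&2; return 1; }
  [ "$size" -eq "$replicas" ] ||
    { echo "view has $size members, expected $replicas: $members" >&2; return 1; }
  i=0; rc=0
  while [ "$i" -lt "$replicas" ]; do
    case ", $members," in
      *", keycloak-$i,"*) ;;
      *) echo "keycloak-$i missing from view: $members" >&2; rc=1 ;;
    esac
    i=$((i + 1))
  done
  return "$rc"
}

# Live use: dump a pod's log and compare it with the StatefulSet replica count.
# Only runs when explicitly requested so the functions can be tested offline.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  kubectl logs keycloak-0 > /tmp/keycloak-0.log
  check_cluster_formed /tmp/keycloak-0.log "${REPLICAS:?set to the StatefulSet replica count}"
fi
```

Running `RUN_CHECK=1 REPLICAS=4 sh check-cluster.sh` after step 4 gives a non-zero exit when a replica is missing from the view, which is the symptom of a pod that started but never joined the JGroups cluster.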