JimmiHsieh edited this page Sep 10, 2019 · 4 revisions

Preparations:

  1. Install the Google Cloud SDK (it includes kubectl).
  2. Install Docker.
  3. Set up a GCP project.

Create Cloud SQL (PostgreSQL)

  1. Create a PostgreSQL instance through the GCP console.
  2. Enable "Private IP".
  3. Go to Users -> change the user password.

Enable the Cloud SQL Admin API (used by the Cloud SQL Proxy)

  1. Go to the GCP console -> click [APIs & Services] and select [Library]
    -> type "Cloud SQL" in the search bar
    -> enable "Cloud SQL Admin API" and "Cloud SQL".
  2. Go to the GCP console -> click [IAM & admin] -> Service accounts
    -> click [Create Service Account]
    -> enter the service account name keycloak-master -> Create.
  3. Select the role Cloud SQL Admin -> Continue.
  4. Create a key of type JSON -> save it to a file (key.json).

Push the Keycloak Docker image to Google Container Registry

(We currently use Keycloak 7.0.0; it did not work with 6.0.1 and we do not know why.)

  1. export PROJECT_ID="$(gcloud config get-value project -q)"
  2. sudo docker pull jboss/keycloak:7.0.0
  3. sudo docker tag jboss/keycloak:7.0.0 asia.gcr.io/${PROJECT_ID}/keycloak
     (tag the pulled 7.0.0 image explicitly; a bare jboss/keycloak refers to :latest, which was not pulled)
  4. sudo docker push asia.gcr.io/${PROJECT_ID}/keycloak

Create the GKE cluster

  1. gcloud container clusters create auth-cluster --num-nodes=3
  2. gcloud container clusters get-credentials auth-cluster

Create a Kubernetes secret from the JSON key file.

  1. kubectl create secret generic cloudsql-instance-credentials \
       --from-file=credentials.json="{secret_dir}/key.json"

Deploy Cloud SQL Proxy

  1. Replace the DB instance name in proxy/proxy-deployment.yaml.
  2. kubectl apply -f proxy/

Using a Google-managed SSL certificate

  1. Reserve a global static IP address:
     gcloud compute addresses create example-auth-ip --global
  2. Look up the reserved address:
     gcloud compute addresses describe example-auth-ip --global

Set up the GCP managed certificate (takes about 10 to 20 minutes).

  1. kubectl apply -f certificate/auth-certificate.yaml
  2. kubectl describe managedcertificate

Deploy Keycloak as a StatefulSet

  1. Create the Keycloak instances:
    kubectl apply -f keycloak-statefulset.yaml

  2. Create the headless service:
    kubectl apply -f keycloak-headless.yaml

  3. Create the load balancer service:
    kubectl apply -f keycloak-service.yaml

  4. Expose the service via Ingress (takes more than 10 minutes):
    kubectl apply -f keycloak-ingress.yaml

  5. Configure the DNS records for your domain to point to the IP address of the load balancer.

  6. Verify that cluster discovery succeeded; the Keycloak log should show lines like:
    10:39:01,203 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN100000: Node keycloak-2 joined the cluster
    10:39:01,205 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|14] (4) [keycloak-0, keycloak-1, keycloak-3, keycloak-2]
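The cluster-view check in step 6 can be done mechanically instead of by eye. The following is an added example, not part of this wiki: a POSIX shell script that parses the ISPN000094 line and verifies that every StatefulSet replica is a member, assuming 4 replicas as in the view shown above; the sample log is constructed from the lines above.

```shell
#!/bin/sh
# Added example (not from the wiki): check that all Keycloak StatefulSet
# replicas appear in the latest Infinispan cluster view logged by keycloak-0.
# Uses only POSIX sh, grep, sed, sort, tr and wc.

# Constructed sample log excerpt, modelled on the lines shown in step 6.
SAMPLE_LOG='10:39:01,203 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN100000: Node keycloak-2 joined the cluster
10:39:01,205 INFO [org.infinispan.CLUSTER] (thread-101,ejb,keycloak-0) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|14] (4) [keycloak-0, keycloak-1, keycloak-3, keycloak-2]'

# Read a log on stdin and print the members of the most recent
# "Received new cluster view" line, sorted and space-separated.
cluster_view_members() {
  grep 'ISPN000094' | tail -n 1 \
    | sed -n 's/.*([0-9]*) \[\(.*\)\]$/\1/p' \
    | tr -d ',' | tr ' ' '\n' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Read a log on stdin; return 0 if the latest view lists exactly
# keycloak-0 .. keycloak-(N-1) for N="$1", otherwise report and return 1.
check_cluster_view() {
  expected_replicas="$1"
  members="$(cluster_view_members)"
  rc=0
  i=0
  while [ "$i" -lt "$expected_replicas" ]; do
    case " $members " in
      *" keycloak-$i "*) ;;
      *) echo "missing from cluster view: keycloak-$i" >&2; rc=1 ;;
    esac
    i=$((i + 1))
  done
  count=$(printf '%s\n' "$members" | wc -w | tr -d ' ')
  [ "$count" -eq "$expected_replicas" ] \
    || { echo "unexpected member count: $count" >&2; rc=1; }
  return $rc
}

# Demo on the constructed sample. Against a live cluster you would pipe
# the real log instead:  kubectl logs keycloak-0 | check_cluster_view 4
printf '%s\n' "$SAMPLE_LOG" | check_cluster_view 4 \
  && echo "all 4 replicas joined the cluster"
```

A stale view (for example after a pod restart) shows up as a missing member or a wrong count, which is the case the check is meant to catch.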
