TLS Enablement for Stateful Components

This procedure redeploys the existing PostgreSQL and Keycloak releases to enable SSL/TLS support. The PostgreSQL persistent volume claim is deleted along the way, so the database contents are lost unless a backup exists: take a backup before starting, and restore it once PostgreSQL has been redeployed.

Take a Backup of PostgreSQL

For backup and restore details, please see this guide

Deploy Static Certificates

Change the directory to

cd CX-4.10.2/kubernetes

Apply the TLS secrets for the external components:-

kubectl apply -f pre-deployment/static-tls/postgresql-tls.yaml

PostgreSQL

Delete the PostgreSQL license-manager ConfigMap (it is recreated further below)

kubectl -n ef-external delete configmap ef-postgresql-license-manager-cm

Uninstall the PostgreSQL Helm chart

helm uninstall -n ef-external ef-postgresql 

Delete the PVC for PostgreSQL. This removes the stored database data, so do not continue unless the backup from the first step has completed.

kubectl -n ef-external delete pvc data-ef-postgresql-0

Download the values.yaml file locally to customise the parameter values.

helm show values expertflow/postgresql > helm-values/ef-postgresql-custom-values.yaml

Update the values file helm-values/ef-postgresql-custom-values.yaml as shown below. Choose a strong password; the same value must be used later as externalDatabase.password in the Keycloak values, since Keycloak authenticates to this database with it:-

auth:
  password: "<CHANGE_PASSWORD>"

For a Worker HA deployment, add the following tolerations:-

  tolerations: 
    - key: "node.kubernetes.io/unreachable"
      operator: "Exists"
      effect: "NoExecute"
      tolerationSeconds: 60 # Evict after 60 seconds of being unreachable
    - key: "node.kubernetes.io/not-ready"
      operator: "Exists"
      effect: "NoExecute"
      tolerationSeconds: 60 # Evict after 60 seconds of being not-ready

Create the ConfigMap for PostgreSQL

kubectl -n ef-external create configmap ef-postgresql-license-manager-cm --from-file=./pre-deployment/licensemanager/licensemanager.sql

Deploy PostgreSQL

helm upgrade --install=true --namespace=ef-external --values=helm-values/ef-postgresql-custom-values.yaml ef-postgresql expertflow/postgresql

Once PostgreSQL is deployed successfully, copy the TLS secret into the expertflow namespace (the applications there need the CA certificate to validate the database server certificate) by executing the command below, then confirm that ef-postgresql-crt now exists in the expertflow namespace. The sed substitution only rewrites the namespace field; the secret data is copied unchanged.

kubectl get secret ef-postgresql-crt -n ef-external  -o yaml | sed 's/namespace: ef-external/namespace: expertflow/' | kubectl create -f -

Manual Verification

Export all the certificate files from the secret using the following commands. The directory and files are made readable by the current user only, because tls.key is the server's private key. (The earlier version of this loop did not close the range in its Go template and silently discarded the error, which left the files empty; the index form below reads each key directly.)

mkdir -p /tmp/postgresql_certs/ && chmod 700 /tmp/postgresql_certs/
CERTFILES=($(kubectl get secret ef-postgresql-crt -n ef-external -o go-template='{{range $k,$v := .data}}{{$k}}{{"\n"}}{{end}}'))
for f in "${CERTFILES[@]}"; do
  kubectl get secret ef-postgresql-crt -n ef-external -o go-template="{{index .data \"$f\" | base64decode}}" > /tmp/postgresql_certs/"$f"
done
chmod 600 /tmp/postgresql_certs/*

Export Postgres Password:-

export POSTGRES_PASSWORD=$(kubectl get secret --namespace ef-external ef-postgresql -o jsonpath="{.data.password}" | base64 -d)

Start a PostgreSQL client pod and connect as the sa user by running this command. This confirms reachability and the credentials only; psql's default sslmode is prefer, so a successful login does not by itself show that the session is encrypted:-

kubectl run ef-postgresql-client --rm --tty -i --restart='Never' --namespace ef-external --image docker.io/bitnami/postgresql:14.5.0-debian-11-r21 --env="PGPASSWORD=$POSTGRES_PASSWORD" \
      --command -- psql --host ef-postgresql -U sa -d licenseManager -p 5432
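The client session above only proves that the database answers and the credentials work. The script below is an added example, not part of the Expertflow documentation or charts, that verifies the TLS material and the negotiated session: it dumps the secret with owner-only permissions, checks that tls.crt chains to ca.crt, is unexpired and names the host, connects with sslmode=verify-full and reads pg_stat_ssl for its own session, and finally attempts a plaintext connection to report whether TLS is merely available or actually enforced. It assumes (none of this is stated on the page) that the secret keys are ca.crt, tls.crt and tls.key, that the name in PGHOST is one of the certificate's DNS SANs, that kubectl, openssl and psql are available where it runs with network access to the ef-postgresql service (for example a pod in the cluster), and that POSTGRES_PASSWORD was exported as in the step above. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added TLS verification script; not part of the Expertflow documentation or charts.
# Assumptions (not stated on the page): the secret ef-postgresql-crt carries the keys
# ca.crt, tls.crt and tls.key; PGHOST is one of the DNS SANs in tls.crt; kubectl, openssl
# and psql are on PATH; POSTGRES_PASSWORD was exported from the ef-postgresql secret.
set -eu

NS="${NS:-ef-external}"
SECRET="${SECRET:-ef-postgresql-crt}"
CERT_DIR="${CERT_DIR:-/tmp/postgresql_certs}"
PGHOST="${PGHOST:-ef-postgresql}"            # must equal a DNS SAN in tls.crt for verify-full
PGUSER="${PGUSER:-sa}"
PGDATABASE="${PGDATABASE:-licenseManager}"
export PGPASSWORD="${PGPASSWORD:-${POSTGRES_PASSWORD:-}}"

# Write every key of the secret into CERT_DIR. Directory and files are owner-only
# because tls.key is the server's private key.
dump_secret() {
  mkdir -p "$CERT_DIR" && chmod 700 "$CERT_DIR"
  for key in $(kubectl -n "$NS" get secret "$SECRET" \
               -o go-template='{{range $k, $_ := .data}}{{$k}}{{"\n"}}{{end}}'); do
    kubectl -n "$NS" get secret "$SECRET" \
      -o go-template="{{index .data \"$key\" | base64decode}}" > "$CERT_DIR/$key"
    chmod 600 "$CERT_DIR/$key"
  done
}

# Succeed only when the three files a client-side verification needs exist and are non-empty.
have_cert_files() {
  dir="$1"
  for f in ca.crt tls.crt tls.key; do
    [ -s "$dir/$f" ] || return 1
  done
}

# Check that tls.crt chains to ca.crt, has not expired, and lists $2 as a DNS SAN.
check_server_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null
  openssl x509 -in "$dir/tls.crt" -noout -checkend 0 >/dev/null
  openssl x509 -in "$dir/tls.crt" -noout -text | grep -qE "DNS:$host(,|$)"
}

# Accept a psql -tA row "ssl|version|cipher" from pg_stat_ssl only when the session is
# encrypted with TLS 1.2 or 1.3; anything older is treated as a failure.
tls_row_ok() {
  row="$1"
  ssl="${row%%|*}"
  version="$(printf '%s' "$row" | cut -d'|' -f2)"
  [ "$ssl" = "t" ] || return 1
  case "$version" in
    TLSv1.2|TLSv1.3) return 0 ;;
    *) return 1 ;;
  esac
}

# Connect with full certificate and hostname verification and ask the server what it negotiated.
check_live_tls() {
  row="$(psql "host=$PGHOST dbname=$PGDATABASE user=$PGUSER sslmode=verify-full sslrootcert=$CERT_DIR/ca.crt" \
         -tA -c "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();")"
  echo "pg_stat_ssl for this session: $row"
  tls_row_ok "$row"
}

# Negative check: if pg_hba only allows hostssl entries, a plaintext connection must be refused.
plaintext_refused() {
  ! psql "host=$PGHOST dbname=$PGDATABASE user=$PGUSER sslmode=disable" -tA -c "SELECT 1;" >/dev/null 2>&1
}

# Run the checks only when invoked as: sh verify-postgresql-tls.sh --run
if [ "${1:-}" = "--run" ]; then
  dump_secret
  have_cert_files "$CERT_DIR" || { echo "missing ca.crt/tls.crt/tls.key in $CERT_DIR"; exit 1; }
  check_server_cert "$CERT_DIR" "$PGHOST"
  check_live_tls
  if plaintext_refused; then
    echo "plaintext connection refused: TLS is enforced"
  else
    echo "WARNING: plaintext connection accepted; TLS is available but not enforced"
  fi
fi
```

The SAN check runs before the live connection so that a PGHOST that does not match the certificate fails with a clear certificate error rather than an opaque verify-full handshake failure. The plaintext attempt is reported rather than treated as fatal, because whether hostssl-only access is configured depends on the chart's pg_hba settings, which this page does not describe.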

Now restore the backup for PostgreSQL using this guide

Create subscription_order table for License Manager

This script has all the commands to add the subscription_order table for License Manager.

# Log in to the PostgreSQL client
# On your terminal, execute the command below.
helm -n ef-external status ef-postgresql
# It prints the steps to connect with the PostgreSQL client.
# Execute the command printed after the text "To get the password for "postgres" run:". It starts with the keyword "export".
# Then execute the command printed after the text "To get the password for "sa" run:". It also starts with the keyword "export".
# Then execute the command printed after the text "To connect to your database, run the following command:". It spans 3 lines, so copy all of it and paste it to execute it.
# You should now see the prompt "licenseManager=>". If not, press Enter once.
# At this prompt, execute the following statement to create the subscription_order table
CREATE TABLE public.subscription_order (
    subscription_id INT NOT NULL,
    order_id INT NOT NULL,
    PRIMARY KEY (subscription_id, order_id)
);
# Verify that the table was created with "\dt" (without quotes). It lists the tables in the current database (licenseManager), not the databases on the server.
# Finally, execute "\q" to quit the client.

Keycloak

Uninstall the Keycloak Helm Chart

helm uninstall -n ef-external keycloak

Remove the existing Ingress for Keycloak

kubectl delete ingress keycloak -n ef-external

Delete the ConfigMap

kubectl delete configmap ef-keycloak-config -n ef-external

Clone the values file and update the parameter values

helm show values expertflow/keycloak > helm-values/ef-keycloak-custom-values.yaml

Edit helm-values/ef-keycloak-custom-values.yaml: set the ingress FQDN and the PostgreSQL database password. The password must match the auth.password value set for PostgreSQL above, since Keycloak uses it to authenticate to that database; do not leave a sample value in place.

global:
  ingressRouter: <DEFAULT-FQDN>
externalDatabase:
  password: "<CHANGE_PASSWORD>"

The default Keycloak deployment uses the PostgreSQL instance running inside the same Kubernetes cluster. When using a managed PostgreSQL database instance instead, update the externalDatabase parameters with that instance's connection details.

For Worker HA deployments, add the following tolerations:-

tolerations:
    - key: "node.kubernetes.io/unreachable"
      operator: "Exists"
      effect: "NoExecute"
      tolerationSeconds: 60 # Evict after 60 seconds of being unreachable
    - key: "node.kubernetes.io/not-ready"
      operator: "Exists"
      effect: "NoExecute"
      tolerationSeconds: 60 # Evict after 60 seconds of being not-ready

Keycloak Deployment

Keycloak is used as the centralized authentication and authorization component for Expertflow CX. Follow these steps to set up Keycloak.

Now deploy Keycloak by running the following command. Note that --debug makes Helm print the user-supplied values, the computed values and the rendered manifest to the terminal, and these include the database password; drop the flag unless you are troubleshooting and the session output is not being logged.

helm upgrade --install=true --debug --namespace=ef-external --values=helm-values/ef-keycloak-custom-values.yaml keycloak expertflow/keycloak

Check the status of the Keycloak deployment by using the following command

kubectl -n ef-external rollout status sts keycloak