TLS Enablement for Stateful Components
This procedure requires redeployment of the existing solution to enable SSL/TLS support in PostgreSQL and Keycloak. Take a backup before proceeding with the procedure below, and restore it when the procedure is complete.
Take a Backup of PostgreSQL
For backup and restore details, see this guide.
Deploy Static Certificates
Change the directory to
cd CX-4.10.2/kubernetes
Apply the TLS secrets for the external components:
kubectl apply -f pre-deployment/static-tls/postgresql-tls.yaml
PostgreSQL
Delete the PostgreSQL ConfigMap:
kubectl -n ef-external delete configmap ef-postgresql-license-manager-cm
Uninstall the PostgreSQL Helm chart
helm uninstall -n ef-external ef-postgresql
Delete the PVC for PostgreSQL
kubectl -n ef-external delete pvc data-ef-postgresql-0
Download the values.yaml file locally to customise the parameter values.
helm show values expertflow/postgresql > helm-values/ef-postgresql-custom-values.yaml
Update the values file helm-values/ef-postgresql-custom-values.yaml as shown below:
auth:
  password: "<CHANGE_PASSWORD>"
For Worker HA deployments, add the following tolerations:
tolerations:
  - key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60 # Evict after 60 seconds of being unreachable
  - key: "node.kubernetes.io/not-ready"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60 # Evict after 60 seconds of being not-ready
Create the ConfigMap for PostgreSQL:
kubectl -n ef-external create configmap ef-postgresql-license-manager-cm --from-file=./pre-deployment/licensemanager/licensemanager.sql
Deploy PostgreSQL:
helm upgrade --install=true --namespace=ef-external --values=helm-values/ef-postgresql-custom-values.yaml ef-postgresql expertflow/postgresql
Once PostgreSQL is deployed successfully, copy the TLS certificate secret into the expertflow namespace by executing:
kubectl get secret ef-postgresql-crt -n ef-external -o yaml | sed 's/namespace: ef-external/namespace: expertflow/' | kubectl create -f -
Manual Verification
Export all certificate files from the secret using the following commands:
mkdir -p /tmp/postgresql_certs/
CERTFILES=($(kubectl get secret ef-postgresql-crt -n ef-external -o go-template='{{range $k,$v := .data}}{{$k}}{{"\n"}}{{end}}'))
for f in ${CERTFILES[*]}; do kubectl get secret ef-postgresql-crt -n ef-external -o go-template='{{range $k,$v := .data}}{{ if eq $k "'$f'"}}{{$v | base64decode}}{{end}}' > /tmp/postgresql_certs/${f} 2>/dev/null; done
Export the PostgreSQL password:
export POSTGRES_PASSWORD=$(kubectl get secret --namespace ef-external ef-postgresql -o jsonpath="{.data.password}" | base64 -d)
Start a PostgreSQL client pod by running this command:
kubectl run ef-postgresql-client --rm --tty -i --restart='Never' --namespace ef-external --image docker.io/bitnami/postgresql:14.5.0-debian-11-r21 --env="PGPASSWORD=$POSTGRES_PASSWORD" \
--command -- psql --host ef-postgresql -U sa -d licenseManager -p 5432
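The psql session above proves that the client can reach the database, but not that the connection is actually encrypted. The following added script (not taken from the Expertflow documentation) tunnels to the ef-postgresql Service and checks, through pg_stat_ssl, that its own session was negotiated with TLS 1.2 or newer against the exported CA. It assumes a local psql binary, the POSTGRES_PASSWORD variable from the previous step, and that the CA from ef-postgresql-crt was written to /tmp/postgresql_certs/ca.crt (the key name ca.crt is an assumption; use whatever file name the export loop produced).

```shell
#!/bin/sh
# Added TLS verification example; this is not part of the Expertflow
# documentation. Assumptions: psql is installed locally, POSTGRES_PASSWORD is
# exported as in the step above, and the CA exported from ef-postgresql-crt
# landed at /tmp/postgresql_certs/ca.crt (adjust to the secret's real key).
set -eu

# Judge one row of
#   SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();
# as printed by `psql -At` (pipe-separated). Returns 0 only when the backend
# reports an encrypted session on TLS 1.2 or newer with a non-empty cipher.
check_ssl_row() {
  IFS='|' read -r ssl version cipher <<EOF
$1
EOF
  [ "${ssl:-}" = "t" ] || return 1
  [ -n "${cipher:-}" ] || return 1
  case "${version:-}" in
    TLSv1.2|TLSv1.3) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the libpq URI. sslmode=verify-ca makes psql refuse any server whose
# certificate does not chain to the exported CA, so a plaintext fallback or a
# wrong certificate cannot connect. verify-full is not usable through the
# port-forward, since the server appears as localhost, not its real name.
build_conn_uri() {
  printf 'postgresql://%s@%s:%s/%s?sslmode=verify-ca&sslrootcert=%s' \
    "$1" "$2" "$3" "$4" "$5"
}

# Tunnel to the ef-postgresql Service, query pg_stat_ssl for our own session,
# and fail loudly if the session is not protected by modern TLS.
verify_postgres_tls() {
  kubectl -n ef-external port-forward svc/ef-postgresql 15432:5432 >/dev/null 2>&1 &
  pf=$!
  sleep 3   # give the tunnel a moment to come up
  row=$(PGPASSWORD="$POSTGRES_PASSWORD" psql \
        "$(build_conn_uri sa localhost 15432 licenseManager /tmp/postgresql_certs/ca.crt)" \
        -At -c "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();") || row=''
  kill "$pf"
  if check_ssl_row "$row"; then
    echo "TLS OK: $row"
  else
    echo "TLS check FAILED: '$row'" >&2; return 1
  fi
}
```

Call verify_postgres_tls after the export steps; a non-zero exit means the server is either not speaking TLS or is presenting a certificate that does not chain to the exported CA.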
Now restore the PostgreSQL backup using this guide.
Create subscription_order table for License Manager
This script has all the commands to add the subscription_order table for License Manager.
# Log in to the Postgres client.
# On your terminal, execute the command below.
helm -n ef-external status ef-postgresql
# It returns the steps needed to connect to the PostgreSQL client.
# Execute the command returned after the text "To get the password for "postgres" run:". It should start with the keyword "export".
# Then execute the next command returned after the text "To get the password for "sa" run:". It should also start with the keyword "export".
# Then execute the command returned after the text "To connect to your database, run the following command:". It spans 3 lines, so copy all of it and paste it to execute it.
# You should now see a prompt reading "licenseManager=>". If not, press Enter to make it appear.
# At this prompt, execute the following statement to create the subscription_order table:
CREATE TABLE public.subscription_order (
    subscription_id INT NOT NULL,
    order_id        INT NOT NULL,
    PRIMARY KEY (subscription_id, order_id)
);
# After executing it, verify the table exists with the meta-command "\dt" (without quotes); it lists the tables in the current database.
# Finally, execute "\q" to quit the client.
Keycloak
Uninstall the Keycloak Helm Chart
helm uninstall -n ef-external keycloak
Remove the existing Ingress for Keycloak
kubectl delete ingress keycloak -n ef-external
Delete the ConfigMap
kubectl delete cm ef-keycloak-config -n ef-external
Clone the values file and update the parameter values
helm show values expertflow/keycloak > helm-values/ef-keycloak-custom-values.yaml
Edit helm-values/ef-keycloak-custom-values.yaml and update the password for the PostgreSQL database:
global:
  ingressRouter: <DEFAULT-FQDN>
externalDatabase:
  password: "Expertflow123"
The default Keycloak deployment uses PostgreSQL running inside the same Kubernetes cluster. When using a managed PostgreSQL database instance, update the parameters above with the relevant connection details.
For Worker HA deployments, add the following tolerations:
tolerations:
  - key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60 # Evict after 60 seconds of being unreachable
  - key: "node.kubernetes.io/not-ready"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60 # Evict after 60 seconds of being not-ready
Keycloak Deployment
Keycloak is used as the centralized authentication and authorization component for Expertflow CX. Follow these steps to set up Keycloak.
Deploy Keycloak by running the following command:
helm upgrade --install=true --debug --namespace=ef-external --values=helm-values/ef-keycloak-custom-values.yaml keycloak expertflow/keycloak
Check the Keycloak installation status by running the following command:
kubectl -n ef-external rollout status sts keycloak