en Installation Kubernetes (comments)
Our installation bundle for the comment server on Kubernetes consists of several files:
In the following, we assume that you know how to use Dockerfiles and .yml configuration files in Kubernetes.
Dockerfile*
The three Dockerfiles contain the instructions on how to create the three containers needed for commenting. The containers created in this way must then be pushed into your docker registry in order to use them in Kubernetes.
Files comments-keycloak-theme, commenting.jar, nginx.conf, keycloak-docker-entrypoint.sh
These files are used by the Dockerfiles to create the individual containers. A modification is usually not necessary here.
*-kubernetes-*.yml
The five YAML files contain the configurations for Kubernetes to be able to start our service. These serve as orientation and adjustments may be necessary depending on your Kubernetes configuration.
The 0-kubernetes-ns.yml defines the namespace in which the graphomate comments entities are created in Kubernetes.
The 1-kubernetes-role.yml defines the roles necessary to allow graphomate services to read the configurations.
The 2-kubernetes-config.yml file defines various configuration parameters for our service. This includes the connection details for the databases where the comments and users are stored. These can also be stored in the same database. This requires two schemas in PostgreSQL. So far, we have also been able to successfully test MSSQL on Azure without schemas. The configuration for this is somewhat more complex than for PostgreSQL and can be explained by us if required. The definition for the mail server is also done here. This is used to notify a user mentioned in a comment by mail.
In the 3-kubernetes-secrets.yml, access data for the databases, the mail server and the initial administrator are maintained. These are Base64 encoded as usual for Kubernetes.
In 4-kubernetes-deployment.yml, the three containers needed for our service are configured. In our example, these are all united in a pod and use temporary in-memory volumes. Of course, you are free to use other, for example persistent, volumes and to distribute the containers in different pods for better load balancing. However, in the case of the keycloak container, this requires a relatively complex configuration and an adaptation of the nginx.conf for the Nginx container, which we will not go into here.
Installation process
The three Docker containers have to be created with the Dockerfiles we deliver and pushed into your Docker registry used by kubernetes.
After the configuration parameters and secrets have been adjusted, they should be applied in Kubernetes. Apart from creating a database and the schemas, our service takes care of the rest of the configuration of the database itself once the service is started for the first time.
In front of port 80 of the Nginx container, for example, you should set an ingress controller that takes over the SSL termination and exposes the port to the outside secured with SSL. Further ports on our service are not necessary, as the Nginx container acts here as a reverse proxy.
After the first start, the client secret must be read from the Keycloak UI under <server URL>/auth for the "frontend" client. This should then be inserted into the Kubernetes secrets under "KEYCLOAK_CLIENT_SECRET". A subsequent restart of the containers is necessary.
Once you have successfully installed the service, there are three things you can do to check that it is working:
At the root URL to the service, a JSON should appear with information about the service and the installed version.
<Server URL>/auth should open the user interface of Keycloak, where you can log in with the initial admin user data by clicking on "Administration Console". Here you can also connect other ident providers to our service. For example, Active Directory via SAML and external OAuth providers. For more information, please consult the Keycloak documentation.
Finally, please check whether our user interface for the backend appears under <server URL>/commenting/administration/. Here you can, with a valid user (e.g. the admin again), view existing comments, edit them and also create new ones. You have the option of creating new users and authorising them to use context combinations.