ENDOC-521 Tutorial correction: Connect to an External Keycloak Instance #534
Conversation
| kind: Secret | ||
| metadata | ||
| name: keycloak-admin-secret | ||
| namespace: YOUR-APP-NAMESPACE | ||
| type: Opaque | ||
|
|
||
| The client for the admin user will automatically detect this Secret by name and use it to log in to the Keycloak server at the specified URL. |
There was a problem hiding this comment.
"The client for the admin user.." -> "Entando will use these admin credentials via the named Secret in order to make use of the Keycloak APIs to provision the entando realm"
|
|
||
| Upload the Secret to the namespace where you want to deploy your Entando instance: | ||
|
|
||
| oc create -f YOUR-SECRET.yaml -n YOUR-NAMESPACE |
There was a problem hiding this comment.
We should change this to kubectl apply -f ..., to match the later command, instead of oc.
| > `echo YOUR-VALUE | base64` | ||
| > To encode a value in bash, use `echo YOUR-SECRET-VALUE | base64` | ||
|
|
||
| ### 3. Upload the Secret |
There was a problem hiding this comment.
Upload is the wrong term. Either apply or create would be better, maybe just Create the Secret.
| Now you are ready to deploy your Entando application and the | ||
| administrator will reuse the *keycloak-admin-secret* secret to populate | ||
| the environment correctly. | ||
| You are now ready to deploy your Entando Application. The admin user clien will reuse *keycloak-admin-secret* to populate the environment correctly. |
There was a problem hiding this comment.
I would still include the article - the keycloak-admin-secret since it refers to that specific secret.
| password: #the password of this Keycloak admin user | ||
| url: #the base url of the Keycloak service, typically ending with the path /auth | ||
| password: #the password of the Keycloak admin user | ||
| url: #the base URL of the Keycloak service, typically ending with the path /auth | ||
| kind: Secret | ||
| metadata | ||
| name: keycloak-admin-secret | ||
| namespace: YOUR-APP-NAMESPACE |
There was a problem hiding this comment.
Maybe we should simplify this tutorial like we've done elsewhere, replace YOUR-APP-NAMESPACE with entando, and YOUR-SECRET with keycloak-admin-secret. That allows the user to apply the commands as-is in a quickstart env without changes. In a custom impl, they will need to customize it regardless.
|
|
||
| - The base url for the Keycloak server, including the auth value, e.g. | ||
| https://your-keycloak-instance.com/auth | ||
| > **Note** When connecting an external Keycloak instance to Entando, it is best practice to exclusively enter the admin credentials of a service account dedicated to the management and tracking of system changes. |
There was a problem hiding this comment.
I'm not sure this has quite the meaning. Typically, you want to use a dedicated service account when connecting two systems, rather than an individual user's account. That way if the credentials change or you need to know who made a change you can tell the difference between the activities. Maybe just "... it is a good practice to provide the credentials for a dedicated service account."
| provisioningStrategy: UseExternal | ||
| adminSecretName: keycloak-admin-secret | ||
| frontEndUrl: >- | ||
| http://<keycloak_url>/auth |
| Now you are ready to deploy your Entando application and the | ||
| administrator will reuse the *keycloak-admin-secret* secret to populate | ||
| the environment correctly. | ||
| You are now ready to deploy your Entando Application. Entando will reuse the *keycloak-admin-secret* to populate the environment correctly. |
|
|
||
| - An admin user for the "entando" realm | ||
| - A realm named "entando" in that instance | ||
| - Admin user credentials for the "entando" realm |
There was a problem hiding this comment.
These are the credentials (username/password) for the service account that has the correct level of admin permissions
| @@ -2,75 +2,83 @@ | |||
|
|
|||
| ## Purpose | |||
|
|
|||
| This tutorial enables the Entando administrator to leverage an existing | |||
| Keycloak instance. | |||
| This tutorial details how an Entando instance can be connected to an existing Keycloak instance by an admin user of the Keycloak instance. | |||
There was a problem hiding this comment.
instance is repeated 3 times in this sentence
| @@ -2,75 +2,83 @@ | |||
|
|
|||
| ## Purpose | |||
There was a problem hiding this comment.
Don't think we need this header as we haven't been using it in other tutorials
| use. | ||
|
|
||
| Specifically you will need: | ||
| ### 1. Get Keycloak information |
| the provided Keycloak server. | ||
|
|
||
| Here is an example of the secret you will need to construct: | ||
| Generate a Secret named *keycloak-admin-secret* with the information retrieved in Step 1. For example: |
There was a problem hiding this comment.
should keycloak-admin-secret be backticked?
|
|
||
| oc create -f YOUR-SECRET.yaml -n YOUR-NAMESPACE | ||
|
|
||
| ### 4. Create a YAML configuration file |
There was a problem hiding this comment.
maybe level 3 header doesn't need all caps but I think that's what we've been doing elsewhere. Same below
| kind: EntandoKeycloakServer | ||
| metadata: | ||
| name: external-keycloak | ||
| namespace: {{ namespace }} |
There was a problem hiding this comment.
are these brackets correct? I looked it up and it said something about evaluating the variable inside the brackets but in this case, I don't know if it applies. I've never noticed brackets around the namespace
| Next upload the secret to the namespace where you want to deploy your | ||
| Entando instance. | ||
| ``` | ||
| kubectl apply -f YOUR-YAML-FILE.yaml -n YOUR-NAMESPACE |
There was a problem hiding this comment.
should YOUR-NAMESPACE match up with the YAML file above?
| Now you are ready to deploy your Entando application and the | ||
| administrator will reuse the *keycloak-admin-secret* secret to populate | ||
| the environment correctly. | ||
| You are now ready to deploy your Entando Application. The admin user clien will reuse *keycloak-admin-secret* to populate the environment correctly. |
first commit is a placeholder pending discussion