Platform deployment
TODO: This should be captured in scripts for automated setup.
This repository includes manifests for deployment in OpenShift under `/.openshift`. The micro-services communicate over APIs and RabbitMQ, so deployment into other hosting environments is also possible.
Prerequisites
A few prerequisites are needed to set up an ADSP deployment:
- Keycloak is used as an IAM solution. Realms provide tenants with user access management under their own administrative control.
- RabbitMQ is used as a messaging framework and work queue in some platform services.
- Databases for platform micro-services. Containerized databases are not included in the deployment manifests, and managed options are recommended.
Keycloak configuration
Master realm configuration
The tenant service creates realms for new tenants using a service account.
- Create a confidential client with a service account.
- Grant the service account role(s) to create and modify realms.
Core realm configuration
Platform micro-services make requests under a non-tenant ‘core’ context. This is handled with a ‘core’ realm in Keycloak.
- Create a ‘core’ realm in Keycloak.
- Create a public client with Standard Flow enabled for the tenant administration application: `urn:ads:platform:tenant-admin-app`.
- Create confidential clients with service accounts for `urn:ads:platform:subscriber-gateway` and `urn:ads:platform:api-docs-app`.
- Create confidential clients with service accounts for backend micro-services including:
  - `urn:ads:platform:tenant-service`
  - `urn:ads:platform:event-service`
  - `urn:ads:platform:value-service`
  - …
- Create service client roles:
  - In `urn:ads:platform:value-service`, create `value-reader` and `value-writer` roles.
  - In `urn:ads:platform:event-service`, create the `event-sender` role.
  - In `urn:ads:platform:configuration-service`, create the `configured-service` role.
  - In `urn:ads:platform:notification-service`, create the `subscription-app` role.
  - In `urn:ads:platform:verify-service`, create `code-generator` and `code-verifier` roles.
  - In `urn:ads:platform:tenant-service`, create the `platform-service` role, enable composite roles, and add the `event-sender` and `configured-service` client roles from above.
- Assign roles to clients:
  - Grant the service accounts the `platform-service` role.
  - Grant `urn:ads:platform:event-service` the `value-writer` role.
  - Grant `urn:ads:platform:notification-service` the `code-generator` and `code-verifier` roles.
  - Grant `urn:ads:platform:subscriber-gateway` and `urn:ads:platform:form-service` the `subscription-app` role.
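Because these grants are made by hand, it is worth checking afterwards that each service account holds exactly the roles listed and nothing more. The script below is an added example (not part of this repository) that reads the direct client-role grants of a service account through the Keycloak Admin REST API and diffs them against the assignments above; it assumes an admin client with client credentials in the master realm, a Keycloak base URL without the legacy `/auth` prefix, and reads "the service accounts" in the `platform-service` step as every account it checks.

```python
import json
import urllib.parse
import urllib.request

# Role grants to service accounts taken from the notes above:
# client with the service account -> {(client that owns the role, role name)}.
EXPECTED_GRANTS = {
    "urn:ads:platform:event-service": {("urn:ads:platform:value-service", "value-writer")},
    "urn:ads:platform:notification-service": {("urn:ads:platform:verify-service", "code-generator"),
                                              ("urn:ads:platform:verify-service", "code-verifier")},
    "urn:ads:platform:subscriber-gateway": {("urn:ads:platform:notification-service", "subscription-app")},
    "urn:ads:platform:form-service": {("urn:ads:platform:notification-service", "subscription-app")},
}
# Assumption: "grant the service accounts platform-service" applies to every account checked.
PLATFORM_ROLE = ("urn:ads:platform:tenant-service", "platform-service")

def get_token(base_url, realm, client_id, client_secret):
    """Client-credentials token for an admin client (e.g. the master realm client)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
        "client_id": client_id, "client_secret": client_secret}).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(url, body) as resp:
        return json.load(resp)["access_token"]

def admin_get(base_url, token, path):
    """GET a Keycloak Admin REST API path and decode the JSON response."""
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def grants_from_mappings(mappings):
    """Flatten a MappingsRepresentation into {(owner clientId, role name)}."""
    return {(owner, role["name"])
            for owner, entry in mappings.get("clientMappings", {}).items()
            for role in entry.get("mappings", [])}

def fetch_grants(base_url, token, realm, client_id):
    """Direct client-role grants held by client_id's service-account user."""
    clients = admin_get(base_url, token,
                        f"/admin/realms/{realm}/clients?clientId={urllib.parse.quote(client_id)}")
    user = admin_get(base_url, token,
                     f"/admin/realms/{realm}/clients/{clients[0]['id']}/service-account-user")
    return grants_from_mappings(admin_get(
        base_url, token, f"/admin/realms/{realm}/users/{user['id']}/role-mappings"))

def diff_grants(client_id, actual, expected=EXPECTED_GRANTS):
    """Compare actual grants with the notes; returns (missing, unexpected)."""
    wanted = set(expected.get(client_id, set())) | {PLATFORM_ROLE}
    return sorted(wanted - actual), sorted(actual - wanted)
```

Composite membership (the `event-sender` and `configured-service` roles folded into `platform-service`) does not appear in `role-mappings`; it is a property of the role itself and is checked separately if needed.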
RabbitMQ configuration
Some platform services communicate over RabbitMQ. The required exchange and queue configuration is defined in the code, but the accounts must be created manually. All accounts should access a common vhost in RabbitMQ.
- Create accounts for platform services including:
- event-service
- notification-service
- push-service
- file-service
Additional services can be modified to use RabbitMQ for configuration cache invalidation.
OpenShift configuration
References for configuration in the form of ConfigMaps and Secrets are included in the `/.openshift/configuration` directory. These resources need to be manually created within the environment with configuration values. Other deployment resources are contained in templates under the `/.openshift/managed` directory and are automatically applied by the `deliver-ci` workflow.
- Create projects for ‘build’, ‘dev’, ‘uat’, and ‘prod’ environments in OpenShift.
- Set appropriate values in the ConfigMaps and Secrets and apply to environments.
- Create a service account in ‘build’ with edit permission to other projects for the pipeline.
- Process and apply managed templates, and/or set service account token in GitHub for the pipeline.