Helm (Vendor neutral)

This guide walks you through deploying D1 Storage or D1 Generic to a Kubernetes cluster, with Keycloak for OIDC and Redis as storage.

To follow this guide, you will need to have a running Kubernetes cluster.

Keycloak

Add the Bitnami repository to Helm

helm repo add bitnami https://charts.bitnami.com/bitnami

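The easiest way to configure Keycloak is to create a JSON file with the realm configuration. A good starting point is shown below; replace the // placeholder comments with real values before use, since JSON does not allow comments: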

{
  "id": "d1",
  "realm": "d1",
  "enabled": true,
  "groups": [
    // Insert the groups you want to be created automatically
    // For example
    // {
    //   "name": "admin",
    //   "path": "/admin"
    // },
    // {
    //   "name": "dev",
    //   "path": "/dev"
    // }
  ],
  "clients": [
    {
      "clientId": "d1",
      "redirectUris": [
        // Insert the needed redirect URLs
      ],
      "publicClient": true,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": true,
      "protocolMappers": [
        {
          "name": "Add groups",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-group-membership-mapper",
          "consentRequired": false,
          "config": {
            "full.path": "false",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "groups",
            "userinfo.token.claim": "true"
          }
        },
        {
          "name": "Add audience",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-audience-mapper",
          "consentRequired": false,
          "config": {
            "included.client.audience": "d1",
            "id.token.claim": "true",
            "access.token.claim": "true"
          }
        }
      ]
    }
  ]
}

Then install Keycloak using the Helm chart

helm install my-release bitnami/keycloak \
--set auth.adminUser=<ADMIN_USER> \
--set auth.adminPassword=<ADMIN_PASSWORD> \
--set keycloakConfigCli.enabled=true \
--set-file keycloakConfigCli.configuration."realm\.json"=<file>
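
A pre-flight check for the realm file passed to --set-file above, as an added example that is not part of the original guide or the D1 project. The function names, the constructed sample realm and the policy choices (flagging wildcard or plaintext redirect URIs and implicit flow on a public client) are assumptions of this example.

```python
import json

# Constructed sample: the realm above with placeholders filled in (illustrative values).
SAMPLE_REALM = json.dumps({"realm": "d1", "enabled": True, "clients": [{
    "clientId": "d1",
    "redirectUris": ["https://d1.example.com/callback", "http://*"],
    "publicClient": True, "standardFlowEnabled": True, "implicitFlowEnabled": True,
    "protocolMappers": [{
        "protocolMapper": "oidc-group-membership-mapper",
        "config": {"claim.name": "groups", "access.token.claim": "true"}}],
}]})

def has_mapper(client, kind, key, value):
    """True if the client has a mapper of this type that sets key=value on access tokens."""
    for m in client.get("protocolMappers", []):
        cfg = m.get("config", {})
        if (m.get("protocolMapper") == kind and cfg.get(key) == value
                and cfg.get("access.token.claim") == "true"):
            return True
    return False

def lint_realm(text, client_id="d1"):
    """Return findings for a realm import file; an empty list means nothing was flagged."""
    try:
        realm = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (leftover // comment or trailing comma?): {exc}"]
    client = next((c for c in realm.get("clients", [])
                   if c.get("clientId") == client_id), None)
    if client is None:
        return [f"client {client_id!r} is not defined"]
    findings = []
    uris = client.get("redirectUris", [])
    if not uris:
        findings.append("redirectUris is empty")
    findings += [f"wildcard redirect URI: {u}" for u in uris if "*" in u]
    findings += [f"plaintext redirect URI: {u}" for u in uris if u.startswith("http://")]
    if client.get("publicClient") and client.get("implicitFlowEnabled"):
        findings.append("implicit flow enabled on a public client")
    if not has_mapper(client, "oidc-group-membership-mapper", "claim.name", "groups"):
        findings.append("no 'groups' claim mapper on access tokens")
    if not has_mapper(client, "oidc-audience-mapper", "included.client.audience", client_id):
        findings.append(f"no audience mapper for {client_id!r}")
    return findings

if __name__ == "__main__":
    for finding in lint_realm(SAMPLE_REALM):
        print("FINDING:", finding)
```

Run it against your own file by passing its contents to lint_realm; a file that still contains the // placeholders is reported as invalid JSON.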

Deployment

You first need to deploy K1 using our Helm chart.

helm install k1 oci://ghcr.io/cybercryptio/helm-charts/k1 --version 1.0.2 \
--set k1.keyprovider.standalone.initKey=<64 hex digit key> \
--set postgresql.auth.database="k1" \
--set postgresql.auth.username=<DB user name> \
--set postgresql.auth.password=<DB user password>

Once the deployment is successful, create a new Key Set and get the Key Initialization Key:

export KS_ID=$(kubectl exec -it deployments/k1 -- /k1 newKeySet 2> /dev/null | tail -n 3 | jq -r ".KsID")
kubectl exec -it deployments/k1 -- /k1 newKik --ksid=$KS_ID

You are now ready to deploy D1 Storage or D1 Generic using our Helm charts. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:

config:
  keys:
    provider: "k1"

    k1:
      endpoint: <K1 endpoint>
      kik: <KIK obtained earlier>
      kik: <KIK ID obtained earlier>

  id:
    provider: "oidc"

    oidc:
      issuer: <Keycloak realm endpoint>
      clientid: <OIDC client ID>
      signingalg: "RS256"
      claimtranslation: <Your desired claim translation>

You can then deploy D1 Storage or D1 Generic:

helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-storage --version 1.0.0 --values values.yaml
# OR
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-generic --version 1.0.0 --values values.yaml