Creating new deployment targets manually

Overview

This guide explains how to set up and configure a deployment target manually, without using the k5-project custom resource and the operator that is installed by IBM Industry Solutions Workbench.

Create needed Bindings/Secrets for Service Projects

The following examples show the bindings/secrets that are needed for starting the deployed service projects. Please adjust the namespace and the values accordingly.

IAM configuration

kind: Secret
apiVersion: v1
metadata:
  name: k5-default-iam-service-binding
  namespace: k5-deployment-target
# stringData takes plaintext; values under data would have to be base64-encoded
stringData:
  oidc.issuer: https://keycloak-sso.apps.openshift.cloud/auth/realms/k5-deployment-target
  oidc.jwkUri: https://keycloak-sso.apps.openshift.cloud/auth/realms/k5-deployment-target/protocol/openid-connect/certs
type: Opaque
---
kind: Secret
apiVersion: v1
metadata:
  name: dashboard-oauth-client-secret
  namespace: k5-deployment-target
# stringData takes plaintext; values under data would have to be base64-encoded
stringData:
  client.id: dashboard-client
  client.secret: PxvjHXXFwNQxG56taV14FbkZDUwrI
  issuer: https://keycloak-sso.apps.openshift.cloud/auth/realms/k5-deployment-target
  realm: k5-deployment-target
  token.endpoint: https://keycloak-sso.apps.openshift.cloud/auth/realms/k5-deployment-target/protocol/openid-connect/token
type: Opaque

MongoDB connection string

kind: Secret
apiVersion: v1
metadata:
  name: k5-default-document-storage-service-binding
  namespace: k5-deployment-target
# stringData takes plaintext; values under data would have to be base64-encoded
stringData:
  binding: '{"uri":"mongodb://user:password@mongodb.mongodb.svc.cluster.local:27017/admin?ssl=true"}'
type: Opaque

AMQ Streams/Kafka login configuration

Only needed if events are used.

kind: Secret
apiVersion: v1
metadata:
  name: k5-default-message-service-binding
  namespace: k5-deployment-target
# stringData takes plaintext; values under data would have to be base64-encoded
stringData:
  binding: '{"kafka_brokers_sasl":["kafka-kafka-bootstrap.foundation.svc:9093"],"user":"kafka-user","password":"password","saslJaasConfigLoginModuleQualifiedName":"org.apache.kafka.common.security.scram.ScramLoginModule","saslMechanism":"SCRAM-SHA-512"}'
type: Opaque

URL for the schema registry

Only needed if a schema registry is used.

kind: Secret
apiVersion: v1
metadata:
  name: k5-schema-registry-binding
# stringData takes plaintext; Secret values must be strings, so the boolean is quoted
stringData:
  securityEnabled: "false"
  url: https://schema-registry.apps.openshift.cloud
type: Opaque

Truststore

Here you can add all required certificates that the services should trust.

kind: Secret
apiVersion: v1
metadata:
  name: k5-truststore
  namespace: k5-deployment-target
data:
  mongo_cert: LS0t...UtLS0tLQo=
  kafka_cert: LS0t...US0tLQo=
  keycloak_cert: LS0t...LS0tLQo=
type: Opaque
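
Added example, not part of the original guide or of IBM Industry Solutions Workbench: a Secret's data field only accepts base64-encoded values (as in the truststore above), while plaintext belongs under stringData. The helpers make_secret and check_secret are hypothetical names; the sketch builds a correctly encoded binding Secret and checks a manifest for values that would be rejected or misread. The sample binding is constructed from the placeholder values on this page.

```python
import base64
import binascii
import json


def make_secret(name, namespace, values):
    """Return a Secret manifest (dict) with every value base64-encoded under data."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


def check_secret(manifest):
    """Return a list of problems found in the manifest's data values."""
    problems = []
    for key, value in manifest.get("data", {}).items():
        try:
            decoded = base64.b64decode(str(value), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"data.{key}: not valid base64")
            continue
        # The service bindings on this page carry a JSON document in "binding".
        if key == "binding":
            try:
                json.loads(decoded)
            except ValueError:
                problems.append("data.binding: decoded value is not JSON")
    return problems


# Constructed sample values (placeholders, not real credentials).
MONGO_BINDING = json.dumps(
    {"uri": "mongodb://user:password@mongodb.mongodb.svc.cluster.local:27017/admin?ssl=true"}
)
GOOD = make_secret("k5-default-document-storage-service-binding",
                   "k5-deployment-target", {"binding": MONGO_BINDING})
# Same Secret with the plaintext JSON placed directly under data.
BAD = dict(GOOD, data={"binding": MONGO_BINDING})

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))  # a JSON manifest can be applied like YAML
    print(check_secret(BAD))
```

A plaintext value that happens to be valid base64, such as the placeholder password, passes this check and would be decoded to different bytes, so generate data values with an encoder or use stringData rather than typing them by hand.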

Create needed ServiceAccount and RoleBinding for Service Projects

Please create the following service account and the corresponding role binding, which will be used by the service projects, and ensure that the service account has permission (image pull secret) to pull the needed images.

kind: ServiceAccount
apiVersion: v1
metadata:
  name: k5-viewer-sa
  namespace: k5-deployment-target
imagePullSecrets:
  - name: k5-image-pull-secret
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k5-viewer-rb
  namespace: k5-deployment-target
subjects:
  - kind: ServiceAccount
    name: k5-viewer-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view