The ForgeRock Deployment for Cloud Readiness
1 like571 views
This document discusses ForgeRock's support for deploying identity and access management products in cloud environments using DevOps practices. It provides examples of deploying OpenAM and OpenDJ using Docker containers and Kubernetes, and references code repositories containing Dockerfiles, Kubernetes manifests, and configuration files to automate deployment. The document also notes some limitations in ForgeRock products for stateless operations and discusses configuration approaches for different products.
The ForgeRock Deployment for Cloud Readiness
- 1. Patryk Królikowski ForgeRock Deployment for Cloud Readiness
- 2. Generics
- 3. Copyright © 2017 ForgeRock, all rights reserved. 3 VS
- 4. Copyright © 2017 ForgeRock, all rights reserved. 4
- 5. Copyright © 2017 ForgeRock, all rights reserved. 5 Configuration as an artefact
- 6. Copyright © 2017 ForgeRock, all rights reserved. 6 GUI as config editor
- 7. Copyright © 2017 ForgeRock, all rights reserved. 7 Container friendliness
- 8. Copyright © 2017 ForgeRock, all rights reserved. 8 12 Factor Container friendly Config as an artefact (Infrastructure as Code)
- 9. Copyright © 2017 ForgeRock, all rights reserved. Lingo 9 helm install stable/mysql images containersdocker files K8s manifests helm / charts yaml
- 10. Copyright © 2017 ForgeRock, all rights reserved. what we support DevOps with? Sample Dockerfiles: ★ backstage account needed ★ NO images Sample Kubernetes Manifests ★ for dev/test Support for deployments using Docker Images 10
- 11. Copyright © 2017 ForgeRock, all rights reserved. DevOps Examples Minikube / Kubernetes on Google Container Engine: ★ OpenAM / DJ ★ OpenIDM ★ OpenIG 11
- 12. Copyright © 2017 ForgeRock, all rights reserved. something more for Cloud? ForgeRock Service Broker ★ for Cloud Foundry ★ allows Cloud Foundry apps to access OAuth2 features of our stack ★ automates OAuth2 client profile creation ★ package for installation in Cloud Foundry 12
- 15. Copyright © 2017 ForgeRock, all rights reserved. Autonomous Server ★ No crosstalk, no special servers ★ CTS - sole source of state for all tokens ★ Throw me more servers 15
- 16. Copyright © 2017 ForgeRock, all rights reserved. amster ★ realizes configuration as an artefact approach What is it? ★ interacts with OpenAM via REST based API ★ lightweight OpenAM configurator ★ export/import configs as JSON 16 connect http://www.example.com:8080/openam -k /Users/demo/ keyfile import-config --path /Users/demo/am-config :exit
- 17. Copyright © 2017 ForgeRock, all rights reserved. is that all? … well … no ★ bootstrap - boot.json ★ Agents 5 - no more callbacks - websocket channel based communications 17
- 19. Copyright © 2017 ForgeRock, all rights reserved. I was (almost) born for DevOps ★ JSON/REST friendly ★ export/import config but…. ★ I still require cluster aware persistence layer but my parents love me … ★ dynamic cluster handling ★ Immutable Server Configuration ★ config read on startup and stored in memory (not repo) ‣ read only config for PROD and r/w for DEV 19
- 21. Copyright © 2017 ForgeRock, all rights reserved. … me too … ★ stateless ★ I scale easily ★ configs / scripts as an artefact but…. ★ JWT session tokens must use the same key: ‣ same keystore across nodes ‣ distribution via Kubernetes secret volumes 21
- 23. Copyright © 2017 ForgeRock, all rights reserved. … well, I’m a pet ★ stable network identity ★ stable storage ★ sharding- all tokens with same ID go to same DJ backend ★ in samples we base on Kubernetes StatefulSet feature. 23 SOURCE: https://www.pinterest.com/pin/539095017866111126/
- 24. Copyright © 2017 ForgeRock, all rights reserved. Caveats OpenAM ★ browser AuthN is stateful = sticky sessions on LB ★ no direct config export to GIT ★ still some of the OpenAM settings require restart = redeploy container OpenIDM ★ JDBC repo available as pre-requirement ★ clusters - node list not modified = may grow fast 24
- 25. Copyright © 2017 ForgeRock, all rights reserved. Configurations Immutable vs mutable: ★ Config baked into docker image ★ Difficult for OpenAM - shared config store ★ OpenIDM easier and even easier with 5.5 ★ OpenIG - well supported 25
- 26. Toolkit
- 27. Copyright © 2017 ForgeRock, all rights reserved. OpenAM / OpenDJ example 27
- 28. Copyright © 2017 ForgeRock, all rights reserved. Sample setup 28 kubctl docker minikube helm fretes tiller pod Pod Docker EngineKubernetes Minikube VM
- 29. Copyright © 2017 ForgeRock, all rights reserved. Resources Docker build files: https://stash.forgerock.org/scm/docker/docker.git Kubernetes deployment examples: https://stash.forgerock.org/scm/docker/fretes.git Scripts and JSON configs for configuring the AM/DJ/IDM/IG: https://stash.forgerock.org/scm/cloud/forgeops-init.git Samples for OpenIG: https://github.com/ForgeRock/openig-devops-guide 29
- 30. Deploy AM/DJ in 5 :)