libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6
keycloak-scim/docs/guides/high-availability/partials/aurora/aurora-create-peering-connections.adoc

215 lines
5.3 KiB
Text
Raw Normal View History

Adding a Keycloak High Availability section to Keycloak's docs The content was moved over from the Keycloak Benchmark subproject. Closes #24844 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Pedro Ruivo <pruivo@redhat.com> Co-authored-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Kamesh Akella <kakella@redhat.com> Co-authored-by: Ryan Emerson <remerson@redhat.com> Co-authored-by: Anna Manukyan <amanukya@redhat.com> Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Stian Thorgersen <stian@redhat.com> Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: AndyMunro <amunro@redhat.com>
2023-11-23 12:27:47 +00:00
. Retrieve the Aurora VPC
+
.Command:
[source,bash]
----
aws ec2 describe-vpcs \
--filters "Name=tag:AuroraCluster,Values=keycloak-aurora" \
--query 'Vpcs[*].VpcId' \
--region eu-west-1 \
--output text
----
+
.Output:
[source]
----
vpc-0b40bd7c59dbe4277
----
+
. Retrieve the ROSA cluster VPC
.. Login to the ROSA cluster using `oc`
.. Retrieve the ROSA VPC
+
.Command:
[source,bash]
----
NODE=$(kubectl get nodes --selector=node-role.kubernetes.io/worker -o jsonpath='{.items[0].metadata.name}')
aws ec2 describe-instances \
--filters "Name=private-dns-name,Values=${NODE}" \
--query 'Reservations[0].Instances[0].VpcId' \
--region eu-west-1 \
--output text
----
+
.Output:
[source]
----
vpc-0b721449398429559
----
+
. Create Peering Connection
+
.Command:
[source,bash]
----
aws ec2 create-vpc-peering-connection \
--vpc-id vpc-0b721449398429559 \# <1>
--peer-vpc-id vpc-0b40bd7c59dbe4277 \# <2>
--peer-region eu-west-1 \
--region eu-west-1
----
<1> ROSA cluster VPC
<2> Aurora VPC
+
.Output:
[source,json]
----
{
"VpcPeeringConnection": {
"AccepterVpcInfo": {
"OwnerId": "606671647913",
"VpcId": "vpc-0b40bd7c59dbe4277",
"Region": "eu-west-1"
},
"ExpirationTime": "2023-11-08T13:26:30+00:00",
"RequesterVpcInfo": {
"CidrBlock": "10.0.17.0/24",
"CidrBlockSet": [
{
"CidrBlock": "10.0.17.0/24"
}
],
"OwnerId": "606671647913",
"PeeringOptions": {
"AllowDnsResolutionFromRemoteVpc": false,
"AllowEgressFromLocalClassicLinkToRemoteVpc": false,
"AllowEgressFromLocalVpcToRemoteClassicLink": false
},
"VpcId": "vpc-0b721449398429559",
"Region": "eu-west-1"
},
"Status": {
"Code": "initiating-request",
"Message": "Initiating Request to 606671647913"
},
"Tags": [],
"VpcPeeringConnectionId": "pcx-0cb23d66dea3dca9f"
}
}
----
+
. Wait for Peering connection to exist
+
.Command:
[source,bash]
----
aws ec2 wait vpc-peering-connection-exists --vpc-peering-connection-ids pcx-0cb23d66dea3dca9f
----
+
. Accept the peering connection
+
.Command:
[source,bash]
----
aws ec2 accept-vpc-peering-connection \
--vpc-peering-connection-id pcx-0cb23d66dea3dca9f \
--region eu-west-1
----
+
.Output:
[source,json]
----
{
"VpcPeeringConnection": {
"AccepterVpcInfo": {
"CidrBlock": "192.168.0.0/16",
"CidrBlockSet": [
{
"CidrBlock": "192.168.0.0/16"
}
],
"OwnerId": "606671647913",
"PeeringOptions": {
"AllowDnsResolutionFromRemoteVpc": false,
"AllowEgressFromLocalClassicLinkToRemoteVpc": false,
"AllowEgressFromLocalVpcToRemoteClassicLink": false
},
"VpcId": "vpc-0b40bd7c59dbe4277",
"Region": "eu-west-1"
},
"RequesterVpcInfo": {
"CidrBlock": "10.0.17.0/24",
"CidrBlockSet": [
{
"CidrBlock": "10.0.17.0/24"
}
],
"OwnerId": "606671647913",
"PeeringOptions": {
"AllowDnsResolutionFromRemoteVpc": false,
"AllowEgressFromLocalClassicLinkToRemoteVpc": false,
"AllowEgressFromLocalVpcToRemoteClassicLink": false
},
"VpcId": "vpc-0b721449398429559",
"Region": "eu-west-1"
},
"Status": {
"Code": "provisioning",
"Message": "Provisioning"
},
"Tags": [],
"VpcPeeringConnectionId": "pcx-0cb23d66dea3dca9f"
}
}
----
+
. Update ROSA cluster VPC route-table
+
.Command:
[source,bash]
----
ROSA_PUBLIC_ROUTE_TABLE_ID=$(aws ec2 describe-route-tables \
--filters "Name=vpc-id,Values=vpc-0b721449398429559" "Name=association.main,Values=true" \# <1>
--query "RouteTables[*].RouteTableId" \
--output text \
--region eu-west-1
)
aws ec2 create-route \
--route-table-id ${ROSA_PUBLIC_ROUTE_TABLE_ID} \
--destination-cidr-block 192.168.0.0/16 \# <2>
--vpc-peering-connection-id pcx-0cb23d66dea3dca9f \
--region eu-west-1
----
<1> ROSA cluster VPC
<2> This must be the same as the cidr-block used when creating the Aurora VPC
+
. Update the Aurora Security Group
+
.Command:
[source,bash]
----
AURORA_SECURITY_GROUP_ID=$(aws ec2 describe-security-groups \
--filters "Name=group-name,Values=keycloak-aurora-security-group" \
--query "SecurityGroups[*].GroupId" \
--region eu-west-1 \
--output text
)
aws ec2 authorize-security-group-ingress \
--group-id ${AURORA_SECURITY_GROUP_ID} \
--protocol tcp \
--port 5432 \
--cidr 10.0.17.0/24 \# <1>
--region eu-west-1
----
<1> The "machine_cidr" of the ROSA cluster
+
.Output:
[source,json]
----
{
"Return": true,
"SecurityGroupRules": [
{
"SecurityGroupRuleId": "sgr-0785d2f04b9cec3f5",
"GroupId": "sg-0d746cc8ad8d2e63b",
"GroupOwnerId": "606671647913",
"IsEgress": false,
"IpProtocol": "tcp",
"FromPort": 5432,
"ToPort": 5432,
"CidrIpv4": "10.0.17.0/24"
}
]
}
----
Reference in a new issue Copy permalink