acs-sso-example
An example Chart to demonstrate how to compose your own Alfresco platform with SSO on kubernetes using a nthrid party Keycloak. if you’re familiar with Helm & Kubernetes taking a look at the values.yaml should be enough but the principals are also documented in two differents steps:
- Composing your ACS from individual component charts we provide. Check the step by step documentation
- SSO integration, to add keycloak and configure Alfresco applications accordingly: SSO guide
Note: this chart is just an example that can run on a localhost only. It ships ACS repo, the repository database, the message broker, the Keycloak IdP and front end applications (Share and Content app) & no other component.
:warning: All components have persistence disabled so all data is lost after a deployment is destroyed or rolled back!
Homepage: https://www.alfresco.com
Source Code
Requirements
| Repository | Name | Version |
|---|---|---|
| https://alfresco.github.io/alfresco-helm-charts/ | activemq | 3.6.2 |
| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-content-app(alfresco-adf-app) | 0.2.2 |
| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-repository | 0.10.0 |
| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-share | 1.4.0 |
| https://codecentric.github.io/helm-charts | keycloakx | 6.0.0 |
| oci://registry-1.docker.io/bitnamicharts | repository-database(postgresql) | 13.4.0 |
Values
| Key | Type | Default | Description |
|---|---|---|---|
| activemq | object | check values.yaml | Configure the ACS ActiveMQ message broker as per https://github.com/Alfresco/alfresco-helm-charts/tree/activemq-3.4.1/charts/activemq |
| alfresco-content-app | object | check values.yaml | Configure the Alfresco Conent-app as per https://github.com/Activiti/activiti-cloud-common-chart/tree/8.2.0/charts/common |
| alfresco-repository | object | check values.yaml | Configure the ACS repository as per https://github.com/Alfresco/alfresco-helm-charts/tree/alfresco-repository-0.1.3/charts/alfresco-repository |
| alfresco-share | object | check values.yaml | Configure the Alfresco Share as per https://github.com/Alfresco/alfresco-helm-charts/tree/alfresco-share-0.3.0/charts/alfresco-share |
| global.known_urls | list | ["http://localhost"] | list of trusted URLs. URLs a re used to configure Cross-origin protections Also the first entry is considered the main hosting domain of the platform. |
| keycloakx | object | check values.yaml | Configure the ACS Keycloak Identity provider as per https://github.com/codecentric/helm-charts/tree/keycloakx-2.3.0 |
| keycloakx.admin.password | string | random ascii string | Keycloak admin password. By default generated on first deployment, to get its value use:kubectl get secrets keycloak -o jsonpath='{@.data.KC_BOOTSTRAP_ADMIN_PASSWORD}' | base64 -d |
| keycloakx.admin.realm[0] | object | {"clients":[{"attributes":{"display.on.consent.screen":false,"oauth2.device.authorization.grant.enabled":false,"oidc.ciba.grant.enabled":false,"use.refresh.tokens":false},"clientId":"alfresco","enabled":true,"implicitFlowEnabled":true,"publicClient":true,"redirectUris":"{{- $redirectUris := list }} {{- range (index (include \"alfresco-common.known.urls\" $ | mustFromJson) \"known_urls\") }} {{- $redirectUris = append $redirectUris (printf \"%s/*\" .) }} {{- end }} {{- $redirectUris }}","standardFlowEnabled":true,"webOrigins":"{{ index (include \"alfresco-common.known.urls\" $ | mustFromJson) \"known_urls\" }}"}],"defaultLocale":"en","enabled":true,"id":"alfresco","internationalizationEnabled":true,"loginTheme":"alfresco","realm":"alfresco","sslRequired":"none","supportedLocales":["ca","de","en","es","fr","it","ja","lt","nl","no","pt-BR","ru","sv","zh-CN"],"users":[{"credentials":[{"type":"password","value":"secret"}],"email":"admin@example.org","enabled":true,"firstName":"admin","lastName":"admin","username":"admin"}]} | Alfresco Realm definition |
| keycloakx.admin.realm[0].users[0] | object | {"credentials":[{"type":"password","value":"secret"}],"email":"admin@example.org","enabled":true,"firstName":"admin","lastName":"admin","username":"admin"} | default Alfresco admin user |
| keycloakx.admin.realm[0].users[0].credentials[0].value | string | "secret" | default Alfresco admin password |
| keycloakx.admin.username | string | "admin" | Keycloak admin username |
| keycloakx.command | list | ["/opt/keycloak/bin/kc.sh","start","--hostname=http://localhost/auth","--hostname-backchannel-dynamic=true","--health-enabled=true","--http-enabled=true","--http-port=8080","--import-realm"] | hostname-backchannel-dynamic is only needed if you want to use the backchannel authentication flow. This is needed when the client application can only access the Keycloak server via an internal hostname (such as localhost). |
| repository-database | object | check values.yaml | Configure the ACS repository Postgres database as per https://github.com/bitnami/charts/tree/002c752f871c8fa068a770dc80fec4cf798798ab/bitnami/postgresql |