Deploying WSO2 Identity Server in Kubernetes

ajanthan
6 min read, May 6, 2019


In this post, I am going to walk through how to deploy WSO2 Identity Server on Kubernetes. If you are going to deploy on a full Kubernetes cluster, there is detailed official documentation from WSO2 on how to do it.

A basic understanding of Kubernetes is needed to follow this guide. There are plenty of resources out there for getting that understanding; the official Kubernetes documentation alone is good enough.

For any deployment on a proper multi-node Kubernetes setup, whether on the big clouds (AWS, Azure and GCP), on-premise or even bare metal, I would recommend the official guide above.

If you want to deploy locally in a Minikube environment, unfortunately the above resource doesn't work without a few modifications. The purpose of this post is to guide you through deploying WSO2 Identity Server on Minikube, using the above resource as a basis with a few modifications.

Installing Minikube

As a first step, make sure you have Minikube set up with enough memory and CPU allocated. 4 CPUs and 8 GB of memory is more than enough for this deployment.

Installing Ingress Controller

An ingress controller is needed to access WSO2 Identity Server from the browser. Setting up the ingress controller with SSL passthrough is simpler than doing SSL termination at the ingress, and this is the approach taken by the official guide from WSO2. The ingress controller addon of Minikube doesn't support SSL passthrough, so instead of the addon we have to deploy a modified Kubernetes manifest that runs the ingress controller with SSL passthrough enabled. I have a GitHub repository with the required manifests. Clone the repository, copy the manifests to the ~/.minikube/addons location and restart Minikube.

git clone https://github.com/ajanthan/minikube-ingress-with-ssl-passthrough.git
cd minikube-ingress-with-ssl-passthrough
cp *.yaml ~/.minikube/addons
minikube stop
minikube start

Installing WSO2 Identity Server

Updating Configurations

Clone the WSO2 Kubernetes resource git repository locally. We are going to modify it to fit Minikube. If you want to skip modifying the configurations and jump straight into deploying, I have an updated repository with all the changes already made. You can use it to deploy MySQL and WSO2 Identity Server without going through the following steps.

git clone https://github.com/wso2/kubernetes-is.git

A persistent volume is used to store the data generated by the MySQL pod and the WSO2 Identity Server pod. By default, NFS is used as the persistent volume provider. For a Minikube-based local setup, using the hostPath persistent volume type simplifies the deployment, since it doesn't require any NFS server: it simply mounts a folder from the host machine. To switch the WSO2 Identity Server persistent volume configuration and the MySQL configuration to hostPath, make the following changes.

For MySQL:

For WSO2 IS:

When hostPath persistence is used with Minikube, the container needs root access to use the attached volume, since the Minikube VM doesn't have any non-root users, and creating a non-root user in the Minikube VM is not straightforward either. To keep things simple, here we are going to run the WSO2 Identity Server container and the MySQL container as root. Running containers as root is strictly not recommended in production, but for demo purposes we can do it. Make the following changes to run the containers as the root user.

MySQL container:

WSO2 IS container:

The default WSO2 Identity Server pod uses an image which requires a trial license from WSO2, because it contains bug-fix patches that are under a commercial license. In this exercise, we are going to use the open-source version of the images from the official Docker Hub.

For a single-node demo deployment, clustering is not needed. The official Kubernetes guide has clustering enabled; let's disable it as follows.

Now we are ready to deploy the setup. We are going to deploy a single-node WSO2 Identity Server without analytics in the default namespace. The official guide has a script to deploy or undeploy the setup, but here we are going to use kubectl to deploy everything manually.

I have committed the above changes to my own fork of the original repository. In the end, your checkout should contain the changes shown in that commit history.

Deploying MySQL

Execute the following commands from the checkout directory to create the persistent volume and its claim for MySQL.

kubectl create -f is/extras/rdbms/mysql/mysql-persistent-volume-claim.yaml
kubectl create -f is/extras/rdbms/volumes/persistent-volumes.yaml

A ConfigMap with the scripts that populate the WSO2-specific schema needs to be deployed.

kubectl create configmap mysql-dbscripts --from-file=is/extras/confs/rdbms/mysql/dbscripts/

Create the MySQL Deployment and Service to spin up the pod and expose it internally as a service.

kubectl create -f is/extras/rdbms/mysql/mysql-deployment.yaml
kubectl create -f is/extras/rdbms/mysql/mysql-service.yaml

Wait a few minutes and the MySQL pod will be up and running.

Deploying WSO2 Identity Server

The next step is deploying WSO2 Identity Server. First, the service account and the volumes need to be created.

kubectl create serviceaccount wso2svc-account
kubectl create -f is/volumes/persistent-volumes.yaml
kubectl create -f is/identity-server-volume-claims.yaml

Then the ConfigMaps with all the customized configurations for Kubernetes need to be applied.

kubectl create configmap identity-server-conf --from-file=is/confs/
kubectl create configmap identity-server-conf-axis2 --from-file=is/confs/axis2/
kubectl create configmap identity-server-conf-datasources --from-file=is/confs/datasources/
kubectl create configmap identity-server-conf-identity --from-file=is/confs/identity/

Then the Deployment for WSO2 Identity Server needs to be applied.

kubectl create -f is/identity-server-deployment.yaml

Wait until the server is up and running. You can check the logs of the WSO2 IS pod to determine whether the server has started.

kubectl logs <WSO2 IS POD name> -f
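Instead of tailing the log by hand, the start-up check can be scripted. The following is an added example and not code from the original post or from the wso2/kubernetes-is repository. It assumes two things that are not stated on the page: that the pod name contains "identity-server" (the Deployment file is identity-server-deployment.yaml) and that the server prints the usual Carbon start-up marker "WSO2 Carbon started in N sec" once it is ready. The sample log excerpts inside the script are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post or the wso2/kubernetes-is repo).
# Polls the WSO2 IS pod log until the Carbon start-up marker appears.
# Assumptions: the pod name contains "identity-server" and the server logs
# "WSO2 Carbon started in N sec" once it is ready.
set -e

# carbon_started_in_log TEXT: succeeds once the start-up marker is in the log text
carbon_started_in_log() {
    case $1 in
        *"WSO2 Carbon started in"*) return 0 ;;
        *) return 1 ;;
    esac
}

# carbon_error_count TEXT: number of ERROR-level lines; worth reading even after a
# successful start, since a broken datasource or keystore shows up here first
carbon_error_count() {
    printf '%s\n' "$1" | grep -c ' ERROR ' || true
}

# find_wso2is_pod: name of the first pod whose name contains "identity-server"
find_wso2is_pod() {
    kubectl get pods -o name | sed -n 's#^pod/##p' | grep identity-server | head -n 1
}

# wait_for_wso2is [ATTEMPTS] [INTERVAL_SECONDS]: poll the log until started or timed out
wait_for_wso2is() {
    attempts=${1:-60}; interval=${2:-10}
    pod=$(find_wso2is_pod)
    [ -n "$pod" ] || { echo "no identity-server pod found" >&2; return 1; }
    i=0
    while [ "$i" -lt "$attempts" ]; do
        log=$(kubectl logs "$pod" 2>/dev/null || true)
        if carbon_started_in_log "$log"; then
            echo "$pod is up; ERROR lines so far: $(carbon_error_count "$log")"
            return 0
        fi
        i=$((i + 1)); sleep "$interval"
    done
    echo "timed out waiting for $pod" >&2
    return 1
}

# Constructed sample log excerpts (not real captures) used to exercise the checks.
SAMPLE_STARTING='[2019-05-06 10:00:01,000]  INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} -  Starting WSO2 Carbon...
[2019-05-06 10:00:02,000]  INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} -  Operating System : Linux'
SAMPLE_STARTED="$SAMPLE_STARTING
[2019-05-06 10:00:40,000] ERROR {org.wso2.carbon.identity.core.util.IdentityConfigParser} -  Sample error line
[2019-05-06 10:00:45,000]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} -  WSO2 Carbon started in 45 sec"

# Usage: sh wait-wso2is.sh wait   (polls the live pod; needs kubectl pointed at Minikube)
if [ "${1:-}" = "wait" ]; then
    wait_for_wso2is
fi
```

The error count is printed on purpose: a pod that reports "started" but logged an ERROR while wiring its datasources usually means the MySQL schema ConfigMap or the JDBC settings are wrong, which is easier to spot here than on the login page.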

Once the server is up and running, you can create the Service and the Ingress resource.

kubectl create -f is/identity-server-service.yaml
kubectl create -f is/ingresses/identity-server-ingress.yaml

The final step of the deployment is adding a DNS entry for the WSO2 IS hostname. To get the IP address for the hostname, issue the following command to obtain the Minikube IP.

minikube ip

Then update your /etc/hosts file with the following entry, using the IP address you got in the previous step.

192.168.64.6 wso2is
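The Minikube IP is not guaranteed to stay the same if the VM is recreated, so the hosts entry is something you end up redoing. The following script is an added example, not part of the original post; it replaces any existing mapping for the hostname rather than appending a duplicate, and refuses to write anything that does not look like an IPv4 address. The `minikube ip` command is the one from the page; the file path is taken as an argument so the logic can be tried on a scratch file before touching /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the original post): keep the /etc/hosts entry for the
# WSO2 IS hostname in sync with the current Minikube IP. Safe to run repeatedly.
set -e

# is_ipv4 STRING: succeeds only for a dotted-quad address
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# hosts_ip_for FILE HOSTNAME: prints the IP currently mapped to HOSTNAME (empty if none)
hosts_ip_for() {
    awk -v h="$2" '$0 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1"
}

# update_hosts_entry FILE IP HOSTNAME
# Drops every non-comment line that maps HOSTNAME (the whole line, including any
# other names on it) and appends a single fresh "IP HOSTNAME" line.
update_hosts_entry() {
    file=$1; ip=$2; host=$3
    is_ipv4 "$ip" || { echo "refusing to write non-IPv4 value '$ip'" >&2; return 1; }
    tmp=$(mktemp)
    awk -v h="$host" '
        $0 ~ /^#/ { print; next }
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == h) keep = 0; if (keep) print }
    ' "$file" > "$tmp"
    printf '%s %s\n' "$ip" "$host" >> "$tmp"
    cat "$tmp" > "$file"   # cat (not mv) keeps the hosts file's owner and mode
    rm -f "$tmp"
}

# Usage: sudo sh update-hosts.sh apply [HOSTS_FILE]
if [ "${1:-}" = "apply" ]; then
    update_hosts_entry "${2:-/etc/hosts}" "$(minikube ip)" wso2is
    echo "wso2is -> $(hosts_ip_for "${2:-/etc/hosts}" wso2is)"
fi
```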

Now you can access the management console of WSO2 IS at https://wso2is/carbon.
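The reason for SSL passthrough in the ingress section above is that the browser should be talking TLS to WSO2 Identity Server itself, not to the ingress controller. A quick way to confirm that is to look at which certificate the client actually receives: when ingress-nginx terminates TLS itself and has no certificate for the host, it serves its built-in placeholder with the subject "Kubernetes Ingress Controller Fake Certificate"; with passthrough working you see the certificate from the server's own keystore instead. The check below is an added example, not code from the original post or from WSO2; it assumes openssl is installed and that wso2is resolves via the /etc/hosts entry above. The two sample outputs in the script are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that SSL passthrough is in
# effect by checking which certificate a TLS client sees for the wso2is host.
set -e

# Subject that ingress-nginx puts in its built-in placeholder certificate.
FAKE_CERT_SUBJECT='Kubernetes Ingress Controller Fake Certificate'

# cert_subject_from_s_client TEXT: the subject line from `openssl s_client` output
# (works for both the "subject=CN = x" and older "subject=/CN=x" formats)
cert_subject_from_s_client() {
    printf '%s\n' "$1" | sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# passthrough_ok SUBJECT: succeeds only if a certificate was seen and it is not
# the ingress placeholder (an empty subject means the handshake failed outright)
passthrough_ok() {
    case $1 in
        "") return 1 ;;
        *"$FAKE_CERT_SUBJECT"*) return 1 ;;
        *) return 0 ;;
    esac
}

# fetch_cert_subject HOST [PORT]: one TLS connection with SNI, print the subject seen
fetch_cert_subject() {
    host=$1; port=${2:-443}
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null || true)
    cert_subject_from_s_client "$out"
}

# Constructed sample s_client output (not real captures) for the two outcomes.
SAMPLE_PASSTHROUGH='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = localhost, O = WSO2 Demo, C = US
---
subject=CN = localhost, O = WSO2 Demo, C = US
issuer=CN = localhost, O = WSO2 Demo, C = US
---'
SAMPLE_TERMINATED='CONNECTED(00000003)
---
subject=CN = Kubernetes Ingress Controller Fake Certificate, O = Acme Co
issuer=CN = Kubernetes Ingress Controller Fake Certificate, O = Acme Co
---'

# Usage: sh check-passthrough.sh check [HOST]
if [ "${1:-}" = "check" ]; then
    seen=$(fetch_cert_subject "${2:-wso2is}")
    if passthrough_ok "$seen"; then
        echo "SSL passthrough OK, server certificate: $seen"
    else
        echo "SSL passthrough NOT in effect (saw: '${seen:-no certificate}')" >&2
        exit 1
    fi
fi
```

Seeing the server's own certificate is also what makes the usual browser warning expected on this demo: the stock WSO2 keystore certificate is self-signed, so the browser complains about trust, not about the hostname mismatch you would get from the ingress placeholder.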

To start using the product, please follow the official getting started guide.

When you are ready to tear down the setup, issue the following commands in this order.

kubectl delete -f is/identity-server-volume-claims.yaml
kubectl delete -f is/volumes/persistent-volumes.yaml
kubectl delete -f is/identity-server-service.yaml
kubectl delete -f is/identity-server-deployment.yaml
kubectl delete -f is/extras/rdbms/mysql/mysql-service.yaml
kubectl delete -f is/extras/rdbms/mysql/mysql-deployment.yaml
kubectl delete -f is/extras/rdbms/mysql/mysql-persistent-volume-claim.yaml
kubectl delete -f is/extras/rdbms/volumes/persistent-volumes.yaml
kubectl delete -f is/ingresses/identity-server-ingress.yaml
kubectl delete serviceaccount wso2svc-account

In this guide, we have looked at how WSO2 Identity Server can be deployed in a Minikube environment.
