Deploying WSO2 Identity Server on Kubernetes using AWS-EKS

Gomathy Kumarakuruparan
4 min readMay 10, 2020

--

WSO2 Identity Server offers an identity and access management (IAM) solution to all enterprise needs. The product is based on open standards and open source principles. It is a developer-friendly product which is capable of integrating with several applications and extending its capabilities for every use case required.

Deployment of WSO2 Identity Server can be easily done in a number of environments and platforms. This article gives the steps to deploy WSO2 Identity Server on kubernetes using AWS-EKS.

Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed Kubernetes service. Kubernetes is an open source container orchestration engine for automating deployment, scaling, and management of containerized applications. The open source project is hosted by the Cloud Native Computing Foundation (CNCF).

Install the following applications if you do not have them installed already. Make sure you install the recommended versions for a seamless deployment. This blog is based on the testing done in WSO2 5.10.0.

1. Install Git.

2. Install Helm and Tiller (version 2.9.1).

3. Install Kubernetes Client (version-v1.17.3).

4. Set up an EKS cluster on AWS cloud, if you do not have one set up already. You can find the instructions to do this, here.

Make sure you have set up the following components properly before you set up the cluster.

For more information, see the amazon EKS getting started guide.

- The EKS Service Role

- The EKS Cluster VPC

- AWS CLI version 2

Alternatively, you can also use AWS CLI version 1 however, you need to make sure that you have installed Python3. AWS CLI version 2 is independent of the Python version you are using.

5. Launch a managed node to get started with your instance profile. For instructions to do this, see the amazon EKS getting started guide.

While configuring the added node group, ensure that the instance type is c5.4xlarge or that of a larger capacity to avoid errors in deployment due to insufficient CPU.

6. Install NGINX Ingress Controller (version-nginx-0.22.0). You can get the raw file for the recommended version from the NGINX Ingress release tag.

To ensure that the NGINX Ingress controller is exposed, download the source code and apply the following files. Note that you can use the files for layer 7 instead of layer 4 as well.

kubectl apply -f namespace.yaml

kubectl apply -f mandatory.yaml

kubectl apply -f patch-configmap-14.yaml

kubectl apply -f service-l4.yaml

7. Add the WSO2 Helm chart repository.

helm repo add wso2 https://helm.wso2.com && helm repo update

- The local copy of the `wso2/kubernetes-is` git repository will be referred to as `KUBERNETES_HOME`.

- `<KUBERNETES_HOME>/advanced/` will be referred to as `HELM_HOME`.

Follow the steps below to deploy WSO2 Identity Server

Step 1 — Clone the Kubernetes resources from the WSO2 Identity Server git repository

git clone https://github.com/wso2/kubernetes-is.git

Step 2 — Change the configurations as required

1. The default configurations work well for the basic deployment of the product. However, if there is anything specific that needs to be configured, change the respective files in `<HELM_HOME>/is-pattern-1/`.

2. Open `<HELM_HOME>/is-pattern-1/values.yaml` and provide the values as mentioned in the second step (Provide configurations) of the Helm Quick Start Guide.

Step 3 — Deploy WSO2 Identity Server

Execute the following command to deploy the product. Here, `NAMESPACE` is the Kubernetes Namespace in which the resources are deployed and the `<RELEASE_NAME>` can be any name that you choose for the deployed instance.

helm install — dep-up — name <RELEASE_NAME> <HELM_HOME>/is-pattern-1 — namespace <NAMESPACE>

Troubleshooting Tip

If you come across the following error while deploying the product, execute the commands given below to resolve it.

Error:

forbidden: User “system:serviceaccount:kube-system:default” cannot get namespaces in the namespace

Commands to resolve the above error:

kubectl create serviceaccount — namespace kube-system tiller

kubectl create clusterrolebinding tiller-cluster-rule — clusterrole=cluster-admin — serviceaccount=kube-system:tiller

kubectl patch deploy — namespace kube-system tiller-deploy -p ‘{“spec”:{“template”:{“spec”: {“serviceAccount”:”tiller”}}}}’

Step 4 — Access the management console

To access the console in the environment,

1. Obtain the external IP of the Ingress resources by listing down the Kubernetes Ingresses as shown below.

kubectl get ing -n <NAMESPACE>

This gives you the <RELEASE_NAME> and <EXTERNAL-IP> as shown below.

NAME HOSTS ADDRESS PORTS AGE

wso2is-ingress <RELEASE_NAME> <EXTERNAL-IP> 80, 443 3m

2. Add the information obtained above in the /etc/hosts file as an entry.

<HOST-IP> <RELEASE_NAME>

The <HOST-IP> that needs to be mentioned in the /etc/hosts file can be obtained by pinging the <EXTERNAL-IP> you got in the first step.

Request:

ping <EXTERNAL-IP>

Response:

PING <EXTERNAL-IP> <HOST-IP>: xx data bytes

3. Navigate to `https://<RELEASE_NAME>/carbon` on a new browser window.

Try it Out

You can now test the functionalities of WSO2 Identity Server with your app. Alternatively, you can choose a sample app from here and follow the steps given to deploy the chosen application.

Make sure you add the proxy port configuration to <KUBERNETES_HOME>/advanced/is-pattern-1/values.yaml.

[transport.http.properties]

proxyPort = 80

[transport.https.properties]

proxyPort = 443

The host name included in the URLs related to the identity provider must be changed based on the `<RELEASE_NAME>` you chose. This configuration is present in the properties file in `<SAMPLE_HOME>/WEB-INF/classes` where`<SAMPLE_HOME>` refers to the sample application that you have chosen to verify this deployment.

--

--

Gomathy Kumarakuruparan
Gomathy Kumarakuruparan

Written by Gomathy Kumarakuruparan

Technical Writer @ WSO2. Curiouser and curiouser about content writing & IAM solutions

No responses yet