Deploying the Authorization Server
Please ensure that you have Helm installed correctly before proceeding with the steps outlined below. Refer to Installing Helm for details.
Authorization Server Deployment using Helm Charts
FPX is packaged as a Helm chart. There are two ways to gain access to the chart, either directly via the chart source code, or by adding the remote repository:
$ helm repo add identos https://charts.dev.identos.ca
It should then show up with the command:
$ helm repo list
Finally, to install the Helm chart, run the following command:
$ helm upgrade --install fpx identos/fpxcore -f configuration.yaml --version v2.1.4
During the installation, the network of components will be deployed. Installation is complete when you run the following command and all deployments are ready, up-to-date and available (the numbers may differ based on the configuration applied):
$ kubectl get deployments
NAME             READY   UP-TO-DATE   AVAILABLE   AGE
fpx-authapi      1/1     1            1           2m6s
fpx-authserver   1/1     1            1           2m6s
Assuming that ingress objects were enabled as part of the installation, the deployed HTTP endpoints can be shown:
$ kubectl get ing
NAME             HOSTS                  ADDRESS   PORTS     AGE
fpx-authapi      authapi.example.com              80, 443   6m6s
fpx-authserver   idnserver.example.com            80, 443   6m6s
Helm Chart Configuration Parameters
Configuration for a Helm chart is provided as a YAML formatted file. For details on the configuration parameters and their default values, see:
- Helm configuration parameters for the Authorization Server
- Helm configuration parameters for the Authorization Server Admin API
Keystore Creation and Config
The Authorization Server deployment configuration YAML consists of several parameters that address keystore values. The keystore is used to store the custom signing encryption keys for the Authorization Server and the Authorization Server API. The parameters used to define keystore related values are:
- authorizationServer.keystores.https.alias
- authorizationServer.keystores.https.enabled
- authorizationServer.keystores.https.jwks
- authorizationServer.keystores.https.password
- authorizationServer.keystores.signingKey.enable
- authorizationApi.keystores.https.alias
- authorizationApi.keystores.https.enabled
- authorizationApi.keystores.https.jwks
- authorizationApi.keystores.https.password
- authorizationApi.keystores.signingKey.enable
In order to populate the alias, JWKS key and password parameters, the following steps need to be executed:
- Generate a keystore and alias key.
- Apply base64 encoding for the alias name, password and JWKS key.
- Update these base64 encoded values into the YAML config file.
To generate the key and the keystore, run the following command:
keytool -genkey -v -keystore AS.jks -alias <custom_alias> -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -ext KeyUsage=keyCertSign -validity 10000
IMPORTANT: The keystore alias must always be in lower case and may contain alphanumeric characters only.
To apply the base64 encoding for the alias name, password and JWKS key, run the following commands:
echo -n <alias name> | base64
echo -n <password> | base64
echo -n <JWKS Key> | base64
Note: echo -n (or printf '%s') is used so that the trailing newline a plain echo appends is not encoded into the value; a decoded value that ends in a newline will not match the alias or password you intended.
These commands will return the values in the base64 encoded format. Enter the encoded values in the configuration parameters listed above.
For production environments, it is recommended that individual keystores and key values exist for the Authorization Server and the Authorization Server API parameters.
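As an added example, not part of the FPX documentation or the identos chart: a POSIX shell snippet that enforces the alias rule above, base64-encodes the three values without the trailing newline a plain echo would add, verifies the encoding round-trips, and emits the matching authorizationServer.keystores.https fragment. The alias, password and JWKS values passed in are constructed samples; the YAML keys are the ones listed above.

```shell
#!/bin/sh
# Added example, not FPX project code. Assumes only POSIX sh and a
# coreutils-style base64 (base64 -d for decoding).

# Alias rule from the docs: lower case, alphanumeric characters only.
check_alias() {
  case "$1" in
    '') return 1 ;;            # empty alias is rejected
    *[!a-z0-9]*) return 1 ;;   # any char outside [a-z0-9] is rejected
    *) return 0 ;;
  esac
}

# base64-encode a value exactly as given: printf '%s' adds no newline,
# and tr strips the line wrapping some base64 implementations insert.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Sanity check: decoding the encoded value must give back the original byte-for-byte.
b64_roundtrip_ok() {
  [ "$(b64 "$1" | base64 -d)" = "$1" ]
}

# Print the chart fragment for the Authorization Server keystore.
# Arguments: alias, keystore password, JWKS document (all constructed by the caller).
emit_https_keystore_values() {
  _alias="$1"; _password="$2"; _jwks="$3"
  check_alias "$_alias" || { echo "alias must be lowercase alphanumeric: $_alias" >&2; return 1; }
  b64_roundtrip_ok "$_jwks" || { echo "JWKS did not round-trip through base64" >&2; return 1; }
  cat <<EOF
authorizationServer:
  keystores:
    https:
      enabled: true
      alias: $(b64 "$_alias")
      password: $(b64 "$_password")
      jwks: $(b64 "$_jwks")
EOF
}

# Constructed sample values; a real JWKS would hold the public key of the alias.
# emit_https_keystore_values asfpx 'change-me' '{"keys":[]}'
```

Compare `printf '%s' asfpx | base64` (YXNmcHg=) with `echo asfpx | base64` (YXNmcHgK): the extra K is the encoded newline that would end up in the decoded alias.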
Authorization Server Application Config
The authorizationServer.application.config Helm chart property group contains multiple sub-parameters that are essential for the proper configuration and set up of the Authorization Server.
See authorizationServer.application.config for details on configuring the sub-parameters and values.
Authorization Server Admin API Application Config
The authorizationApi.application.config parameter is used to define the main elements for the Authorization Server API - the administrative API for the Authorization Server. Without clearly defining these parameters, the setup of the AS API will fail and limit the integration of the other parties with the Authorization Server.
See authorizationApi.application.config for details on configuring the sub-parameters and values.