Deployment

Kubernetes

PostgreSQL

We recommend running PostgreSQL as a managed cloud service such as Google Cloud SQL, Amazon RDS for PostgreSQL or Microsoft Azure PostgreSQL, rather than inside the same Kubernetes cluster as the other applications, so that a node failure in the cluster cannot take the database down with it.

Example Deployment Files

The entire distribution service platform can be deployed in a Kubernetes cluster with only a few commands. We provide YAML deployment files that you can use as a base for your own deployment. Some configuration is better stored as ConfigMaps or Secrets. The script creates 2 replicas of every deployment and attempts to spread them across different nodes in the cluster. Below you can find the deployment files for a deployment in a Google Cloud Kubernetes environment.

Namespace & Backend

---
apiVersion: v1
kind: Namespace
metadata:
  name: t1c
---
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: t1c-backendconfig
spec:
  timeoutSec: 300
  connectionDraining:
    drainingTimeoutSec: 60

Configmaps

apiVersion: v1
kind: ConfigMap
metadata:
  name: t1c-ds-configmap
data:
  KONG_PROXY_LISTEN: "0.0.0.0:8000, 0.0.0.0:8443 ssl http2"
  KONG_ADMIN_LISTEN: "0.0.0.0:8001, 127.0.0.1:8444 ssl"
  KONG_STATUS_LISTEN: "0.0.0.0:8100"
  KONG_DATABASE: "postgres"
  KONG_ADMIN_ACCESS_LOG: "/dev/stdout"
  KONG_ADMIN_ERROR_LOG: "/dev/stderr"
  KONG_LOG_LEVEL: "warn"
  KONG_NGINX_PROXY_LARGE_CLIENT_HEADER_BUFFERS: "4 256k"
  KONG_NGINX_WORKER_PROCESSES: "1"
  KONG_PROXY_ACCESS_LOG: "/dev/stdout"
  KONG_PROXY_ERROR_LOG: "/dev/stderr"
  GCP_DB_CONNECTION_NAME: "t1t-saas-signbox:europe-west1:t1c-ds"
  DS_ALLOWED_HOST: ".t1t.io"
  DS_APP_TOKEN_VALIDITY_SECONDS: "600"
  DS_APPLICATION_ISSUER: "t1cds-app"
  DS_GATEWAY_ADMIN_URL: "http://kong-admin.t1c.svc.cluster.local:8001"
  DS_GATEWAY_BASE_PATH: ""
  DS_GATEWAY_CONSUMER_APPLICATION: "t1cds-app"
  DS_GATEWAY_CONSUMER_REGISTRATION: "t1cds-reg"
  DS_GATEWAY_CONSUMER_USER: "t1cds-user"
  DS_GATEWAY_ENABLED: "true"
  DS_GATEWAY_URL: "https://acc-ds.t1t.io"
  DS_IDP_ISSUER: "https://acc-ds.t1t.io/auth/realms/trust1connector"
  DS_KEYSTORE_PATH: "/mnt/t1cds.p12"
  DS_REG_TOKEN_VALIDITY_SECONDS: "600"
  DS_REGISTRATION_ISSUER: "t1cds-reg"
  DS_SECURITY_ENABLED: "true"
  DS_MAX_PAGE_SIZE: "100"
  INCLUDE_STACKTRACE: "true"
  JAVA_OPTS: "-Xms512m -Xmx1024m -Dpidfile.path=/dev/null -Dconfig.resource=k8s.conf -Dlogger.resource=logback-cloud.xml -Dplay.evolutions.db.default.autoApply=true"
  REQUIRE_GATEWAY_HEADERS: "false"
  T1C_DOMAIN: "t1c.t1t.io"
  T1C_PORT: "51883"
  T1C_DB_URL: "jdbc:postgresql://127.0.0.1:5432/t1c-ds"
  T1C_EVOLUTIONS_AUTO: "true"
  T1C_EVOLUTIONS_AUTO_DOWNS: "false"
  T1C_EVOLUTIONS_ENABLED: "true"
  T1C_EVOLUTIONS_SCHEMA: "public"
  RMC_LABEL: "rmc"
  RMC_URL: "https://acc-rmc.t1t.io"
  TZ: "Europe/Brussels"
  T1C_IMPLICIT_VERSION_CREATION: "true"
  T1C_VERSION_URI_TEMPLATE: "https://storage.googleapis.com/t1c-dependencies-acc/[[OS]]/v[[VERSION]]/Release/trust1team/[[FILENAME]]"
  T1C_VERSION_FILENAME_TEMPLATE_VALUES: |
    {"MACOS":"Trust1Connector-x86.dmg","MACOSARM":"Trust1Connector-arm.dmg","UNIX":"trust1connector.deb","WIN32":"t1c-x86.msi","WIN64":"t1c-x64.msi"}
  T1C_VERSION_OS_TEMPLATE_VALUES: |
    {"MACOS":"mac","MACOSARM":"mac","UNIX":"unix","WIN32":"win","WIN64":"win"}
  KEYCLOAK_HOSTNAME: acc-ds.t1t.io
  PROXY_ADDRESS_FORWARDING: "true"
  DB_VENDOR: POSTGRES
  DB_ADDR: 127.0.0.1
  DB_DATABASE: keycloak
  DB_SCHEMA: public

Secrets

Sensitive information such as usernames, passwords, and related data should be stored as secrets. Using Kustomize you can create secrets from string literals which can be set as environment variables in your deployment specs.

apiVersion: v1
kind: Secret
metadata:
  name: t1c-ds-secrets
type: Opaque
stringData:
  DS_KEYSTORE_ALIAS: ""
  DS_KEYSTORE_PASSWORD: ""
  PLAY_SECRET: ""
  T1C_DS_DB_USER: ""
  DB_USER: ""
  T1C_DS_DB_PWD: ""
  DB_PASSWORD: ""
  KEYCLOAK_USER: ""
  KEYCLOAK_PASSWORD: ""
  KONG_PG_DATABASE: ""
  KONG_PG_HOST: ""
  KONG_PG_USER: ""
  KONG_PG_PASSWORD: ""

Keycloak IDP

apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: t1c
  labels:
    app: keycloak
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"80":"t1c-backendconfig"}}'
spec:
  ports:
    - name: http
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8443
  selector:
    app: keycloak
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: t1c
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      restartPolicy: Always
      volumes:
        - configMap:
            name: t1cds-jks
          name: keystore
        - secret:
            secretName: t1cds-svc-account
          name: svc-account
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:14.0.0
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
            - secretRef:
                name: t1c-ds-secrets
          volumeMounts:
            - mountPath: "/mnt"
              name: keystore
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: 8080
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # Make sure to update on a regular schedule!
          image: gcr.io/cloudsql-docker/gce-proxy:1.23.1
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
          command: [ "/cloud_sql_proxy" ]
          args: [ "-log_debug_stdout=true", "-verbose=false", "-instances=$(GCP_DB_CONNECTION_NAME)=tcp:5432", "-credential_file=/secrets/service_account.json" ]
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          volumeMounts:
            - name: svc-account
              mountPath: /secrets/
              readOnly: true

Kong DB Bootstrapping

These jobs should only be run once.

---
# This job will state "Pod has warnings", but if the kong-migrations job has completed (db is bootstrapped), you can delete the job
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migrations
spec:
  template:
    metadata:
      name: kong-migrations
    spec:
      volumes:
        - name: svc-account
          secret:
            secretName: t1cds-svc-account
      containers:
        - name: kong-migrations
          image: kong:2.5.0-alpine
          command:
            - /bin/sh
            - -c
            - kong migrations bootstrap
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
            - secretRef:
                name: t1c-ds-secrets
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # Make sure to update on a regular schedule!
          image: gcr.io/cloudsql-docker/gce-proxy:1.23.1
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
          command: [ "/cloud_sql_proxy" ]
          args: [ "-log_debug_stdout=true", "-instances=$(GCP_DB_CONNECTION_NAME)=tcp:5432", "-credential_file=/secrets/service_account.json" ]
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          volumeMounts:
            - name: svc-account
              mountPath: /secrets/
              readOnly: true
      restartPolicy: OnFailure

---
# This job will state "Pod has warnings", but if the kong-migrations job has completed (db is bootstrapped), you can delete the job
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migrations
spec:
  template:
    metadata:
      name: kong-migrations
    spec:
      volumes:
        - name: svc-account
          secret:
            secretName: t1cds-svc-account
      containers:
        - name: kong-migrations
          image: kong:2.5.0-alpine
          command:
            - /bin/sh
            - -c
            - kong migrations up
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
            - secretRef:
                name: t1c-ds-secrets
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # Make sure to update on a regular schedule!
          image: gcr.io/cloudsql-docker/gce-proxy:1.23.1
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
          command: [ "/cloud_sql_proxy" ]
          args: [ "-log_debug_stdout=true", "-instances=$(GCP_DB_CONNECTION_NAME)=tcp:5432", "-credential_file=/secrets/service_account.json" ]
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          volumeMounts:
            - name: svc-account
              mountPath: /secrets/
              readOnly: true
      restartPolicy: OnFailure

---
# This job will state "Pod has warnings", but if the kong-migrations job has completed (db is bootstrapped), you can delete the job
apiVersion: batch/v1
kind: Job
metadata:
  name: kong-migrations
spec:
  template:
    metadata:
      name: kong-migrations
    spec:
      volumes:
        - name: svc-account
          secret:
            secretName: t1cds-svc-account
      containers:
        - name: kong-migrations
          image: kong:2.5.0-alpine
          command:
            - /bin/sh
            - -c
            - kong migrations finish
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
            - secretRef:
                name: t1c-ds-secrets
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # Make sure to update on a regular schedule!
          image: gcr.io/cloudsql-docker/gce-proxy:1.23.1
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
          command: [ "/cloud_sql_proxy" ]
          args: [ "-log_debug_stdout=true", "-instances=$(GCP_DB_CONNECTION_NAME)=tcp:5432", "-credential_file=/secrets/service_account.json" ]
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          volumeMounts:
            - name: svc-account
              mountPath: /secrets/
              readOnly: true
      restartPolicy: OnFailure

Kong Gateway

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kong-serviceaccount
  namespace: t1c
---
apiVersion: v1
kind: Service
metadata:
  name: kong-service
  namespace: t1c
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"80":"t1c-backendconfig"}}'
spec:
  type: NodePort
  ports:
    - name: proxy
      port: 80
      protocol: TCP
      targetPort: 8000
    - name: proxy-ssl
      port: 443
      protocol: TCP
      targetPort: 8443
  selector:
    app: kong-gateway
---
apiVersion: v1
kind: Service
metadata:
  name: kong-admin
  namespace: t1c
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"80":"oppaas-api-backendconfig"}}'
spec:
  type: NodePort
  ports:
    - name: admin
      port: 8001
      protocol: TCP
      targetPort: 8001
    - name: admin-ssl
      port: 8444
      targetPort: 8444
      protocol: TCP
  selector:
    app: kong-gateway
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kong-gateway
  name: kong-gateway
  namespace: t1c
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kong-gateway
  template:
    metadata:
      labels:
        app: kong-gateway
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - kong-gateway
              topologyKey: "kubernetes.io/hostname"
      volumes:
        - name: svc-account
          secret:
            secretName: t1cds-svc-account
      containers:
        - name: kong-gateway
          image: kong:2.5.0-alpine
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
            - secretRef:
                name: t1c-ds-secrets
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - kong quit
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /status
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - containerPort: 8000
              name: proxy
              protocol: TCP
            - containerPort: 8443
              name: proxy-ssl
              protocol: TCP
            - containerPort: 8100
              name: metrics
              protocol: TCP
            - containerPort: 8001
              name: admin
              protocol: TCP
            - containerPort: 8444
              name: admin-ssl
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /status
              port: 8100
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          securityContext:
            runAsUser: 1000
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # Make sure to update on a regular schedule!
          image: gcr.io/cloudsql-docker/gce-proxy:1.23.1
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
          command: [ "/cloud_sql_proxy" ]
          args: [ "-log_debug_stdout=true", "-instances=$(GCP_DB_CONNECTION_NAME)=tcp:5432", "-credential_file=/secrets/service_account.json" ]
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          volumeMounts:
            - name: svc-account
              mountPath: /secrets/
              readOnly: true
      serviceAccountName: kong-serviceaccount
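The ConfigMap binds Kong's Admin API on 0.0.0.0:8001 and the kong-admin Service exposes it as a NodePort, yet only the Distribution Service (DS_GATEWAY_ADMIN_URL) needs to reach it. As an added example that is not part of the T1C manifests, this script applies a NetworkPolicy restricting the admin ports to the DS pods; it assumes the labels and ports used in the manifests above, DS pods in the t1c namespace, and network policy enforcement enabled on the GKE cluster.

```shell
#!/bin/sh
# Added example (not part of the T1C manifests): restrict the Kong Admin API on the
# kong-gateway pods to the Distribution Service pods. The proxy ports (8000/8443) and
# the /status port (8100) stay open to all sources so the GKE load balancer, its
# health checks and the kubelet probes keep working.
# Assumptions: pod labels and ports as in the manifests above, DS pods in namespace
# t1c, and network policy enforcement enabled on the cluster. KUBECTL may point at a
# stub command to dry-run the apply.

kong_admin_networkpolicy() {
  cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kong-admin-from-ds-only
  namespace: t1c
spec:
  podSelector:
    matchLabels:
      app: kong-gateway
  policyTypes:
    - Ingress
  ingress:
    # Proxy and status ports: reachable from any source.
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 8000
        - protocol: TCP
          port: 8443
        - protocol: TCP
          port: 8100
    # Admin ports: only pods carrying the DS deployment's label.
    - from:
        - podSelector:
            matchLabels:
              app: t1c-ds-v3-5
      ports:
        - protocol: TCP
          port: 8001
        - protocol: TCP
          port: 8444
EOF
}

# Apply the policy; returns kubectl's exit status.
apply_kong_admin_networkpolicy() {
  kong_admin_networkpolicy | "${KUBECTL:-kubectl}" apply -f -
}
```

Traffic that reaches port 8001 through the NodePort from outside the cluster arrives with a node source address and matches neither rule, so it is dropped.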

Distribution Service

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: t1c-ds-service-v3-5
  name: t1c-ds-service-v3-5
  namespace: t1c
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"80":"t1c-backendconfig"}}'
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 9000
  selector:
    app: t1c-ds-v3-5
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: t1c
  name: t1c-ds-v3-5
  labels:
    app: t1c-ds-v3-5
spec:
  replicas: 1
  selector:
    matchLabels:
      app: t1c-ds-v3-5
  template:
    metadata:
      labels:
        app: t1c-ds-v3-5
    spec:
      restartPolicy: Always
      volumes:
        - configMap:
            name: t1cds-keystore
          name: keystore
        - secret:
            secretName: t1cds-svc-account
          name: svc-account
      containers:
        - name: t1c-ds-v3-5
          image: eu.gcr.io/t1t-pre-prod/t1cds:3.5.0-SNAPSHOT
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 9000
          volumeMounts:
            - mountPath: "/mnt"
              name: keystore
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
            - secretRef:
                name: t1c-ds-secrets
          resources:
            requests:
              memory: "600Mi"
          readinessProbe:
            httpGet:
              path: /v3_5/system/ready
              port: http
            periodSeconds: 10
            failureThreshold: 10
            initialDelaySeconds: 20
          livenessProbe:
            httpGet:
              path: /v3_5/system/alive
              port: http
            periodSeconds: 10
            initialDelaySeconds: 20
        - name: cloud-sql-proxy
          # It is recommended to use the latest version of the Cloud SQL proxy
          # Make sure to update on a regular schedule!
          image: gcr.io/cloudsql-docker/gce-proxy:1.23.1
          envFrom:
            - configMapRef:
                name: t1c-ds-configmap
          command: [ "/cloud_sql_proxy" ]
          args: [ "-log_debug_stdout=true", "-verbose=false", "-instances=$(GCP_DB_CONNECTION_NAME)=tcp:5432", "-credential_file=/secrets/service_account.json" ]
          securityContext:
            # The default Cloud SQL proxy image runs as the
            # "nonroot" user and group (uid: 65532) by default.
            runAsNonRoot: true
          volumeMounts:
            - name: svc-account
              mountPath: /secrets/
              readOnly: true

ReadMyCards

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: read-my-cards-service
  name: read-my-cards-service
  namespace: t1c
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"80":"t1c-backendconfig"}}'
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: read-my-cards
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: read-my-cards
  namespace: t1c
  labels:
    app: read-my-cards
spec:
  replicas: 1
  selector:
    matchLabels:
      app: read-my-cards
  template:
    metadata:
      labels:
        app: read-my-cards
    spec:
      restartPolicy: Always
      containers:
        - name: read-my-cards
          image: eu.gcr.io/t1t-pre-prod/read-my-cards:0.1.3
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
          env:
            - name: VUE_APP_T1C_URL
              value: "https://t1c.t1t.io"
            - name: VUE_APP_T1C_PORT
              value: "51883"
          resources:
            requests:
              cpu: 0.2
              memory: "200Mi"
          readinessProbe:
            httpGet:
              path: /index.html
              port: 8080
            periodSeconds: 10
            failureThreshold: 10
            initialDelaySeconds: 20
          livenessProbe:
            httpGet:
              path: /index.html
              port: 8080
            periodSeconds: 10
            initialDelaySeconds: 20

Ingress

apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
metadata:
  name: "trust1connector-lb"
  namespace: t1c
  annotations:
    kubernetes.io/ingress.global-static-ip-name: acc-trust1connector-ip
    ingress.gcp.kubernetes.io/pre-shared-cert: "t1t-io-ssl-2022-02-18"
    kubernetes.io/ingress.allow-http: "false"
spec:
  backend:
    serviceName: kong-service
    servicePort: 80
  rules:
    - host: "acc-ds.t1t.io"
      http:
        paths:
          - path: "/auth"
            backend:
              serviceName: "keycloak"
              servicePort: 80
          - path: "/auth/*"
            backend:
              serviceName: "keycloak"
              servicePort: 80
    - host: "acc-rmc.t1t.io"
      http:
        paths:
          - path: "/*"
            backend:
              serviceName: "read-my-cards-service"
              servicePort: 80

ConfigMaps From Files

The DS keystores can be stored as ConfigMaps in the cluster and mounted as volumes in the pod containers. We require a Java keystore (jks) file to configure the IDP, and a PKCS12 keystore (p12) for the DS API. The contents of both keystores must be identical.

kubectl create configmap t1cds-keystore --from-file=conf/t1cds.p12
kubectl create configmap t1cds-jks --from-file=conf/t1cds.jks
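The Secrets section above says the credentials should come from Kustomize string literals, and the keystore files above hold private key material that a ConfigMap exposes to anyone who can read ConfigMaps. As an added example that is not part of the T1C docs or project, this script renders one kustomization.yaml that builds t1c-ds-secrets from the 13 environment variables named in the Secrets section and stores both keystores as Secrets under their existing names; it refuses to render while any value is empty. It assumes the keystores live under ./conf (or the directory passed as the second argument) and that the deployments' keystore volumes are switched from "configMap:" to "secret:" with the same names.

```shell
#!/bin/sh
# Added example (not from the T1C docs or project): render a kustomization.yaml that
# builds t1c-ds-secrets from the 13 environment variables named in the Secrets
# section, and stores the two keystores from the kubectl commands above as Secrets
# rather than ConfigMaps. Rendering is refused while any value is empty, so the
# empty-string template cannot reach the cluster by accident.
# Assumptions: keystores live under ./conf (or the directory given as $2); the
# deployments' "configMap:" keystore volumes are changed to "secret:" with the same
# names, which the fixed-name generatorOptions below keep stable.

T1C_SECRET_KEYS="DS_KEYSTORE_ALIAS DS_KEYSTORE_PASSWORD PLAY_SECRET T1C_DS_DB_USER DB_USER T1C_DS_DB_PWD DB_PASSWORD KEYCLOAK_USER KEYCLOAK_PASSWORD KONG_PG_DATABASE KONG_PG_HOST KONG_PG_USER KONG_PG_PASSWORD"

# Escape backslashes and double quotes so a value survives YAML double-quoting.
yaml_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Usage: render_t1c_kustomization <output file> [keystore dir]
# Returns 1 and writes nothing if any required variable is unset or empty.
render_t1c_kustomization() {
  out="$1"
  ksdir="${2:-conf}"
  missing=""
  for k in $T1C_SECRET_KEYS; do
    eval "v=\${$k:-}"
    [ -n "$v" ] || missing="$missing $k"
  done
  if [ -n "$missing" ]; then
    printf 'refusing to render: empty secret values for:%s\n' "$missing" >&2
    return 1
  fi
  {
    printf '%s\n' "apiVersion: kustomize.config.k8s.io/v1beta1" \
                  "kind: Kustomization" \
                  "namespace: t1c" \
                  "generatorOptions:" \
                  "  # keep names fixed so secretRef and volume names in the manifests resolve" \
                  "  disableNameSuffixHash: true" \
                  "secretGenerator:" \
                  "  - name: t1c-ds-secrets" \
                  "    type: Opaque" \
                  "    literals:"
    for k in $T1C_SECRET_KEYS; do
      eval "v=\${$k}"
      printf '      - "%s=%s"\n' "$k" "$(yaml_escape "$v")"
    done
    printf '%s\n' "  - name: t1cds-keystore" \
                  "    files:" \
                  "      - t1cds.p12=$ksdir/t1cds.p12" \
                  "  - name: t1cds-jks" \
                  "    files:" \
                  "      - t1cds.jks=$ksdir/t1cds.jks"
  } > "$out"
}
```

Run `kubectl apply -k` on the directory holding the rendered file to create or update the three Secrets.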

GKE Guide

Database

Create a PostgreSQL 12 database instance.
When creating the database instance, configure the connectivity and backup options according to your needs. The database instance must be reachable from the K8s cluster.
Create the necessary databases:
1. t1c-ds
2. keycloak
3. kong

Create Kubernetes Cluster

Ubuntu 18.04

PostgreSQL

1) Add the PostgreSQL repository:

wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list

2) Install PostgreSQL:

sudo apt update
sudo apt -y install postgresql-12 postgresql-client-12

3) Configure PostgreSQL. The PostgreSQL server should be reachable from the DS API, Kong Gateway and Keycloak application server(s). We refer you to the documentation: https://www.postgresql.org/docs/12/
4) Create the users and the 3 databases (t1c-ds, kong, keycloak):
We recommend creating different users for each database, but the same user can also be used for all databases.

CREATE USER [INSERT_DATASTORE_USERNAME_HERE];
ALTER USER [INSERT_DATASTORE_USERNAME_HERE] PASSWORD '[INSERT_DATASTORE_PASSWORD_HERE]';
CREATE DATABASE [INSERT_DATABASE_NAME_HERE] OWNER [INSERT_DATASTORE_USERNAME_HERE];

Distribution Service API

1) Obtain the Distribution Service API server distributable. If you wish to build a package from source, run sbt ";clean;compile;dist" from the project root. A zip archive containing the application will be available under the target/universal folder.
2) Install Java:

wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | sudo apt-key add -
sudo add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
# If you get a command not found error run the command below:
# sudo apt-get install -y software-properties-common
sudo apt-get update
sudo apt-get install adoptopenjdk-11-hotspot
3) Unzip to a folder of your choice. We recommend using a subdirectory of the /opt folder.
4) Configure the Distribution Service API. See Configuration for a detailed description of the available options.
5) Create a service. We recommend using systemctl. Create a file in the /etc/systemd/system/ folder called t1cds.service and configure it as follows:

[Unit]
Description=T1C-DS API
After=syslog.target network.target
Before=httpd.service

[Service]
Environment=PLAY_SECRET=nf8dqrQM9_?XUm]JCxKu7Jyo9cMf`Eqh<VmOTlj`QWJAiKDqp?fD3J=zvOm3v9L:
ExecStart=/opt/t1cds/bin/t1c-ds

[Install]
WantedBy=multi-user.target
We strongly recommend placing sensitive information in the service definition as environment variables. See Configuration to get a list of configuration keys.
6) Enable and start the service:

chmod 664 /etc/systemd/system/t1cds.service
systemctl enable /etc/systemd/system/t1cds.service
service t1cds start
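The unit in step 5 carries PLAY_SECRET inline, and step 6 leaves the unit file world-readable (664). As an added example that is not part of the T1C docs, the script below installs the same unit with the secrets in a root-only EnvironmentFile instead; it assumes the binary is at /opt/t1cds/bin/t1c-ds as in step 5, that a system user named t1cds exists with read access to /opt/t1cds, and that PLAY_SECRET, T1C_DS_DB_USER and T1C_DS_DB_PWD are exported before the call.

```shell
#!/bin/sh
# Added example, not from the T1C docs: install the t1cds unit from step 5 with
# PLAY_SECRET and the database credentials in a root-only EnvironmentFile, so the
# 664 unit file from step 6 no longer carries the secret itself.
# Assumptions: the binary lives at /opt/t1cds/bin/t1c-ds as in step 5, a system
# user "t1cds" exists with read access to /opt/t1cds, and the caller exports
# PLAY_SECRET, T1C_DS_DB_USER and T1C_DS_DB_PWD before calling install_t1cds_unit.

T1CDS_SECRET_VARS="PLAY_SECRET T1C_DS_DB_USER T1C_DS_DB_PWD"

# Escape backslashes and double quotes for a double-quoted EnvironmentFile value.
envfile_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Usage: install_t1cds_unit <root dir>   (pass / for real, a temp dir to dry-run)
# Writes <root>/etc/t1cds/t1cds.env (0600) and <root>/etc/systemd/system/t1cds.service (0644).
install_t1cds_unit() {
  root="${1%/}"
  for k in $T1CDS_SECRET_VARS; do
    eval "v=\${$k:-}"
    if [ -z "$v" ]; then
      echo "$k is not set; refusing to install the unit" >&2
      return 1
    fi
  done
  mkdir -p "$root/etc/t1cds" "$root/etc/systemd/system"
  envfile="$root/etc/t1cds/t1cds.env"
  # Create the file with a restrictive mode before any secret is written to it.
  (
    umask 077
    : > "$envfile"
    for k in $T1CDS_SECRET_VARS; do
      eval "v=\${$k}"
      printf '%s="%s"\n' "$k" "$(envfile_escape "$v")" >> "$envfile"
    done
  )
  chmod 0600 "$envfile"
  cat > "$root/etc/systemd/system/t1cds.service" <<'EOF'
[Unit]
Description=T1C-DS API
After=syslog.target network.target
Before=httpd.service

[Service]
# Secrets come from the 0600 file below, never from the unit file itself.
EnvironmentFile=/etc/t1cds/t1cds.env
# Assumption: a dedicated unprivileged service account exists.
User=t1cds
NoNewPrivileges=yes
PrivateTmp=yes
ExecStart=/opt/t1cds/bin/t1c-ds

[Install]
WantedBy=multi-user.target
EOF
  chmod 0644 "$root/etc/systemd/system/t1cds.service"
}
```

After `install_t1cds_unit /`, run `systemctl daemon-reload` and `systemctl enable --now t1cds` in place of step 6.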

Kong Gateway

We refer you to the Kong installation guides on KongHQ for the platform of your choice.
The Kong gateway should be configured to run in database mode, and the Admin API must be available on a port accessible only by the DS API.

Keycloak

We refer you to the Keycloak Installation documentation.

Docker Compose

For development and testing purposes we offer a Docker Compose setup to run the platform easily. Note that you must have access to the Trust1Team Docker container registry, or import the DS API image into your own registry.
After executing docker-compose up, you must still bootstrap the gateway and configure the IDP keystore.

Bootstrapping Gateway Request

This is an example request to bootstrap the gateway for a docker compose deployment following the example docker-compose.yml below.

curl --location --request POST 'http://localhost:4600/v3_5/gateway/bootstrap' \
--header 'Authorization: Bearer ey...ngA' \
--header 'Content-Type: application/json' \
--data-raw '{
    "dsServiceName": "t1c-ds",
    "dsServiceHost": "t1c-ds",
    "dsPort": 4600
}'

Example

version: "3"
services:
  t1c-db:
    image: "postgres:13-alpine"
    container_name: "t1c-db"
    networks:
      - t1c-io
    volumes:
      - "./postgres:/docker-entrypoint-initdb.d"
      - "t1c-data:/var/lib/postgresql/data"
    command: ["-c", "shared_buffers=256MB", "-c", "max_connections=200"]
    ports:
      - 5433:5432
    environment:
      TZ: "Europe/Brussels"
      PGTZ: "Europe/Brussels"
      POSTGRES_USER: "postgres"
      POSTGRES_PASSWORD: "postgres"
  t1c-idp:
    image: "jboss/keycloak:latest"
    container_name: "t1c-idp"
    networks:
      - t1c-io
    command:
      - "-Dkeycloak.profile.feature.upload_scripts=enabled"
      - "-Dkeycloak.profile.feature.token_exchange=enabled"
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: t1c-db
      DB_DATABASE: keycloak
      DB_USER: postgres
      DB_SCHEMA: public
      DB_PASSWORD: postgres
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      TZ: "Europe/Brussels"
    volumes:
      - ./conf/t1cds.jks:/mnt/t1cds.jks
    ports:
      - 9999:8080
    depends_on:
      - t1c-db
  t1c-gtw-migration:
    image: "kong:2.5.0-alpine"
    container_name: "t1c-gtw-migration"
    command: kong migrations bootstrap
    depends_on:
      - t1c-db
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: kong
      KONG_PG_HOST: t1c-db
      KONG_PG_USER: postgres
      KONG_PG_PASSWORD: postgres
      TZ: "Europe/Brussels"
    networks:
      - t1c-io
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure
  t1c-gtw-migrations-up:
    image: "kong:2.5.0-alpine"
    container_name: "t1c-gtw-migrations-up"
    # run through a shell so that the && between the two commands is honoured
    command: ["/bin/sh", "-c", "kong migrations up && kong migrations finish"]
    depends_on:
      - t1c-db
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: kong
      KONG_PG_HOST: t1c-db
      KONG_PG_USER: postgres
      KONG_PG_PASSWORD: postgres
      TZ: "Europe/Brussels"
    networks:
      - t1c-io
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure
  t1c-gtw:
    image: "kong:2.5.0-alpine"
    container_name: "t1c-gtw"
    depends_on:
      - t1c-db
    environment:
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: 0.0.0.0:8001
      KONG_PROXY_LISTEN: 0.0.0.0:8000
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: kong
      KONG_PG_HOST: t1c-db
      KONG_PG_PASSWORD: postgres
      KONG_PG_USER: postgres
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      TZ: "Europe/Brussels"
    networks:
      - t1c-io
    ports:
      - "8000:8000/tcp"
      - "8001:8001/tcp"
    healthcheck:
      test: ["CMD", "kong", "health"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: always
  t1c-ds:
    environment:
      JAVA_OPTS: "-Dconfig.resource=k8s.conf -Dlogger.resource=logback-docker.xml -Dplay.evolutions.db.default.autoApply=true"
      DS_ALLOWED_HOST: ".t1t.io"
      DS_APP_TOKEN_VALIDITY_SECONDS: 600
      DS_GATEWAY_ADMIN_URL: "http://t1c-gtw:8001"
      DS_GATEWAY_CONSUMER_REGISTRATION: "t1cds-reg"
      DS_GATEWAY_CONSUMER_APPLICATION: "t1cds-app"
      DS_GATEWAY_CONSUMER_USER: "t1cds-user"
      DS_GATEWAY_BASE_PATH: ""
      DS_GATEWAY_ENABLED: "true"
      DS_GATEWAY_URL: "http://localhost:8000"
      DS_IDP_ISSUER: "http://localhost:9999/auth/realms/trust1connector"
      DS_KEYSTORE_PATH: "/mnt/t1cds.p12"
      DS_KEYSTORE_PASSWORD: "password"
      DS_KEYSTORE_ALIAS: "t1cds"
      DS_REG_TOKEN_VALIDITY_SECONDS: 600
      DS_SECURITY_ENABLED: "true"
      DS_MAX_PAGE_SIZE: 100
      INCLUDE_STACKTRACE: "true"
      PLAY_SECRET: "superdupersecret"
      REQUIRE_GATEWAY_HEADERS: "false"
      T1C_DOMAIN: "t1c.t1t.io"
      T1C_PORT: "51983"
      T1C_EVOLUTIONS_ENABLED: "true"
      T1C_EVOLUTIONS_AUTO: "true"
      T1C_EVOLUTIONS_AUTO_DOWNS: "true"
      T1C_DB_URL: "jdbc:postgresql://t1c-db:5432/t1c-ds"
      T1C_DS_DB_USER: "postgres"
      T1C_DS_DB_PWD: "postgres"
      T1C_EVOLUTIONS_SCHEMA: "public"
      T1C_IMPLICIT_VERSION_CREATION: "true"
      T1C_VERSION_URI_TEMPLATE: "https://storage.googleapis.com/t1c-dependencies-dev/[[OS]]/v[[VERSION]]/Release/trust1team/[[FILENAME]]"
      T1C_VERSION_FILENAME_TEMPLATE_VALUES: |
        {"MACOS":"Trust1Connector-x86.dmg","MACOSARM":"Trust1Connector-arm.dmg","UNIX":"trust1connector.deb","WIN32":"t1c-x86.msi","WIN64":"t1c-x64.msi"}
      T1C_VERSION_OS_TEMPLATE_VALUES: |
        {"MACOS":"mac","MACOSARM":"mac","UNIX":"unix","WIN32":"win","WIN64":"win"}
      RMC_LABEL: "rmc"
      TZ: "Europe/Brussels"
    image: "eu.gcr.io/t1t-pre-prod/t1cds:latest"
    container_name: "t1c-ds"
    volumes:
      - ./conf/t1cds.p12:/mnt/t1cds.p12
    networks:
      - t1c-io
    ports:
      - 4600:9000
    depends_on:
      - t1c-db
networks:
  t1c-io:
    driver: bridge

volumes:
  t1c-data:
    driver: local
You can run the stack in detached mode with the command:

$ docker compose up -d