add apiserver client config to keycloak

Signed-off-by: akihikokuroda <akihikokuroda2020@gmail.com>
Qiskit · Feb 28, 2023 · a528d6f · a528d6f
1 parent 6e888ef
commit a528d6f
Show file tree

Hide file tree

Showing 4 changed files with 260 additions and 59 deletions.
diff --git a/infrastructure/helm/hacks/apiserver-patch.sh b/infrastructure/helm/hacks/apiserver-patch.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+LOCAL_IP=$1
+kubectl patch deployments kuberay-apiserver --type=json -p='[{"op": "add", "path": "/spec/template/spec/containers/-","value":{"image": "quay.io/gogatekeeper/gatekeeper:2.1.1","imagePullPolicy": "IfNotPresent","name": "gatekeeper","args":["--no-redirects=true","--forwarding-grant-type=client_credentials","--listen=0.0.0.0:4180","--client-id=rayapiserver","--client-secret=APISERVERSECRET-CHANGEME","--discovery-url=http://'$LOCAL_IP':31059/realms/quantumserverless","--enable-logging=true","--verbose=true","--upstream-url=http://kuberay-apiserver-service:8888/"]}}]'
diff --git a/infrastructure/helm/quantumserverless/README.md b/infrastructure/helm/quantumserverless/README.md
@@ -59,6 +59,12 @@ Install from specific values file
 kubectl patch svc -n ray kuberay-apiserver-service --type json  --patch '[{"op" : "replace" ,"path" : "/spec/selector" ,"value" : {"app.kubernetes.io/component": "kuberay-apiserver"}}]'
 ```
 
+(temporary) Patch the kuberay-apiserver deployment
+
+```shell
+./hack/apisesrver=patch.sh <LOCAL-IP>
+```
+
 ## Helm chart versions
 
 The Quantum Serverless Chart has several internal and external dependencies. If you are interested to know what versions the project is using you can check them in the [Chart.lock file](./Chart.lock).
@@ -109,6 +115,26 @@ For our Ray Charts dependencies we are using the configuration created by the Ra
 
 - For Ray Api Server you can read their [values.yaml](https://github.com/ray-project/kuberay-helm/blob/main/helm-chart/kuberay-apiserver/values.yaml).
 
+- Ray Api Server access needs the access token issued by the keycloak.  Here is the example to obtain the access token and send request to the Ray API Server
+
+```
+#!/bin/bash
+API=$1
+RESPONSE=$(curl --request POST \
+  --url 'http://<LOCAL-IP>:31059/realms/quantumserverless/protocol/openid-connect/token' \
+  --header 'content-type: application/x-www-form-urlencoded' \
+  --data grant_type=client_credentials \
+  --data client_id=rayapiserver \
+  --data client_secret=APISERVERSECRET-CHANGEME \
+  --data audience=rayapiserver | jq .access_token)
+TOKEN=${RESPONSE//'"'/}
+
+curl --request GET -k --proxy http://<LOCAL-IP>:30634/ \
+--header "authorization: Bearer $TOKEN" \
+--header 'content-type: application/json' \
+--url "http://kuberay-apiserver-service:8888/$API"
+```
+
 **Keycloak**
 
 - The initial user ID and password for both keycload console(adminUser/adminPassword) and Ray dashboard(keycloakUserID/keycloakPassword) can be changed in the values.yaml file. It is good to change them before apply the helm.