FAS Setup

How to setup FAS for your Frontier Management Cluster (FMC)

Deploy FAS Into Your FMC

To begin this guide, you must first complete the Stackgres guide from Storage Setup tutorial and the Keycloak Setup guide. Although FAS comes packaged with the FKG FMC installation, it pod will not run until all configurations have been satisfied.

FAS Diagram Flowchart

Frontier CLI Keycloak Authentication Diagram

The diagram above shows the flowchart of all used FMC components with FAS when an authorized FKG user makes a request from their Frontier front-end application. The steps of these FAS requests using the diagram flowchart are:

  • Step 1: The front-end client user attempts to authenticate to the Frontier Keycloak server to retrieve an access token for the Frontier CLI and/or Outpost application
  • Step 2: The Frontier Keycloak server will successfully allow the user to login to the Frontier application to make requests to FAS
  • Step 3: Successfully authenticated Frontier application users can make requests to FAS in the FMC cluster
  • Step 4: FAS will validate the token from the Frontier application user and verify the request through the Frontier Keycloak server
  • Step 5: The Frontier Keycloak server will allow the Frontier application client user to successfully make requests within FAS, as long as the user has the roles and permissions to perform such actions
  • Step 6: FAS will use the request to modify any changes within the FMC cluster
  • Step 7: The FMC cluster will send a response to FAS that changes have been made by an authorized FKG user
  • Step 8: FAS will send the request back to the Frontier application user about any successful modifications that were made within their FMC cluster

FAS Database Setup

We will need to create and enable all required prequisites before connecting FAS services to our SGCluster PostgreSQL database. Taking a look at all our existing database pods using the command:

sudo k3s kubectl exec -ti "$(kubectl get pod --selector app=StackGresCluster,cluster=true -o name | head -n 1)" -c patroni -- patronictl list

We will take the writable [Leader] database and exec into that specific pod.

kubectl exec -it frontier-db-0 -n frontier -- bash

A base shell will appear. Type in the following command to enter your PostgreSQL database configuration:

psql

We will need to write query statements to prepare for the Kubernetes FAS ConfigMap deployment. We will begin by creating the database:

CREATE DATABASE FRONTIER;

Next we will need to create the Frontier user account for the database. Be sure to take note of your username and password. We recommend setting your username to frontier for simplicity. Input any value in for <password>. These values will be used for your Frontier deployment credentials configuration in the manifest.

CREATE USER frontier WITH PASSWORD '<password>';

Once you’ve created the new user, we will now grant all privileges of the Frontier database to the Frontier database user.

GRANT ALL PRIVILEGES ON DATABASE FRONTIER to frontier;

After completing this step, we can then exit out of the PostgreSQL database and pod to begin the FAS configurations.

Requirements for FAS

All configuration settings will be applied in the Kubernetes Configmap required for FAS. The following are all the values that are necessary to run FAS services:

  • oidc-provider: Name of OIDC Provider
  • oidc-provider-url: URL of OIDC Provider Realm
  • oidc-client: OIDC Client ID
  • oidc-client-secret: OIDC Client Secret
  • db-selected: The Database Selected
  • db-host: The Database Connection Host URL
  • db-port: The Database Connection Port
  • db-username: The Database Account Username
  • db-password: The Database Account Password
  • db-name: The name of the Database
  • maas-consumer-key: FKG FMC MAAS Consumer Key
  • maas-consumer-secret: FKG FMC MAAS Consumer Secret
  • maas-access-token: FKG FMC MAAS Access Token
  • maas-token-secret: FKG FMC MAAS Access Token Secret
  • azure-client-id: FKG FMC Azure Client ID
  • azure-tenant-id: FKG FMC Azure Tenant ID
  • azure-sub-id: FKG FMC Azure Subscription ID

Up to this point of the FKG FMC Administration Guide, you should be able to fill in each of these required values. For all oidc values, you should refer back to the Keycloak Setup. With db values, refer to the Persistent Storage Setup. For each of the required values for the infrastructure providers, refer back to the configurations made for your FMC Setup & Installation Guide.

FAS ConfigMap Manifest

We can create a new file named “frontier-api-config.yaml”. We will place the contents below:

apiVersion: v1
kind: ConfigMap
data:
  frontier-api-config.properties: |
    oidc-provider=<provider-chosen>
    oidc-provider-url=<provider-url>
    oidc-client=<provider-client-name>
    oidc-client-secret=<provider-client-secret>
    db-selected=<database-chosen>
    db-host=<database-host-url>
    db-port=<database-host-port>
    db-username=<database-account-username>
    db-password=<database-account-password>
    db-name=frontier
    maas-consumer-key=<maas-consumer-key>
    maas-consumer-secret=<maas-consumer-key> # <--- This is typically blank
    maas-access-token=<maas-access-token>
    maas-token-secret=<maas-access-token-secret>
    azure-client-id=<azure-client-id>
    azure-tenant-id=<azure-tenant-id>
    azure-sub-id=<azure-subscription-id>
metadata:
  name: fas-config
  namespace: frontier

From all the data you have collected, you will insert those into the values of each key. Do not include any quotes and make sure all values are exactly the same from the sources you retrieved them. Once you are done editing the “frontier-api-config.yaml”, we will create the configmap using the following command:

kubectl create configmap api-config --from-file=fas-config=frontier-api-config.yaml

Complete the FAS Setup

We can run the following command to view the current FAS pod:

kubectl get pods -n frontier

Expected Output:

NAME                                   READY   STATUS             RESTARTS        AGE
frontier-db-1                          6/6     Running            0               1d
frontier-db-0                          6/6     Running            0               1d
frontier-cluster-api-b85f9b69d-5vbxz   1/1     CrashLoopBackOff   25 (21h ago)    1d

Now that we have implemented the new ConfigMap with all of FAS configurations, we can restart the pod by deleting it.

kubectl delete pod <pod-name> -n frontier

With the pod deleted, you should then be able to run get pods command again and view a successful running output:

Expected Output:

NAME                                   READY   STATUS    RESTARTS        AGE
frontier-db-1                          6/6     Running   0               1d
frontier-db-0                          6/6     Running   0               1d
frontier-cluster-api-b85f9b69d-2lbtf   1/1     Running   0               50s

You have completed the FKG FMC Installation Guide. You will now be able to manage users for them to have access of the FMC without the need of sharing the kubeconfig file using the Frontier CLI or Outpost GUI applications.