Deploy Sign-In Application to OKE

Download the code from GitHub, customize the code, and deploy it.

The sample code is available on GitHub.

  1. Go to GitHub.
  2. Clone or download the repository.
  3. Follow the instructions in the README document.

Follow these steps to deploy the application to OKE:

  1. Fork and clone the GitHub repository.
  2. Create the Dockerfile and build an image.
  3. Push the Docker image to the OCI Registry.
  4. Set up environment variables.
  5. Register the application in your Identity Domain.
  6. Deploy the Docker image to an OKE cluster.
  7. Test the custom sign-in experience with your working sample application.

Fork and Clone GitHub Repository

Fork the GitHub repository to create a copy of a repository on your development machine.

Then clone the forked repository on your development machine using the following command.

git clone https://github.com:USERNAME/YOUR-FORKED-REPO

Create a Dockerfile

Create a new file names Dockerfile in the cloned repository.

The custom sign-in application is a Node JS application. The Dockerfile looks similar to any Node JS application.
Use the following sample Dockerfile as a starting point.
FROM node:alpine

# Create app directory WORKDIR /usr/src/app # Install app dependencies
# A wildcard is used to ensure both package.json AND package-lock.json are copied where available (npm@5+)
COPY package*.json ./
RUN npm install
# If you are building your code for production
# RUN npm install --only=production
# Bundle app source
COPY . .

EXPOSE 3000# "npm start" is how this would normally be startedCMD [ "npm", "start" ]
You can use the Linux distribution allowed in your organization instead of alpine.

Build a Docker Image

Use the following command to build a Docker image from the Dockerfile and provide your image name.

docker build -t $IMAGE_NAME $PATH_TO_DOCKERFILE

Use the following command to list the images to verify your Docker image.

docker images

Push the Docker Image to OCI Registry

To push your Docker image to the OCI Registry, follow these steps:

  1. Sign in to the OCI Console.
  2. Open your Profile menu and click User Settings to view the details.
  3. On the Auth Tokens page, click Generate Token to create a new token.

    Caution:

    Copy the auth token and save it to a secure location to retrieve it later. You can't see the auth token later in your Console.
  4. Close the Generate Token dialog.
  5. Run the command docker login <region-key>.ocir.io to sign in to the OCI Registry (OCIR). For example, for Ashburn region run docker login iad.ocir.io.

    Enter the username with the auth token in this format if the user is in the default domain <tenancy-namespace>/<username>.

    For non-default IAM domain user, use the format <tenancy-namespace>/<domain_name>/<username>.

    When prompted for password, enter the user's Oracle Cloud Infrastructure auth token.

  6. Tag and push the docker image created in the previous step to OCIR.

    You can either create a new repository in the OCI container registry or use an existing one. The format of the tag should be <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<version>.

    docker tag idcslogin:latest iad.ocir.io/mytenancy/myrepo/idcslogin:latest docker push iad.ocir.io/mytenancy/myrepo/idcslogin:latest

    The Kubernetes manifest file will use this image when deploying a pod.

  7. Alternatively, you can follow these detailed instructions to push your Docker image to OCI Registry.
The Docker image is pulled into the OCI Registry and ready for deployment.

Set Up Environment Variables

  • Mandatory: IDCS_CLIENT_ID, IDCS_CLIENT_ID, and IDCS_SECRET
  • Optional: IDCS_SELFREGPROFILES to pass a self-registration profile to the sign-in application and DEBUG_LOGIN=true to enable debug logging in NodeJS
  • Production: NODE_ENV=production variable

Use Kubernetes Secrets to store these values and pass them along in the manifest file.

Register the Application

Register a client credentials application in IDCS or Identity Domain so that the custom sign-in application can make calls to the Oracle Identity Cloud Service Authentication REST API and allow users to sign in.

  1. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  2. In the Applications page, click Add.
  3. In the Add Application dialog, click Trusted Application or Confidential Application.
  4. In the Details pane, enter the following values:
    • Name: My Sign-In Application
    • Description: My Sign-In Application
  5. Click Next.
  6. In the Client pane, select Configure this application as a client now, and then select Client Credentials as Allowed Grant Types.
  7. In the Client pane, scroll down and click Add after Grant the client access to Identity Cloud Service Admin APIs.
  8. In the Add App Role dialog, select Signin, Verify Email, Reset Password, Forgot Password, and Self Registration in the list, and then click Add.
  9. Click Next in the Client pane and in the following panes until you reach the last pane.
  10. Click Finish.
  11. In the Application Added dialog, make note of the Client ID and the Client Secret values, and then click Close.
  12. To activate the application, click Activate.
  13. In the Activate Application? dialog, click Activate Application.
    A success message appears.

Create an OKE Cluster

  1. Follow the instructions to create an OKE cluster if you don't already have one.
  2. Ensure you have access to the new cluster using kubectl. Follow steps from the Quick Start section to access your cluster.

Deploy Application to OKE Cluster

To create a Kubernetes deployment manifest file and deploy the application to OKE, follow these steps:

  1. Create a Kubernetes Secret to make all the configuration parameters available to your OKE cluster.
    1. Set up OCI IAM configuration parameters.
      $ kubectl create secret generic idcs_config --from-literal=url=https://<domain instanceid>.identity.oraclecloud.com --from-literal=client-id=<client_id_of_sign_in_app> --from-literal=client-secret=<client_secret_of_sign_in_app>
    2. Create an OCI registry token.
      $ kubectl create secret generic idcs_config --from-literal=url=https://<domain instanceid>.identity.oraclecloud.com --from-literal=client-id=<client_id_of_sign_in_app> --from-literal=client-secret=<client_secret_of_sign_in_app>
    3. The load balancer service SSL key and certificate is required for setting up an HTTPS endpoint for accessing the custom application using the load balancer. Create a new key pair for your load balancer.
    4. Create a Kubernetes secret to make it available to your OKE cluster.
      $ kubectl create secret tls ssl-certificate-secret --key your.key --cert your.crt

      Note:

      Oracle recommends that you set up the load balancer service with the SSL port unless it is for development or quick testing purposes.
  2. Create a Kubernetes deployment manifest file.

    The file contains a pod specification for the custom application and a service specification for the load balancer.

    The configuration parameters such as the OCIR token and OCI IAM configuration are passed as environment variables and the values are picked up from the Kubernetes Secret you created in the previous steps.

    The application's Docker container image path should be the OCIR path to the image.

    The following is a sample YAML file named customlogin.yaml.
    apiVersion: v1
    kind: Pod
    metadata:
      name: login-app
      labels:
        app: customlogin
    spec:
      containers:
        - name: idcslogin
          image: iad.ocir.io/<tenancy namespace>/idcslogin:latest
          imagePullPolicy: Always
          ports:
          - name: httpport
            containerPort: 3000
            protocol: TCP
          env:
          - name: IDCS_URL
            valueFrom:
              secretKeyRef:
                name: idcs-config
                key: url
          - name: IDCS_CLIENT_ID
            valueFrom:
              secretKeyRef:
                name: idcs-config
                key: client-id
          - name: IDCS_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: idcs-config
                key: client-secret
    
      imagePullSecrets:
        - name: ocirsecret
    ---
    
    apiVersion: v1
    kind: Service
    metadata:
      name:
     loginlb
      annotations:
        service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/oci-load-balancer-tls-secret: ssl-certificate-secret
      labels:
        app: loginlb
    spec:
      selector:
        app: customlogin
      type: LoadBalancer
      ports:
      - name: http
        port: 80
        protocol: TCP
        targetPort: 3000
      - name: https
        port: 443
        protocol: TCP
        targetPort: 3000

    Note:

    To find out the Tenancy Namespace of the current tenancy, open the Profile menu and click Tenancy:. The tenancy namespace is displayed in the Object Storage Namespace field.
  3. Deploy the custom application pod and the load balancer service to your OKE cluster.
    $ kubectl apply -f ./customlogin.yaml
    $ kubectl get all
    Name Ready Status Restarts Age
    pod/login-app 1/1 Running 0 12d
    Name Type Cluster-IP External-IP Port(s) Age
    service/kubernetes ClusterIP 10.96.0.1 None 443/TCP 109d
    service/loginlb LoadBalancer 10.96.45.133 10.1.1.1 80:31420/TCP, 443:30563/TCP 12d

Test Custom Sign-In Experience

Follow these steps to test the sign-in experience using the working sample application you prepared for testing:

  1. Update the sample application to use the newly deployed custom application's load balancer URL.
  2. In your sample application, enter the load balancer URL in the Custom Login URL field. This URL can either be the load balancer public IP address or the FQDN based on your DNS entry.
  3. Access the sample application URL in the browser.

    You should be taken to the custom sign-in application page.