Deploy Account Management
Before you can deploy Account Management, ensure that you complete all the steps outlined in the Account Management Deployment Overview section:
- Confirming the Kubernetes cluster HTTPS certificate is valid
- Gathering all necessary Account Management deployment settings
- Building Account Management Docker images
- Provisioning supporting infrastructure
To deploy Account Management, run the Jenkins job create-or-delete-account-management-stack. This job takes several parameters, described below.
When the job completes successfully, review the logs to find Terraform outputs that contain useful information such as the endpoint to the Account Management API.
warning
When deploying Account Management (AM) with the amStackResourcingProfile Jenkins job parameter set to prod-small, one of the am-api pods could fail with an error about getting the Liquibase lock. You can work around this by deploying Account Management again.
Jenkins Job Parameters
The following parameters are available in the Jenkins job create-or-delete-account-management-stack:
plan_mode
If plan_mode is set, the Jenkins build plans the Terraform changes. The job pauses until you confirm that you want to proceed with the changes. You can run the job in plan mode when both applying and destroying resources.
destroy_mode
If destroy_mode is set, Terraform runs in destroy mode. Destroy mode also deletes the Terraform workspace and Kubernetes namespace if these are empty.
amStackResourcingProfile
The resourcing profile of your am-stack.
TF_VAR_docker_tag
The Account Management Docker images to use. Must match the value used when building the Account Management Docker images.
TF_VAR_allowed_cidrs
A comma-separated list of CIDRs allowed to access Account Management services.
important
When you deploy Account Management, the job adds the Kubernetes cluster EIPs to the allowed CIDRs list.
allowOpenAccess
Acknowledgement required when you deploy Elastic Path Account Management with the Jenkins job parameter TF_VAR_allowed_cidrs set with the CIDR 0.0.0.0/0. Set this parameter to true to acknowledge that you allow the Elastic Path Account Management services to be accessible from the open internet.
TF_VAR_kubernetes_nickname
The Kubernetes namespace in which to deploy the Account Management stack.
Ensure that the nickname matches the nickname of the database and the ActiveMQ service.
TF_VAR_include_keycloak
(Optional)
Whether to include a Keycloak Helm release with the deployment.
warning
Only use this Keycloak deployment as a mock identity provider in demo deployments.
For more information about how the mock identity provider is configured, see Configuring Keycloak.
note
This parameter is required if external OIDC (OpenID Connect) parameters are not set.
TF_VAR_private_jwt_key
A private JWT key. For more information about generating the key, see the Account Management documentation.
TF_VAR_api_access_token
(Optional)
An API access token that can authenticate all API calls to Account Management. If you do not provide a token, one is generated.
TF_VAR_oidc_discovery_url
(Optional)
The OpenID Connect discovery URL of an identity provider.
note
This parameter is required if TF_VAR_include_keycloak is false.
TF_VAR_oidc_client_id
(Optional)
The OpenID Connect client ID of an identity provider.
note
This parameter is required if TF_VAR_include_keycloak is false.
TF_VAR_oidc_client_secret
(Optional)
The OpenID Connect client secret of an identity provider.
note
This parameter is required if TF_VAR_include_keycloak is false.
TF_VAR_oidc_token_scope
(Optional)
The OpenID Connect token scope of an identity provider.
TF_VAR_oidc_group_key
(Optional)
The OpenID Connect group key of an identity provider.
note
This parameter is required if TF_VAR_include_keycloak is false.
TF_VAR_oidc_group_value_for_associates
(Optional)
The OpenID Connect group value for Associate type Account Management users.
note
This parameter is required if TF_VAR_include_keycloak is false.
TF_VAR_oidc_group_value_for_seller_users
(Optional)
The OpenID Connect group value for Seller type Account Management users.
note
This parameter is required if TF_VAR_include_keycloak is false.
TF_VAR_kubernetes_cluster_name
The name of the Kubernetes cluster in which to deploy the Account Management stack.
TF_VAR_extra_env_vars_secret
(Optional)
The name of the Kubernetes secret that contains extra environment variables to inject into the Account Management stack.
cloudops_for_kubernetes_branch
The CloudOps for Kubernetes branch to use when cloning the Jenkinsfile and Terraform configuration that define how the infrastructure is deployed.
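A pre-flight check of the parameter rules described above, as an added example that is not part of the original page or of the CloudOps for Kubernetes code. It assumes the parameters are collected in a dict of strings; check_params, is_true and the sample values are hypothetical, and the check for ranges that together cover every address goes beyond the literal 0.0.0.0/0 rule the page states.

```python
import ipaddress

# Parameters the page marks as required when TF_VAR_include_keycloak is false.
OIDC_REQUIRED = (
    "TF_VAR_oidc_discovery_url", "TF_VAR_oidc_client_id",
    "TF_VAR_oidc_client_secret", "TF_VAR_oidc_group_key",
    "TF_VAR_oidc_group_value_for_associates",
    "TF_VAR_oidc_group_value_for_seller_users",
)

def is_true(params, name):
    # Assumption: parameters arrive as strings such as "true" / "false".
    return str(params.get(name, "")).strip().lower() == "true"

def check_params(params):
    """Return a list of problems found in a dict of job parameters."""
    problems, nets = [], []
    cidrs = [c.strip() for c in params.get("TF_VAR_allowed_cidrs", "").split(",")]
    for raw in filter(None, cidrs):
        try:
            # strict=True rejects typos with host bits set, e.g. 10.0.0.1/8
            nets.append(ipaddress.ip_network(raw, strict=True))
        except ValueError as exc:
            problems.append(f"invalid CIDR {raw!r}: {exc}")
    literal_open = any(n.prefixlen == 0 for n in nets)
    # Added check, not described on the page: narrower ranges that together
    # cover every address are as open as 0.0.0.0/0.
    collapsed = []
    for version in (4, 6):
        collapsed += ipaddress.collapse_addresses(
            [n for n in nets if n.version == version])
    effective_open = any(n.prefixlen == 0 for n in collapsed)
    ack = is_true(params, "allowOpenAccess")
    if literal_open and not ack:
        problems.append("open CIDR (/0) listed but allowOpenAccess is not true")
    elif effective_open and not literal_open:
        problems.append("allowed CIDRs together cover the whole address space")
    elif ack and not effective_open:
        problems.append("allowOpenAccess is true but no open CIDR is listed")
    if not is_true(params, "TF_VAR_include_keycloak"):
        missing = [k for k in OIDC_REQUIRED if not params.get(k)]
        if missing:
            problems.append("Keycloak not included; missing " + ", ".join(missing))
    return problems

# Constructed sample input (documentation address range, no real values).
SAMPLE = {"TF_VAR_allowed_cidrs": "203.0.113.0/24, 0.0.0.0/1, 128.0.0.0/1",
          "allowOpenAccess": "false", "TF_VAR_include_keycloak": "true"}
```

An empty list from check_params(SAMPLE) would mean the parameter set is consistent with the rules above; the constructed sample returns one problem because its two /1 ranges together cover all of IPv4.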
Configuring Keycloak
The Jenkins job create-or-delete-account-management-stack can include a Keycloak deployment intended for use as a mock identity provider.
warning
Only use this Keycloak deployment as a mock identity provider in demo deployments.
Keycloak is configured by a Docker container that runs as a Kubernetes Job. New, random credentials are generated each time a job is run. You can find the username and password of the admin Keycloak user and the mock Seller Admin user in the Terraform outputs section of the Jenkins job logs.
Deploy with different resourcing profiles
This option deploys an Account Management stack under a specific resourcing profile. The default resourcing profile in the Jenkins job create-or-delete-account-management-stack is prod-small. Details on the resources assigned to each application are under each resourcing profile defined in cloudops-for-kubernetes/terraform/am-stack/am-resourcing-profile.tf.
Deploy with additional environment variables
This option allows you to pass in additional environment variables when deploying an Account Management stack. You must create a Kubernetes secret with the desired environment variables and set the Jenkins parameter TF_VAR_extra_env_vars_secret to the name of that secret.