Version: 26.1

Deployment

Before deploying the Authorization Hub, ensure the following prerequisites are met:

  • Kubernetes

    A running K8s cluster (version 1.25 recommended) is required for deployment. This can be a local Minikube cluster for testing or a cloud cluster for production.

  • Helm

    Helm version 3.8 must be installed locally to manage the charts.

  • kubectl

    Installed and configured to access your K8s cluster.

  • PostgreSQL (optional)

    An external Postgres instance. If you don't have one, a local Postgres pod can be provisioned, as described in the Deployment section.

  • Sufficient resources

    A minimum of 4 CPUs and 8GB of RAM is required for local clusters running the full microservices stack. The ADM pod defaults to a 2GB memory limit, which supports ALFA policies up to approximately 8MB. If your policy files exceed this size, increase the ADM pod memory limit and ensure the cluster has sufficient memory.

  • Authorization Hub license

    Contact Axiomatics Customer Support to obtain a license file (axiomatics_HUB.license) for your deployment.

Preparation

The Authorization Hub is downloaded using the AWS CLI. If you have not already done so, install AWS CLI following the instructions in AWS documentation.

  1. Configure the Axiomatics AWS CLI account using the aws configure command, as explained in the AWS documentation. This procedure requires an Access key ID and a Secret access key, both provided to you by Axiomatics.

  2. Download the Authorization Hub distribution.

    aws s3api get-object --bucket axiomatics-customer-artifacts --key releases/com/axiomatics/hub/26.1.0/hub-26.1.0.zip hub-26.1.0.zip

  3. Log in to the Amazon ECR registry provided by Axiomatics.

    aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin 748131003707.dkr.ecr.eu-central-1.amazonaws.com

Deployment

Important

Replace all $CHANGE_ME placeholders in the commands below with your actual values before running them. Values passed with --from-literal are recorded in your shell history and are visible in the process list while the command runs, so run these steps from a session whose history you control.

  1. Copy axiomatics_HUB.license into the /configurations directory.

  2. Create a secret to pull the images from the ECR registry.

    kubectl create secret docker-registry regcred \
    --docker-server=748131003707.dkr.ecr.eu-central-1.amazonaws.com \
    --docker-username=AWS --docker-password=$(aws ecr get-login-password --region eu-central-1)

    The password returned by aws ecr get-login-password is an ECR authorization token that is valid for 12 hours. After that, any new image pull (for example, when a pod is rescheduled) fails until you recreate regcred with a fresh token.

  3. Create a generic secret containing values for the Keycloak pod.

    kubectl create secret generic keycloak \
    --from-literal=hub_client_secret=$CHANGE_ME \
    --from-literal=principal_client_secret=$CHANGE_ME \
    --from-literal=keycloak_smtp_host=$CHANGE_ME \
    --from-literal=keycloak_smtp_port=587 \
    --from-literal=keycloak_smtp_user=$CHANGE_ME \
    --from-literal=keycloak_smtp_password=$CHANGE_ME \
    --from-literal=keycloak_smtp_from=$CHANGE_ME

    Optionally, for local testing you can send email through Gmail by using a Gmail app password (created at https://myaccount.google.com/apppasswords) as the SMTP credentials.

  4. Create a secret with the PostgreSQL database credentials.

    kubectl create secret generic db-connection \
    --from-literal=dbusername=$CHANGE_ME \
    --from-literal=dbpassword=$CHANGE_ME \
    --from-literal=dbhost=postgres \
    --from-literal=dbport=5432

    The dbhost and dbport values shown are for the local PostgreSQL pod option described in step 6. If you use an external database, set them to its hostname and port.

  5. Create a secret with the Tenant admin credentials. Authorization Hub bootstraps this user on first startup.

    Note

    The password must comply with the Password policy.

    kubectl create secret generic principal \
    --from-literal=tenant_admin_email=$CHANGE_ME \
    --from-literal=tenant_admin_password=$CHANGE_ME

  6. Navigate to kubernetes/charts and install the Helm chart.

    helm install hub \
    -f hub/values.yaml hub \
    --set registry=748131003707.dkr.ecr.eu-central-1.amazonaws.com/axiomatics/ \
    --set hubHostname=$CHANGE_ME \
    --set 'imagePullSecrets[0].name=regcred'

    If you don't have an external database, add -f hub/values-local-database.yaml after the second line (-f hub/values.yaml hub) to deploy a PostgreSQL pod automatically. Helm applies values files in the order given, so the local-database file overrides the matching settings in hub/values.yaml.
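The steps above create four secrets and assume particular tool versions, and a wrong key name or an expired pull token only surfaces as a failing pod after helm install. The following pre-flight script is an added example, not part of the Authorization Hub distribution or its documentation: it checks the Kubernetes and Helm versions against the prerequisites, confirms that each secret exists with every key the steps above create, verifies the license file, and refreshes regcred when its token is older than the 12-hour ECR token lifetime. The secret and key names are taken from steps 2 to 5; the license path and the ECR_REGISTRY and AWS_REGION defaults are assumptions you can override through the environment.

```shell
#!/bin/sh
# Added pre-flight script for the deployment steps above (not Axiomatics code).
# Pure helpers (ver_num, version_ge, missing_keys, token_stale) take their input
# as arguments so they can be exercised without a cluster; the live helpers call
# kubectl, helm and aws against the current context.

ECR_REGISTRY=${ECR_REGISTRY:-748131003707.dkr.ecr.eu-central-1.amazonaws.com}
AWS_REGION=${AWS_REGION:-eu-central-1}
LICENSE_FILE=${LICENSE_FILE:-configurations/axiomatics_HUB.license}   # assumed path
ECR_TOKEN_LIFETIME=$((12 * 3600))   # an ECR authorization token is valid for 12 hours

# ver_num "v1.27.3-eks-a1b2" -> 1027003: major.minor.patch as one comparable integer.
ver_num() {
    set -- $(printf '%s' "${1#v}" | tr '.+-' '   ')
    maj=$(printf '%s' "${1:-0}" | tr -dc '0-9'); min=$(printf '%s' "${2:-0}" | tr -dc '0-9')
    pat=$(printf '%s' "${3:-0}" | tr -dc '0-9')
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# version_ge ACTUAL REQUIRED: succeeds when ACTUAL is at least REQUIRED.
version_ge() { [ "$(ver_num "$1")" -ge "$(ver_num "$2")" ]; }

# missing_keys "PRESENT KEYS" REQUIRED...: print each required key absent from the list.
missing_keys() {
    present=$(printf ' %s ' $1); shift
    for k in "$@"; do
        case "$present" in *" $k "*) ;; *) echo "$k" ;; esac
    done
}

# token_stale CREATED_EPOCH NOW_EPOCH: true once the pull secret's token has expired.
token_stale() { [ $(( $2 - $1 )) -ge "$ECR_TOKEN_LIFETIME" ]; }

# Live helpers: key names of a secret, and RFC 3339 timestamp to epoch (GNU or BSD date).
secret_keys() { kubectl get secret "$1" -o go-template='{{range $k, $v := .data}}{{$k}} {{end}}' 2>/dev/null; }
to_epoch() { date -u -d "$1" +%s 2>/dev/null || date -j -u -f '%Y-%m-%dT%H:%M:%SZ' "$1" +%s; }

# Re-create regcred with a fresh token in place (create --dry-run piped into apply).
refresh_regcred() {
    kubectl create secret docker-registry regcred \
        --docker-server="$ECR_REGISTRY" --docker-username=AWS \
        --docker-password="$(aws ecr get-login-password --region "$AWS_REGION")" \
        --dry-run=client -o yaml | kubectl apply -f -
}

# check_secret NAME KEY...: report a missing secret or missing keys; returns 1 on any problem.
check_secret() {
    name=$1; shift
    keys=$(secret_keys "$name") || { echo "FAIL secret/$name not found"; return 1; }
    miss=$(missing_keys "$keys" "$@")
    [ -z "$miss" ] && { echo "ok   secret/$name"; return 0; }
    echo "FAIL secret/$name missing keys: $(echo $miss)"; return 1
}

preflight() {
    rc=0
    k8s=$(kubectl version -o json | grep -o '"gitVersion": *"[^"]*"' | tail -n1 | cut -d'"' -f4)
    version_ge "$k8s" 1.25 && echo "ok   kubernetes $k8s" || { echo "FAIL kubernetes $k8s < 1.25"; rc=1; }
    helmv=$(helm version --template '{{.Version}}')
    version_ge "$helmv" 3.8 && echo "ok   helm $helmv" || { echo "FAIL helm $helmv < 3.8"; rc=1; }
    [ -f "$LICENSE_FILE" ] && echo "ok   $LICENSE_FILE" || { echo "FAIL $LICENSE_FILE missing"; rc=1; }
    check_secret keycloak hub_client_secret principal_client_secret keycloak_smtp_host \
        keycloak_smtp_port keycloak_smtp_user keycloak_smtp_password keycloak_smtp_from || rc=1
    check_secret db-connection dbusername dbpassword dbhost dbport || rc=1
    check_secret principal tenant_admin_email tenant_admin_password || rc=1
    if created=$(kubectl get secret regcred -o jsonpath='{.metadata.creationTimestamp}' 2>/dev/null); then
        if token_stale "$(to_epoch "$created")" "$(date -u +%s)"; then
            echo "WARN regcred token older than 12h; refreshing"; refresh_regcred || rc=1
        else echo "ok   regcred"; fi
    else echo "FAIL secret/regcred not found"; rc=1; fi
    return $rc
}

# Live checks run only when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it with sh preflight.sh run from the directory that holds the license file and with kubectl pointed at the target cluster; a non-zero exit means at least one FAIL line was printed. The regcred refresh uses the same kubectl create command as step 2, piped through --dry-run=client -o yaml into kubectl apply, so the secret is updated without a window in which it does not exist.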

Local testing deployment

For testing purposes only, you can run the deployment locally on minikube. The first step is to start minikube with the resources listed under Sufficient resources above.

minikube start --memory=8000 --cpus=4

Follow the same procedure as described above, but include the following additions:

  1. During the Helm chart installation in step 6, add the two settings shown below. They expose the API gateway through a LoadBalancer service that minikube tunnel can reach and switch the Hub to plain HTTP; because traffic is then unencrypted, use them only on a local test cluster.

    helm install hub \
    -f hub/values.yaml hub \
    --set registry=748131003707.dkr.ecr.eu-central-1.amazonaws.com/axiomatics/ \
    --set hubHostname=$CHANGE_ME \
    --set 'imagePullSecrets[0].name=regcred' \
    --set services.apiGateway.service.type=LoadBalancer \
    --set hubProtocol=http

  2. In a separate terminal window, start the minikube tunnel.

    minikube tunnel

    You must keep this tunnel running to maintain access to your local test environment.

Next step

Once the Authorization Hub is deployed, you should configure user authentication before you begin inviting users. Read the User authentication section for details.