3.7.0
What's New in ioFog 3.7.0?Core ConceptsArchitectureQuick Start With Local Deployment
IntroductionDownloadGetting FamiliarResource ManagementConnect/DisconnectLegacy
CLI Reference
iofogctliofogctl attachiofogctl attach agentiofogctl attach edge-resourceiofogctl attach execiofogctl attach exec agentiofogctl attach exec microserviceiofogctl attach volume-mountiofogctl completioniofogctl completion bashiofogctl completion fishiofogctl completion powershelliofogctl completion zshiofogctl configureiofogctl connectiofogctl createiofogctl create namespaceiofogctl deleteiofogctl delete agentiofogctl delete alliofogctl delete application-templateiofogctl delete applicationiofogctl delete catalogitemiofogctl delete certificateiofogctl delete configmapiofogctl delete controlleriofogctl delete edge-resourceiofogctl delete microserviceiofogctl delete namespaceiofogctl delete nats-account-ruleiofogctl delete nats-user-ruleiofogctl delete registryiofogctl delete roleiofogctl delete rolebindingiofogctl delete secretiofogctl delete serviceiofogctl delete serviceaccountiofogctl delete volume-mountiofogctl delete volumeiofogctl deployiofogctl describeiofogctl describe agent-configiofogctl describe agentiofogctl describe application-templateiofogctl describe applicationiofogctl describe certificateiofogctl describe configmapiofogctl describe controlleriofogctl describe controlplaneiofogctl describe edge-resourceiofogctl describe microserviceiofogctl describe namespaceiofogctl describe nats-account-ruleiofogctl describe nats-accountiofogctl describe nats-user-ruleiofogctl describe nats-useriofogctl describe registryiofogctl describe roleiofogctl describe rolebindingiofogctl describe secretiofogctl describe serviceiofogctl describe serviceaccountiofogctl describe system-microserviceiofogctl describe volume-mountiofogctl describe volumeiofogctl detachiofogctl detach agentiofogctl detach edge-resourceiofogctl detach execiofogctl detach exec agentiofogctl detach exec microserviceiofogctl detach volume-mountiofogctl disconnectiofogctl execiofogctl exec agentiofogctl exec microserviceiofogctl getiofogctl legacyiofogctl logsiofogctl moveiofogctl move agentiofogctl move microserviceiofogctl natsiofogctl nats accountsiofogctl nats accounts ensureiofogctl nats operatoriofogctl nats operator describeiofogctl nats usersiofogctl nats users create-mqtt-beareriofogctl nats users createiofogctl nats users credsiofogctl nats users delete-mqtt-beareriofogctl nats users deleteiofogctl pruneiofogctl prune agentiofogctl rebuildiofogctl rebuild microserviceiofogctl rebuild system-microserviceiofogctl renameiofogctl rename agentiofogctl rename applicationiofogctl rename controlleriofogctl rename edge-resourceiofogctl rename microserviceiofogctl rename namespaceiofogctl rollbackiofogctl startiofogctl start applicationiofogctl start microserviceiofogctl stopiofogctl stop applicationiofogctl stop microserviceiofogctl upgradeiofogctl versioniofogctl view
IntroductionPrepare Your NetworkPrepare Realm and OIDC ClientKeycloak DeploymentPrepare Your Remote HostsRemote Control PlaneKubernetes Prepare ClusterExternal Database DeploymentKubernetes iofogctlSetup Your AgentsAirgap Deployment
Securing ClusterRolesRole BindingsCertificates ManagerNATs Account RuleNATs User RuleNATs JWT Authentication
IntroductionAgent ConfigurationAttach/DetachVolumesDocker Image PruningUpgrade/Rollback
IntroductionApplication TemplatesMicroservice Lifecycle ManagementMicroservice LogsMicroservice Move/RenameMicroservice Registry Catalog
YAML KindsControl PlaneAgentApplicationApplication TemplateRegistryCatalogOfflineImageSecretCertificateConfigMapVolumeMountServiceRoleRoleBindingNatsAccountRuleNatsUserRule
ECN Viewer
OverviewConfigurationREST API
OverviewCLI UsageLocal APIConfigurationAgent Logs
HALREST Blue
GuidelinesCode of Conduct

Prepare Realm and OIDC Client

Eclipse ioFog integrates Keycloak as its identity and access management (IAM) solution to provide secure authentication and authorization across the platform. By leveraging Keycloak, ioFog ensures a centralized and scalable approach to manage user identities, roles, and permissions. This integration enables robust Role-Based Access Control (RBAC) for users, ensuring secure access to critical edge infrastructure and applications. With Keycloak, Eclipse ioFog supports Single Sign-On (SSO) and identity federation, streamlining user management while enhancing security, making it an ideal solution for enterprises operating in dynamic and distributed environments.

Roles and permissions

By default preconfigured Eclipse ioFog realm comes with below Realm level roles:

  • pot-Admin
  • pot-SRE
  • pot-Developer
  • pot-Viewer

By default preconfigured Eclipse ioFog realm comes with two client pot-controller and ecn-viewer. ecn-viewerclient comes with Standard Flow , pot-controller client comes with Direct access grants and Service accounts roles

Both pot-controller and ecn-viewer client has tree roles: SRE, Developer and Viewer

Below you can find how realm Level roles are associated with Client level roles.

Realm Role pot-controller ecn-viewer
pot-Admin Admin Admin
pot-SRE SRE SRE
pot-Developer Developer Developer
pot-Viewer Viewer Viewer

Only users with pot-Admin roles can access Keycloak console and add or remove users, configure realm settings.

  • SRE's can deploy, manage and configure both Agents, System Applications, Applications and Microservices.
  • Developer's can deploy, manage and configure Applications and Microservices.
  • Viewer's can only view the cluster resources.

By default users with Developer and Viewer roles need to configure 2FA. If you want to force SRE's to 2FA you need to configure settings on browser dynamic otp flow on Authentication section.

Download PreConfigured Realm Configuration for Eclipse ioFog

You can download preconfigured realm import json for Eclipse ioFog with below command. Replace newRealmValue with the you would like to give for your realm.

wget -q -O - "https://iofog.org/iofog-realm-template.json" | sed 's/\$realm/newRealmValue/g' > datasance-pot-ralm.json
Example
wget -q -O - "https://iofog.org/iofog-realm-template.json" | sed 's/\$realm/test/g' > datasance-pot-realm.json

Import Realm

Import the preconfigured realm json you download in previous step.

Create User

Create user inside imported realm. Create user's password and assign role.

Generate Client Secret

Generate client secret for pot-controller client. Copy and save it, you wil use it while preparing ControlPlane yaml.

Get RealmKey

Get your realKey. Copy and save it, you wil use it while preparing ControlPlane yaml.

Prepare ControlPlane yaml

Now you are ready to deploy ControlPlane with the auth configuration generated on previous steps.

echo "---
apiVersion: iofog.org/v3
kind: KubernetesControlPlane
metadata:
  name: albatros-1
spec:
  iofogUser:
    name: Foo
    surname: Bar
    email: foo@bar.com
    password: testPasword12xlj
  auth:
    url: https://kc-url/
    realm: $realm-name
    realmKey: $realm-key
    ssl: external
    controllerClient: pot-controller
    controllerSecret: $controller-client-secret
    viewerClient: ecn-viewer

Configure ECN-Viewer URL