8. Deployment of Intercom Service
The Intercom Service is an intermediary for communication between applications like Nextcloud, OX App Suite, and Matrix. It's part of the Nubus for Kubernetes architecture, but not part of the default deployment.
This section describes the deployment of the Intercom Service in a Kubernetes cluster for Nubus. It covers the mandatory configuration settings and the deployment commands.
See also
- Intercom Service in Univention Nubus for Kubernetes - Architecture Manual [2] for information about the purpose and architecture of the Intercom Service.
- univention_ics Repository at OpenCoDE for the repository of the Helm Chart.
8.1. Mandatory settings for Intercom Service
Intercom Service needs various settings in the Helm Chart values for its deployment. The key-value pairs listed below are mandatory. You need to define them in your custom_values_ics.yaml deployment file before you can deploy Intercom Service. Use a separate deployment file from the one you use for Nubus; don't merge these values into the Nubus values file.
Listing 8.1 shows an example that you can copy as a basis for your adjustments. Intercom Service has all services enabled by default. It's recommended that you deactivate all services in Intercom Service and only activate the ones you actually use, so that no integration is exposed that nobody relies on. Note that the ics_client credentialSecret in the listing is deliberately empty: you must fill in the name and key of the Kubernetes Secret that holds the client secret, or set provisioning.config.ics_client.clientSecret, before deploying.
ics:
  default:
    domain: "ics.example.com"
    secrets: "some_secret_for_ics"
  oidc:
    secret: "some_secret_for_ics_OIDC_client"
  portal:
    apiKey:
      name: "nubus-portal-server-central-navigation-shared-secret"
      key: "authenticator.secret"
    url: "portal.example.com"
  redis:
    password: "some_password_for_redis"
  ingress:
    host: "ics.example.com"
provisioning:
  config:
    nubusBaseUrl: "https://ics.example.com"
    keycloak:
      username: "kcadmin"
      credentialSecret:
        name: "nubus-keycloak-credentials"
        key: "admin_password"
    ics_client:
      credentialSecret:
        name: ""
        key: ""
keycloak:
  enabled: true
  realm: "nubus"
  subdomain: "id.example.com"
matrix:
  enabled: false
nordeck:
  enabled: false
portal:
  enabled: false
openxchange:
  enabled: false
nextcloud:
  enabled: false
- ics.default.domain
  Defines the base domain for the subdomains of the apps.
- ics.secrets
  Defines the value of the shared secret with other services. Intercom Service also uses this setting to sign the session cookie, so anyone who knows it can forge sessions; treat it like a password. It needs to have the same value as provisioning.config.ics_client.clientSecret.
- ics.issuerBaseUrl
  Defines the base URL of the OIDC issuer. You either define ics.keycloak.url and ics.keycloak.realm, or issuerBaseUrl.
- ics.keycloak.url
  Defines the URL to Keycloak as an FQDN. It's mutually exclusive with ics.keycloak.subdomain.
  Example: https://id.example.com
- ics.keycloak.realm
  Defines the Keycloak realm for Intercom Service.
- ics.keycloak.subdomain
  Defines the subdomain where Intercom Service can reach Keycloak. Set the value to the combined values of global.subDomains.keycloak and global.domain.
  Example: id.example.com
- ics.oidc.secret
  Intercom Service registers itself as an OIDC client with Keycloak. This setting defines the client secret for the Intercom Service OIDC client.
- ics.portal.apiKey
  Defines the API key to the Nubus Portal Service. Provide a mapping with the following content:
  name: <release-name>-portal-server-central-navigation-shared-secret
  key: authenticator.secret
- ics.portal.url
  Defines the URL of the Nubus Portal Service. Set the value to the combined values of global.subDomains.portal and global.domain.
  Example: portal.example.com
- ics.redis.password
  Defines the password for the Redis cache service. You need to define the password in the deployment file.
- ics.ingress.host
  Defines the FQDN for Intercom Service. The user's browser must resolve it, because the browser is the client that uses Intercom Service functionality. In most cases the client of these services is the user's browser, not the services inside the cluster network, so a name that only resolves inside the cluster is not sufficient.
  Example: ics.example.com
- provisioning.config.nubusBaseUrl
  Set it to the same value as ics.ingress.host in URL format.
  Example: https://ics.example.com
- provisioning.config.keycloak.username
  The username of a user account in Keycloak that has permission to create a client in Keycloak. Intercom Service uses this user account to create its client in Keycloak on its own.
- provisioning.config.keycloak.credentialSecret
  In Nubus the secret <release-name>-keycloak-credentials contains the value in the key admin_password. You can either set the password in provisioning.config.keycloak.password or provide a pointer to the Kubernetes Secret here. Provide a map with name and key, as shown in Listing 8.1.
- provisioning.config.keycloak.password
  Define the password for provisioning.config.keycloak.username in this setting, or use provisioning.config.keycloak.credentialSecret.
  Recommendation:
- provisioning.config.ics_client.credentialSecret
  Defines where to find the secret for the Intercom Service client. Provide a map with name and key, as shown in Listing 8.1. The referenced value needs to be the same as ics.secrets and provisioning.config.ics_client.clientSecret.
- provisioning.config.ics_client.clientSecret
  Define the value for the Intercom Service client secret. It needs to have the same value as ics.secrets.
  Recommendation:
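The descriptions above impose several cross-field rules (the shared secret must match the provisioned client secret, ics.keycloak.url and ics.keycloak.subdomain are mutually exclusive, Secret references need both name and key, nubusBaseUrl is the ingress host with a scheme). The following pre-flight check, an added example that is not part of the Nubus documentation or the intercom-service chart, encodes those rules so they fail before helm does. It checks an embedded, constructed copy of Listing 8.1 when run without arguments and a real values file (via PyYAML) when given a path; the script name check_ics_values.py is an assumption. Where the page spells a key path two ways (ics.secrets vs. ics.default.secrets, ics.keycloak.* vs. top-level keycloak.*), both spellings are accepted.

```python
"""check_ics_values.py: pre-flight checks for custom_values_ics.yaml.

Added example, not code from the Nubus documentation or the intercom-service
chart. Rules follow the setting descriptions of section 8.1.
"""
from typing import Any

SERVICES = ("keycloak", "matrix", "nordeck", "portal", "openxchange", "nextcloud")


def get(values: dict, *paths: str) -> Any:
    """Return the value at the first dotted path that exists, else None."""
    for path in paths:
        node: Any = values
        for part in path.split("."):
            if not isinstance(node, dict) or part not in node:
                node = None
                break
            node = node[part]
        if node is not None:
            return node
    return None


def secret_ref_ok(ref: Any) -> bool:
    """A credentialSecret / apiKey mapping needs a non-empty name and key."""
    return isinstance(ref, dict) and bool(ref.get("name")) and bool(ref.get("key"))


def validate(values: dict) -> list[str]:
    """Return the list of problems found; an empty list means the values pass."""
    problems: list[str] = []

    def need(path: str, *alt: str) -> Any:
        value = get(values, path, *alt)
        if not value:
            problems.append(f"{path} is missing or empty")
        return value

    need("ics.default.domain")
    need("ics.oidc.secret")
    need("ics.redis.password")
    host = need("ics.ingress.host")

    # Shared secret: ics.secrets must equal the provisioned client secret.
    shared = need("ics.secrets", "ics.default.secrets")
    client_secret = get(values, "provisioning.config.ics_client.clientSecret")
    client_ref = get(values, "provisioning.config.ics_client.credentialSecret")
    if client_secret is None and not secret_ref_ok(client_ref):
        problems.append("provisioning.config.ics_client needs clientSecret "
                        "or a credentialSecret with name and key")
    elif client_secret is not None and shared and client_secret != shared:
        problems.append("provisioning.config.ics_client.clientSecret must equal ics.secrets")

    # Keycloak provisioning account: inline password or a Secret reference, not both.
    need("provisioning.config.keycloak.username")
    kc_password = get(values, "provisioning.config.keycloak.password")
    kc_ref = get(values, "provisioning.config.keycloak.credentialSecret")
    if not kc_password and not secret_ref_ok(kc_ref):
        problems.append("provisioning.config.keycloak needs password "
                        "or a credentialSecret with name and key")
    elif kc_password and kc_ref:
        problems.append("set provisioning.config.keycloak.password or credentialSecret, not both")

    # Issuer: issuerBaseUrl, or realm plus exactly one of url / subdomain.
    issuer = get(values, "ics.issuerBaseUrl")
    realm = get(values, "ics.keycloak.realm", "keycloak.realm")
    url = get(values, "ics.keycloak.url", "keycloak.url")
    subdomain = get(values, "ics.keycloak.subdomain", "keycloak.subdomain")
    if url and subdomain:
        problems.append("ics.keycloak.url and ics.keycloak.subdomain are mutually exclusive")
    if not issuer and not (realm and (url or subdomain)):
        problems.append("define ics.issuerBaseUrl, or ics.keycloak.realm with "
                        "ics.keycloak.url or ics.keycloak.subdomain")

    # Portal: apiKey must reference the portal's central-navigation shared secret.
    api_key = get(values, "ics.portal.apiKey")
    if not secret_ref_ok(api_key):
        problems.append("ics.portal.apiKey must be a mapping with name and key")
    elif (not api_key["name"].endswith("-portal-server-central-navigation-shared-secret")
          or api_key["key"] != "authenticator.secret"):
        problems.append("ics.portal.apiKey should reference <release-name>-portal-server-"
                        "central-navigation-shared-secret / authenticator.secret")
    need("ics.portal.url")

    # nubusBaseUrl is the ingress host in URL form.
    base_url = need("provisioning.config.nubusBaseUrl")
    if base_url and host and base_url != f"https://{host}":
        problems.append(f"provisioning.config.nubusBaseUrl should be https://{host}")
    return problems


def enabled_services(values: dict) -> list[str]:
    """Services switched on; only the ones actually used should appear here."""
    return [s for s in SERVICES if get(values, f"ics.{s}.enabled", f"{s}.enabled") is True]


def sample_values() -> dict:
    """Constructed copy of Listing 8.1 (fresh dict per call), empty ics_client ref included."""
    return {
        "ics": {"default": {"domain": "ics.example.com", "secrets": "some_secret_for_ics"},
                "oidc": {"secret": "some_secret_for_ics_OIDC_client"},
                "portal": {"apiKey": {"name": "nubus-portal-server-central-navigation-shared-secret",
                                      "key": "authenticator.secret"}, "url": "portal.example.com"},
                "redis": {"password": "some_password_for_redis"},
                "ingress": {"host": "ics.example.com"}},
        "provisioning": {"config": {
            "nubusBaseUrl": "https://ics.example.com",
            "keycloak": {"username": "kcadmin", "credentialSecret": {
                "name": "nubus-keycloak-credentials", "key": "admin_password"}},
            "ics_client": {"credentialSecret": {"name": "", "key": ""}}}},
        "keycloak": {"enabled": True, "realm": "nubus", "subdomain": "id.example.com"},
        "matrix": {"enabled": False}, "nordeck": {"enabled": False}, "portal": {"enabled": False},
        "openxchange": {"enabled": False}, "nextcloud": {"enabled": False},
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real values file; PyYAML is only needed for this path
        import yaml
        with open(sys.argv[1]) as fh:
            values = yaml.safe_load(fh)
    else:
        values = sample_values()
    for problem in validate(values):
        print("PROBLEM:", problem)
    print("enabled services:", enabled_services(values))
```

Run it as python3 check_ics_values.py custom_values_ics.yaml before the helm command. Against the unmodified listing it reports exactly one problem, the empty ics_client credentialSecret, which is the gap a copied Listing 8.1 leaves for you to fill.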
8.2. Deploy Intercom Service
To deploy Intercom Service, use the following steps:
1. Make sure you configured the mandatory settings in your custom_values_ics.yaml deployment file for Intercom Service.
2. Define the environment variables for the Helm chart command, as shown in Listing 8.2.
$ export RELEASE_NAME="nubus-ics"
3. Deploy Intercom Service with Helm using the command in Listing 8.3.
$ helm upgrade \
    --install \
    --values custom_values_ics.yaml \
    "$RELEASE_NAME" \
    oci://artifacts.software-univention.de/nubus/charts/intercom-service