Hello!
Discussions were disabled, so apologies for posting this as an issue. :)
Most of my company colleagues aren't as terminal-savvy as me and a former worker had deployed a k3s cluster here. Now I added Headlamp as a nice Web UI to give my colleague an entrypoint into the cluster so they can see what it is doing and the like.
However, I had wanted to use our existing Keycloak OIDC structure, bound to our AD, to enable seamless SSO. And I can, in fact, click the login button and it "logs me in" - but the browser console tells me that I am unauthenticated.
Granted, I know that it is attempting to authenticate me directly with the API server through OIDC.
Question is, how can I realize that, without having to share a singular service account token around? I shared it with another colleague for now so they can try Headlamp out besides myself, but I would like to integrate it into our existing infrastructure.
Since the container has the service account loaded and a ClusterRoleBinding is established, Headlamp can authenticate with this just fine, in theory.
Is there anything I missed or that I have to do to make it work?
Here is the current deployment, in full:
Full deployment YAML
Thanks and kind regards!
@senpro-ingwersenk Did you follow these docs to set up Headlamp with Keycloak OIDC? Can you redact sensitive information and share a screenshot/logs of the error that you see in the browser console?
The guide assumes that Keycloak is hosted outside the cluster - which mine is not.
```
# kubectl get -n keycloak all
NAME                           READY   STATUS    RESTARTS   AGE
pod/keycloak-9dd979546-rpzp8   3/3     Running   0          2d7h

NAME               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/keycloak   ClusterIP   10.43.212.197   <none>        8080/TCP   271d

NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/keycloak   1/1     1            1           271d

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/keycloak-584bf4c8bf   0         0         0       237d
replicaset.apps/keycloak-5965995bf    0         0         0       84d
replicaset.apps/keycloak-5f65ffd5fb   0         0         0       84d
replicaset.apps/keycloak-6f89f874f    0         0         0       271d
replicaset.apps/keycloak-8694c4785    0         0         0       84d
replicaset.apps/keycloak-9dd979546    1         1         1       2d7h
```
So I did my best to try and make a configuration and deployment that would get close to this - but logging in via OIDC to Headlamp shows this in my browser console:
When I use the kubectl create token command and use the result of that to log in, it works just fine. But I can not find out the longevity of that token, which is why I would like to just reuse my existing Keycloak - but it is also already inside the cluster, not outside as the guide assumes.
I did try to find similar options for k3s in particular, but couldn't - but it is likely that I missed it.
@senpro-ingwersenk Hi! Thanks for your efforts to run it. I really wonder why it is important to distinguish between Keycloak outside the cluster and inside - I think in both cases you should publish Keycloak outside with an Ingress (i.e. Traefik in your case?) and use a domain name pointing to the ingress. Also please check that the services published with the ingress are accessible from the cluster itself - it could be an issue, particularly when running in clouds like DO.
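Two practical checks come up in this thread: how long a `kubectl create token` token actually lives (it is a JWT, so the answer is in its `exp` claim; `kubectl create token` defaults to one hour and accepts `--duration` to change that), and whether the OIDC issuer published through the Ingress is reachable from inside the cluster, which the API server needs in order to fetch the issuer's discovery document. The script below is an added example and is not code from Headlamp or from anyone in this thread. It decodes a token's claims with only `base64`, `sed` and `cut`, computes the remaining lifetime, and builds the discovery URL to `curl` from a pod. The demo token it constructs is unsigned (`alg: none`) and exists only so the parser can be exercised offline; the hostnames, namespace and service-account name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Headlamp project or this thread): inspect a
# Kubernetes bearer token's claims and lifetime, and derive the OIDC discovery
# URL that must be reachable from inside the cluster.

# b64url_decode STRING: reverse unpadded base64url into raw bytes
b64url_decode() {
  _s=$(printf '%s' "$1" | tr '_-' '/+')
  # restore '=' padding so a strict base64 decoder accepts it
  case $(( ${#_s} % 4 )) in
    2) _s="${_s}==" ;;
    3) _s="${_s}=" ;;
  esac
  printf '%s' "$_s" | base64 -d
}

# jwt_claim TOKEN NAME: print one top-level claim from the JWT payload.
# Handles quoted strings and bare numbers; no jq dependency.
jwt_claim() {
  _payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$_payload" |
    sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# jwt_seconds_left TOKEN [NOW]: seconds until the exp claim; negative if expired
jwt_seconds_left() {
  _exp=$(jwt_claim "$1" exp)
  _now=${2:-$(date +%s)}
  echo $(( _exp - _now ))
}

# oidc_discovery_url ISSUER: the document the API server fetches from the issuer.
# Run `curl -fsS "$(oidc_discovery_url "$ISSUER")"` from a pod to confirm the
# Ingress hostname resolves and answers from inside the cluster.
oidc_discovery_url() {
  printf '%s/.well-known/openid-configuration' "${1%/}"
}

# make_demo_token ISS SUB IAT EXP: build an UNSIGNED demo JWT (alg none) purely
# so the functions above can be exercised offline.
make_demo_token() {
  _hdr=$(printf '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')
  _pl=$(printf '{"iss":"%s","sub":"%s","iat":%s,"exp":%s}' "$1" "$2" "$3" "$4" |
    base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.' "$_hdr" "$_pl"
}

# Constructed demo, shaped like the output of
# `kubectl create token headlamp -n headlamp` (namespace and name assumed).
DEMO_TOKEN=$(make_demo_token "https://kubernetes.default.svc.cluster.local" \
  "system:serviceaccount:headlamp:headlamp" 1700000000 1700003600)
echo "subject:    $(jwt_claim "$DEMO_TOKEN" sub)"
echo "issuer:     $(jwt_claim "$DEMO_TOKEN" iss)"
echo "expires in: $(jwt_seconds_left "$DEMO_TOKEN" 1700000000)s"
echo "discovery:  $(oidc_discovery_url https://keycloak.example.internal/realms/k8s)"
```

With a real token, `jwt_seconds_left "$(kubectl create token headlamp -n headlamp)"` shows the default lifetime directly, which is the number the original post could not find. The discovery URL check is the one to run from a pod, not from a workstation, because a hostname that resolves on the office network but not from the cluster's DNS is exactly the failure the maintainer's comment warns about.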