
zufardhiyaulhaq/sso-kubernetes-lab


Single Sign On with Kubernetes

This lab was created for my presentation at Open Infrastructure & Cloud Native Days Indonesia 2020. It builds a demo of SSO for Kubernetes with Keycloak as the OpenID Connect provider. The lab is only semi-automated, because the Keycloak console configuration is hard to automate.

Requirements:

  • Digital Ocean account. You must have an active Digital Ocean account.
  • Domain for Keycloak. Keycloak will be reachable publicly, so you need a domain (a subdomain is fine) that you control.
  • Public certificate for Keycloak. You can generate one with Let's Encrypt; keep the resulting fullchain.pem and privkey.pem.

Setup Infrastructure

  • Populate do_token in variables.tfvars with a Digital Ocean API token; you can create one as described in the official documentation. The token grants full control of your account, so keep variables.tfvars out of version control.
  • Populate do_ssh_key with your public SSH key.
  • Populate the Keycloak management variables in variables.tfvars with your own values (domain, initial admin username and password):
# Keycloak management
keycloak_domain = ""
keycloak_username = ""
keycloak_password = ""
  • Setup infrastructure
terraform init
terraform apply -var-file="variables.tfvars"

Setup Keycloak

Keycloak runs under docker-compose, fronted by Envoy.

  • Copy fullchain.pem and privkey.pem for your domain into the ansible/keycloak/roles/prepare/files/ directory.
  • Create an A record for your Keycloak domain pointing at the public IP that Terraform created on Digital Ocean.
  • Run ansible to deploy keycloak
cd ansible/keycloak/
ansible-playbook deploy.yaml -i hosts/hosts

Keycloak Configuration

  • Create a new realm named IAM.
    • In the left menu, open the realm selector (master) > Add realm.
    • Fill in the name IAM.
    • Click the Create button.
  • Create the groups kubernetes-admin and kubernetes-viewer.
    • In the left menu, select the IAM realm, go to Manage > Groups.
    • Click the New button and save each group.
  • Create the user admin-user in group kubernetes-admin and the user read-only-user in group kubernetes-viewer.
    • In the left menu, select the IAM realm, go to Manage > Users.
    • Click the Add user button.
    • Enter the username.
    • Click the Save button.
    • You will be redirected to the user's page; go to the Groups tab.
    • Join the user to its group.
    • Go to Credentials, fill in the password, turn off the Temporary flag and click Set password.
  • Add the client kubernetes.
    • In the left menu, select the IAM realm, go to Configure > Clients.
    • Click the Create button.
    • Fill in Client ID with kubernetes.
    • Click the Save button.
  • Modify the kubernetes client configuration.
    • In the left menu, select the IAM realm, go to Configure > Clients.
    • Select the kubernetes client, go to the Settings tab and set:
      option               value
      Access Type          confidential
      Valid Redirect URIs  *
    • The wildcard * accepts any redirect_uri, which is the classic OAuth weakness that lets an authorization code be delivered to a URL the attacker chose. kubelogin only needs its loopback callbacks, http://localhost:8000 and http://localhost:18000; listing those two instead of * is the safer choice.
  • Create a protocol mapper called user_groups in the kubernetes client.
    • In the left menu, select the IAM realm, go to Configure > Clients.
    • Select the kubernetes client, go to the Mappers tab, click Create and set:
      option            value
      Name              user_groups
      Mapper Type       Group Membership
      Token Claim Name  user_groups
    • Check the Full group path switch on the mapper: when it is on (the default), the claim carries /kubernetes-admin rather than kubernetes-admin, and after the API server adds its groups prefix the Kubernetes group is oidc:/kubernetes-admin. Your RBAC bindings must use whichever form the token actually contains.
  • Take note of the kubernetes client secret.
    • In the left menu, select the IAM realm, go to Configure > Clients.
    • Select the kubernetes client, go to the Credentials tab.
    • Copy the Secret; it is used as keycloak_client_secret in the kubeconfig below.
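The console steps above are the part of the lab that is done by hand. As an added example (not part of the original lab or the author's playbooks), the script below creates the same objects through Keycloak's admin REST API, so the configuration can be rebuilt on a fresh instance. It assumes the legacy /auth context path Keycloak used in 2020, the admin credentials from variables.tfvars, and the standard library only; the loopback redirect URIs are the ones kubelogin listens on rather than the wildcard used in the walkthrough.

```python
"""Create the lab's Keycloak realm, groups, users, client and mapper
through the admin REST API. Added example; assumes Keycloak's legacy
/auth path and that the admin user can obtain a token via admin-cli."""
import json
import os
import urllib.parse
import urllib.request

REALM = "IAM"
CLIENT_ID = "kubernetes"
# kubelogin receives the authorization code on these loopback ports,
# so pin them instead of the wildcard "*" from the console walkthrough.
KUBELOGIN_REDIRECTS = ["http://localhost:8000", "http://localhost:18000"]


def realm_payload():
    return {"realm": REALM, "enabled": True}


def group_payload(name):
    return {"name": name}


def user_payload(username, password, group):
    # One UserRepresentation covers the three console steps: create the
    # user, join the group (by path) and set a non-temporary password.
    return {
        "username": username,
        "enabled": True,
        "groups": ["/" + group],
        "credentials": [{"type": "password", "value": password, "temporary": False}],
    }


def client_payload():
    # Confidential client plus the Group Membership mapper that emits the
    # user_groups claim the API server reads. full.path=false yields
    # "kubernetes-admin" rather than "/kubernetes-admin", so the RBAC
    # subject is oidc:kubernetes-admin once the groups prefix is applied.
    return {
        "clientId": CLIENT_ID,
        "protocol": "openid-connect",
        "publicClient": False,
        "redirectUris": KUBELOGIN_REDIRECTS,
        "protocolMappers": [{
            "name": "user_groups",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-group-membership-mapper",
            "config": {
                "claim.name": "user_groups",
                "full.path": "false",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "userinfo.token.claim": "true",
            },
        }],
    }


class KeycloakAdmin:
    def __init__(self, base_url, username, password):
        # Password grant against the master realm's built-in admin-cli client.
        self.base = base_url.rstrip("/")
        form = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password,
        }).encode()
        req = urllib.request.Request(
            f"{self.base}/auth/realms/master/protocol/openid-connect/token",
            data=form, method="POST")
        with urllib.request.urlopen(req) as resp:
            self.token = json.load(resp)["access_token"]

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.base}/auth/admin/realms{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def provision(self, users):
        """users: (username, password, group) triples. Returns the client secret."""
        self._call("POST", "", realm_payload())
        for group in sorted({u[2] for u in users}):
            self._call("POST", f"/{REALM}/groups", group_payload(group))
        for username, password, group in users:
            self._call("POST", f"/{REALM}/users", user_payload(username, password, group))
        self._call("POST", f"/{REALM}/clients", client_payload())
        client = self._call("GET", f"/{REALM}/clients?clientId={CLIENT_ID}")[0]
        return self._call("GET", f"/{REALM}/clients/{client['id']}/client-secret")["value"]


if __name__ == "__main__":
    # KEYCLOAK_URL=https://<keycloak_domain> KEYCLOAK_USER=... KEYCLOAK_PASSWORD=... \
    # ADMIN_USER_PASSWORD=... RO_USER_PASSWORD=... python3 provision_keycloak.py
    admin = KeycloakAdmin(os.environ["KEYCLOAK_URL"], os.environ["KEYCLOAK_USER"],
                          os.environ["KEYCLOAK_PASSWORD"])
    secret = admin.provision([
        ("admin-user", os.environ["ADMIN_USER_PASSWORD"], "kubernetes-admin"),
        ("read-only-user", os.environ["RO_USER_PASSWORD"], "kubernetes-viewer"),
    ])
    print("keycloak_client_secret:", secret)
```

The printed secret is the value the kubeconfig step below expects as keycloak_client_secret. Re-running the script against an existing realm returns HTTP 409 from the first POST; delete the IAM realm first or wrap the calls with existence checks.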

Setup Kubernetes

Kubernetes is installed with minikube using the none driver. The playbook configures the API server for OIDC with the following flags:

  • oidc-username-prefix=oidc:
  • oidc-groups-prefix=oidc:
  • oidc-client-id=kubernetes
  • oidc-username-claim=preferred_username
  • oidc-groups-claim=user_groups
  • oidc-issuer-url=https://{{ keycloak_domain }}/auth/realms/IAM

Run the ansible

cd ansible/kubernetes/
ansible-playbook deploy.yaml -i hosts/hosts

After the playbook finishes you will find an OIDC kubeconfig in /tmp/client-oidc.kubeconfig. Use this kubeconfig to connect to your cluster.

Setup OIDC Kubeconfig

  • Install kubelogin
kubectl krew install oidc-login
  • Open /tmp/client-oidc.kubeconfig and add the following configuration. keycloak_client_secret is the secret copied from the kubernetes client's Credentials tab in Keycloak. Because this kubeconfig is handed to every user, the client secret is effectively shared knowledge; do not rely on it as a strong credential.
contexts:
- context:
    cluster: sso-kubernetes
    user: oidc
  name: sso-kubernetes
current-context: sso-kubernetes
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://{{ keycloak_domain }}/auth/realms/IAM
      - --oidc-client-id=kubernetes
      - --oidc-client-secret={{ keycloak_client_secret }}
      command: kubectl
      env: null
  • Use the kubeconfig. On first use you will be redirected to the Keycloak login page in your browser; log in as one of the users created earlier, admin-user or read-only-user.
KUBECONFIG=/tmp/client-oidc.kubeconfig kubectl get nodes
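When a login succeeds but kubectl reports Forbidden, the first thing to check is what identity the API server derived from the ID token. The following added example (not part of the original lab) decodes a token's claims and applies the same issuer, audience, expiry, prefix and claim-name rules the API server flags above describe. The Keycloak domain and the sample claims are constructed placeholders; the script reads the token without verifying its signature, which the API server does against the issuer's JWKS, so it is a debugging aid, not an authorization check.

```python
"""Show the Kubernetes username and groups an ID token from the IAM realm
maps to. Added example; KEYCLOAK_DOMAIN is a placeholder for
{{ keycloak_domain }} and the sample token below is constructed."""
import base64
import json
import subprocess
import time

KEYCLOAK_DOMAIN = "keycloak.example.com"  # placeholder, not a real host
ISSUER = f"https://{KEYCLOAK_DOMAIN}/auth/realms/IAM"
CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "preferred_username"   # --oidc-username-claim
GROUPS_CLAIM = "user_groups"            # --oidc-groups-claim
USERNAME_PREFIX = "oidc:"               # --oidc-username-prefix
GROUPS_PREFIX = "oidc:"                 # --oidc-groups-prefix


def _b64url(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_claims(token):
    """Return the payload of a compact JWS. No signature check is done here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url(payload))


def kubernetes_identity(claims, now=None):
    """Apply the checks and mappings kube-apiserver performs on an ID token."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError(f"token was not issued for client {CLIENT_ID}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if USERNAME_CLAIM not in claims:
        raise ValueError(f"missing {USERNAME_CLAIM} claim")
    user = USERNAME_PREFIX + claims[USERNAME_CLAIM]
    # Group names are prefixed verbatim: if the Keycloak mapper emits full
    # paths, "/kubernetes-admin" becomes "oidc:/kubernetes-admin".
    groups = [GROUPS_PREFIX + g for g in claims.get(GROUPS_CLAIM, [])]
    return user, groups


def token_from_kubelogin(client_secret):
    """Run the same exec plugin the kubeconfig uses and return its ID token."""
    out = subprocess.run(
        ["kubectl", "oidc-login", "get-token",
         f"--oidc-issuer-url={ISSUER}", f"--oidc-client-id={CLIENT_ID}",
         f"--oidc-client-secret={client_secret}"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)["status"]["token"]


def sample_token(claims):
    """Constructed, unsigned test token in compact JWS layout (dummy signature)."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.c2ln"


# Constructed claims resembling what the IAM realm issues for admin-user.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "exp": 2_000_000_000,
    "preferred_username": "admin-user", "user_groups": ["kubernetes-admin"],
}

if __name__ == "__main__":
    import sys
    token = token_from_kubelogin(sys.argv[1]) if len(sys.argv) > 1 else sample_token(SAMPLE_CLAIMS)
    user, groups = kubernetes_identity(decode_claims(token))
    print("username:", user)
    print("groups:  ", groups)
```

Run it with the client secret as the only argument to inspect a real token from kubelogin, or without arguments to see the mapping for the constructed sample. The printed groups are the exact strings your RoleBinding or ClusterRoleBinding subjects must use.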
