This lab was created for my presentation at Open Infrastructure & Cloud Native Days Indonesia 2020. It builds a demo of SSO for Kubernetes with Keycloak as the OIDC identity provider. The lab is semi-automated: the infrastructure and both deployments are driven by Terraform and Ansible, while the Keycloak realm configuration is hard to automate and is done by hand in the admin console.
Requirements:
- Digital Ocean account. You must have an active Digital Ocean account.
- Domain for Keycloak. Keycloak will be reachable publicly, so you need a domain (a subdomain is fine) that you can point at it.
- Public certificate for Keycloak. You can generate one with Let's Encrypt; keep the resulting `fullchain.pem` and `privkey.pem`.
- Populate `do_token` in `variables.tfvars` with a Digital Ocean API token (the official documentation describes how to create one).
- Populate `do_ssh_key` with your public SSH key.
- Populate the Keycloak management section of `variables.tfvars` with your own values. Choose a strong `keycloak_password`: it is the admin account of a publicly reachable identity provider.

```
# Keycloak management
keycloak_domain = ""
keycloak_username = ""
keycloak_password = ""
```
- Set up the infrastructure:

```
terraform init
terraform apply -var-file="variables.tfvars"
```

Keycloak will run under docker-compose, fronted by Envoy.

- Copy `fullchain.pem` and `privkey.pem` for your domain into the `ansible/keycloak/roles/prepare/files/` directory.
- Create an A record for your Keycloak domain pointing to the public IP that Terraform created on Digital Ocean.
- Run Ansible to deploy Keycloak:

```
cd ansible/keycloak/
ansible-playbook deploy.yaml -i hosts/hosts
```
- Create a new realm named `IAM`:
  - In the left menu, open the realm dropdown (`master`) and click `add realm`.
  - Fill the name with `IAM`.
  - Click the `create` button.
- Create the groups `kubernetes-admin` and `kubernetes-viewer`:
  - In the left menu, select the `IAM` realm, then go to `manage` > `groups`.
  - Click the `new` button and create each group.
- Create the user `admin-user` assigned to group `kubernetes-admin`, and the user `read-only-user` assigned to group `kubernetes-viewer`:
  - In the left menu, select the `IAM` realm, then go to `manage` > `users`.
  - Click the `add user` button and fill in the username.
  - Click the `save` button. You will be redirected to the user's page; go to the `groups` tab.
  - Join the user to its group.
  - Go to `credentials`, fill in the password, turn off the `temporary` flag and click `set password`.
- Add the client `kubernetes`:
  - In the left menu, select the `IAM` realm, then go to `configure` > `clients`.
  - Click the `create` button.
  - Fill `client ID` with `kubernetes`.
  - Click the `save` button.
- Modify the `kubernetes` client configuration:
  - In the left menu, select the `IAM` realm, then go to `configure` > `clients`.
  - Select the `kubernetes` client, go to the `settings` tab and set:

  | option | value |
  |---|---|
  | Access type | confidential |
  | Valid Redirect URIs | * |

  `confidential` makes the client present a secret when exchanging the authorization code, which is why the kubeconfig below carries one. The `*` redirect URI is convenient for a lab but makes Keycloak send the authorization code to any URL the login request asks for; outside the lab, restrict it to the loopback callbacks that `kubectl oidc-login` listens on (`http://localhost:8000` and `http://localhost:18000` by default).
- Create a protocol mapper called `user_groups` in the `kubernetes` client:
  - In the left menu, select the `IAM` realm, then go to `configure` > `clients`.
  - Select the `kubernetes` client, go to the `mappers` tab and create a mapper with:

  | option | value |
  |---|---|
  | name | user_groups |
  | mapper_type | Group Membership |
  | Token Claim Name | user_groups |

  Note that the Group Membership mapper's `Full group path` option is on by default, which makes the claim value `/kubernetes-admin` rather than `kubernetes-admin`. Whichever you keep, the group names in your RBAC bindings must match the claim value exactly, including the `oidc:` prefix the API server adds below.
- Take note of the `kubernetes` client secret:
  - In the left menu, select the `IAM` realm, then go to `configure` > `clients`.
  - Select the `kubernetes` client, go to the `credentials` tab and copy the secret. Treat it as a credential: together with a user's password it is enough to obtain tokens for this cluster.
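The console steps above are the part of the lab that is done by hand. As an added example (not part of the original lab or its playbooks), the script below performs the same realm, group, user, client and mapper setup through Keycloak's admin REST API, using only the standard library. It assumes the legacy `/auth` URL prefix that the lab's issuer URL uses (Keycloak 17+ drops it), that `KEYCLOAK_URL`, the admin credentials and the demo user password are placeholders you replace, and it deliberately deviates from the console table in two places: the redirect URIs are the kubelogin loopback callbacks instead of `*`, and the mapper's `full.path` is set to `false` so the claim value is the bare group name. It is not idempotent; run it against a freshly deployed Keycloak.

```python
"""Provision the IAM realm for the Kubernetes SSO lab via Keycloak's admin REST API."""
import json
import urllib.parse
import urllib.request

# Assumed placeholders: change to match variables.tfvars and the users you want.
KEYCLOAK_URL = "https://keycloak.example.com"
ADMIN_USER, ADMIN_PASSWORD = "admin", "change-me"
REALM = "IAM"
GROUPS = ["kubernetes-admin", "kubernetes-viewer"]
USERS = {"admin-user": "kubernetes-admin", "read-only-user": "kubernetes-viewer"}
USER_PASSWORD = "change-me-too"  # constructed demo value, never reuse it
# Loopback callbacks used by `kubectl oidc-login` (ports 8000 and 18000 by default).
REDIRECT_URIS = ["http://localhost:8000", "http://localhost:18000"]


def group_mapper(claim_name: str) -> dict:
    """Group Membership mapper emitting the user's groups under `claim_name`."""
    # full.path=false yields "kubernetes-admin" instead of "/kubernetes-admin".
    return {
        "name": claim_name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-group-membership-mapper",
        "config": {
            "claim.name": claim_name,
            "full.path": "false",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def client_representation(client_id: str, redirect_uris: list) -> dict:
    """Confidential OIDC client for kubelogin's authorization-code flow."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,        # "Access type: confidential"
        "standardFlowEnabled": True,  # authorization code flow
        "redirectUris": list(redirect_uris),
        "protocolMappers": [group_mapper("user_groups")],
    }


def id_from_location(location: str) -> str:
    """Keycloak answers creates with 201 and a Location ending in the new id."""
    return location.rstrip("/").rsplit("/", 1)[-1]


class Admin:
    """Minimal admin-API client: password grant on admin-cli, then bearer calls."""

    def __init__(self, base: str, user: str, password: str):
        self.base = base.rstrip("/")
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": user, "password": password}).encode()
        req = urllib.request.Request(self.base + "/auth/realms/master/protocol/openid-connect/token", data=form)
        token = json.load(urllib.request.urlopen(req))["access_token"]
        self.headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}

    def call(self, method: str, path: str, body=None):
        """Return (status, parsed JSON body or None, Location header or None)."""
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + "/auth/admin" + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None), resp.headers.get("Location")


def provision(kc: Admin) -> str:
    """Create realm, groups, users and client; return the client secret."""
    kc.call("POST", "/realms", {"realm": REALM, "enabled": True})
    group_ids = {}
    for name in GROUPS:
        _, _, loc = kc.call("POST", "/realms/%s/groups" % REALM, {"name": name})
        group_ids[name] = id_from_location(loc)
    for username, group in USERS.items():
        _, _, loc = kc.call("POST", "/realms/%s/users" % REALM, {"username": username, "enabled": True})
        uid = id_from_location(loc)
        kc.call("PUT", "/realms/%s/users/%s/groups/%s" % (REALM, uid, group_ids[group]))
        kc.call("PUT", "/realms/%s/users/%s/reset-password" % (REALM, uid),
                {"type": "password", "value": USER_PASSWORD, "temporary": False})
    _, _, loc = kc.call("POST", "/realms/%s/clients" % REALM, client_representation("kubernetes", REDIRECT_URIS))
    _, secret, _ = kc.call("GET", "/realms/%s/clients/%s/client-secret" % (REALM, id_from_location(loc)))
    return secret["value"]


if __name__ == "__main__":
    print(provision(Admin(KEYCLOAK_URL, ADMIN_USER, ADMIN_PASSWORD)))
```

The secret printed at the end is the value the kubeconfig step needs as `keycloak_client_secret`; pipe it somewhere safer than a terminal scrollback if you keep the cluster around.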
Kubernetes is set up with minikube using the `none` driver. The playbook automatically configures the API server for OIDC with the following flags:

- oidc-username-prefix=oidc:
- oidc-groups-prefix=oidc:
- oidc-client-id=kubernetes
- oidc-username-claim=preferred_username
- oidc-groups-claim=user_groups
- oidc-issuer-url=https://{{ keycloak_domain }}/auth/realms/IAM

Because of the prefixes, Keycloak user `admin-user` is seen by Kubernetes as `oidc:admin-user` and the `kubernetes-admin` group as `oidc:kubernetes-admin`, so RBAC subjects must use the prefixed names. The prefixes keep identities from the identity provider from colliding with built-in users and groups such as `system:masters`.

Run the Ansible playbook:

```
cd ansible/kubernetes/
ansible-playbook deploy.yaml -i hosts/hosts
```

After the playbook finishes you will get an OIDC kubeconfig at `/tmp/client-oidc.kubeconfig`. Use this kubeconfig to connect to your cluster.
- Install kubelogin:

```
kubectl krew install oidc-login
```

- Open `/tmp/client-oidc.kubeconfig` and add the following configuration. `keycloak_client_secret` is the secret of the `kubernetes` client in Keycloak; the file now holds a credential, so keep its permissions restrictive (`chmod 600`).

```yaml
contexts:
- context:
    cluster: sso-kubernetes
    user: oidc
  name: sso-kubernetes
current-context: sso-kubernetes
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://{{ keycloak_domain }}/auth/realms/IAM
      - --oidc-client-id=kubernetes
      - --oidc-client-secret={{ keycloak_client_secret }}
      command: kubectl
      env: null
```

- Use the kubeconfig. On first use your browser is redirected to the Keycloak login page; log in as one of the users created above, `admin-user` or `read-only-user`. kubelogin caches the token, so subsequent commands do not prompt again until it expires.

```
KUBECONFIG=/tmp/client-oidc.kubeconfig kubectl get nodes
```
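When `kubectl get nodes` comes back with `Forbidden`, the usual question is which username and groups the API server actually derived from the ID token. As an added example (not code from the lab), the following script decodes an ID token the way kube-apiserver does and applies the `--oidc-*` flags listed above, including the documented edge cases for `--oidc-username-prefix` (`-` disables the prefix, an unset prefix defaults to `<issuer>#`). The `keycloak.example.com` issuer and the `SAMPLE_CLAIMS` are constructed stand-ins for the real token; to inspect a real one, pass the output of `kubectl oidc-login get-token` to `decode_claims`. The signature is deliberately not verified here: only the API server, with the realm's JWKS, can do that.

```python
"""Decode an OIDC ID token and derive the Kubernetes identity kube-apiserver would see."""
import base64
import json
import time
from typing import List, Optional, Tuple

# Mirrors the flags the playbook sets; the domain stands in for keycloak_domain.
APISERVER_OIDC = {
    "issuer_url": "https://keycloak.example.com/auth/realms/IAM",
    "client_id": "kubernetes",
    "username_claim": "preferred_username",
    "username_prefix": "oidc:",
    "groups_claim": "user_groups",
    "groups_prefix": "oidc:",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned (alg=none) token")
    return json.loads(_b64url_decode(payload_b64))


def kubernetes_identity(claims: dict, cfg: dict, now: Optional[float] = None) -> Tuple[str, List[str]]:
    """Map claims to (username, groups) following kube-apiserver's documented rules.

    --oidc-username-prefix "-" means no prefix; an unset prefix defaults to
    "<issuer>#" unless the username claim is "email"; --oidc-groups-prefix is
    prepended to every group when set.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["issuer_url"]:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if cfg["client_id"] not in aud:
        raise ValueError("token was not issued for client %r" % cfg["client_id"])
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")

    username = claims.get(cfg["username_claim"])
    if not username:
        raise ValueError("missing username claim %r" % cfg["username_claim"])
    prefix = cfg.get("username_prefix") or ""
    if prefix == "-":
        prefix = ""
    elif prefix == "" and cfg["username_claim"] != "email":
        prefix = cfg["issuer_url"] + "#"

    raw_groups = claims.get(cfg["groups_claim"], [])
    raw_groups = [raw_groups] if isinstance(raw_groups, str) else list(raw_groups)
    groups = [cfg.get("groups_prefix", "") + g for g in raw_groups]
    return prefix + username, groups


def sample_token(claims: dict) -> str:
    """Constructed demo token: real header/payload layout, fake signature bytes."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-key"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed claims resembling what the IAM realm issues for admin-user.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.com/auth/realms/IAM",
    "aud": "kubernetes",
    "sub": "5d2a5e7c-demo",
    "exp": 4102444800,  # 2100-01-01, so the sample never expires
    "iat": 1600000000,
    "preferred_username": "admin-user",
    "user_groups": ["kubernetes-admin"],
}

if __name__ == "__main__":
    user, groups = kubernetes_identity(decode_claims(sample_token(SAMPLE_CLAIMS)), APISERVER_OIDC)
    print("user:", user)
    print("groups:", groups)
```

If the groups printed here do not match the subjects in your ClusterRoleBindings (for example `oidc:/kubernetes-admin` because `Full group path` was left on in the mapper), that is the cause of the `Forbidden`.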