How to deploy and configure keycloak¶

Goals¶

Keycloak installation¶

Install following operators via OperatorHub
- CloudNativePG (Cerified Operator)
- Keycloak Operator (Red Hat Operator)

Spinup PostgreSQL database via CloudNativePG¶

In my setup we use SAN Storage (iscsi) provided from a Netapp via Trident and the database should run on my control plan/master nodes.

postgresql cluster cr

kind: Cluster
apiVersion: postgresql.cnpg.io/v1
metadata:
  name: pq-for-rhbk
  namespace: rhbk-operator
spec:
  affinity:
    nodeSelector:
      node-role.kubernetes.io/master: ""
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
  instances: 3
  logLevel: info
  primaryUpdateStrategy: unsupervised
  storage:
    size: 3Gi
    storageClass: coe-netapp-san
  walStorage:
    size: 3Gi
    storageClass: coe-netapp-san

Spinup Keycloak¶

I'm using a customer DNS name, sso.coe.muc.redhat.com DNS configuration:

1	`sso.coe.muc.redhat.com. 86400 IN CNAME *.apps.isar.coe.muc.redhat.com.`

SSL Certificate for sso.coe.muc.redhat.com is stared in Vault and copied into a secret via ExternalSecret Operator

ExternalSecret

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cert-wildcard-coe
  namespace: rhbk-operator
spec:
  data:
  - remoteRef:
      key: coe-lab/wildcard-cert-coe
      property: wildcard-coe.chain.cert
    secretKey: tls.crt
  - remoteRef:
      key: coe-lab/wildcard-cert-coe
      property: wildcard-coe.key
    secretKey: tls.key
  refreshInterval: 12h
  secretStoreRef:
    kind: ClusterSecretStore
    name: redhat-vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: cert-wildcard-coe
    template:
      type: kubernetes.io/tls

Deploy Red Hat Build of Keycloak

Keycloak

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: coe-sso
  namespace: rhbk-operator
spec:
  instances: 2
  db:
    vendor: postgres
    host: pq-for-rhbk-rw
    database: app
    usernameSecret:
      name: pq-for-rhbk-app
      key: username
    passwordSecret:
      name: pq-for-rhbk-app
      key: password
  http:
    tlsSecret: cert-wildcard-coe
  hostname:
    hostname: sso.coe.muc.redhat.com

GitOpsified deployment is here: https://github.com/stormshift/clusters/tree/main/isar-apps/keycloak

Keycloak Configuration¶

Login into keycloak, in my case https://sso.coe.muc.redhat.com

Get the initial admin user and password:

# Username
$ oc get secrets -n rhbk-operator  coe-sso-initial-admin  -o jsonpath="{.data.username}" | base64 -d;echo
admin

# Password
$ oc get secrets -n rhbk-operator  coe-sso-initial-admin  -o jsonpath="{.data.password}" | base64 -d;echo
cbd4f....

Create a new realm `coe-sso`¶

Create realm

Screenshot
Realm name: coe-sso

Add group `idp-coe-sso`¶

Select Groups on the left
Click Greate group
Fill out the form, Name: idp-coe-sso
Click Create

Add identity provider¶

Go to "Identity providers" and select one provider of choice - in my case Google.

Screenshot
Fill out the form in your Keycloak instance:
- Copy the Redirect URI and paste it into Google's Authorised redirect URIs part, details: Red Hat SSO - via Google¶
- Copy & Paste Client ID and Client Secret from Google to Keycloak
- Click Add
  
  Screenshot

Configure Identity provider¶

Advanced settings -> Switch on Trust Email

Screenshot
Add Hardcoded Group mapper,
- Go to your identity provider, click Mappers tab next to Settings tab
- Fill out the form:
  
  Screenshot

Create another realm `coe-sso-admin`¶

Idea here is having a second realm analog to the first one, but it creates user with -admin post-fix to the username.

Create a new realm and add identity provider, as described above.
Add a Username Template Importer mapper
- Go to your identity provider, click Mappers tab next to Settings tab
- Fill out the form:
- Template: ${CLAIM.email}-admin
  
  ??? note "Screenshot"
  1
  ![](images/add-identity-provider-mapper.png)

Click Authentication at the left menu
Select Tab Flows
Click Flow name browser

Screenshot
Configure Identity Provider Redirector

Screenshot

Screenshot

Create Client for OpenShift Cluster¶

Click Clients
Select Tab Client list
Click Create client
General Settings
- Important is here Client ID, this is needed for OpenShift OAuth config later
Screenshot
Capability config

Screenshot
Login settings
- Valid redirect URIs: https://oauth-openshift.apps.$cluster-name$.$basedomain$:443/oauth2callback/*
- Web origins: https://oauth-openshift.apps.$cluster-name$.$basedomain$:443
Screenshot
Click Create
Select tab Client scopes
Click $NAME-dedicted client scope
Click Configure a new mapper
Click Group Membership

Screenshot
Fill out form

Screenshot
Go back to Client details
Select tab Credentials
Store/Copy Client secret this is needed for OpenShift OAuth config later

Configure Keycloak at your OpenShift Cluster¶

Go to Administration -> Cluster Settings -> Configuration -> OAuth

Added YAML and add OpenID Connect provider:

- mappingMethod: add
    name: COE-SSO-Admin
    openID:
      ca:
        # Configmap with root ca, key: ca.crt
        name: openid-ca-gnmjm
      claims:
        email:
        - email
        groups:
        - groups
        name:
        - name
        preferredUsername:
        - preferred_username
      clientID: isar.coe.muc.redhat.com
      clientSecret:
        # Secret with client secret, key: clientSecret
        name: openid-client-secrot-coe-sso-admin
      issuer: https://sso.coe.muc.redhat.com/realms/coe-sso-admin
    type: OpenID

Resources¶

2024-02-14 2024-02-14 Contributors: