Proof-of-Concept: OpenShift on Power: Configuring an OpenID Connect identity provider

This document outlines the installation of the OpenShift on Power, the installation of the Red Hat Single Sign-On Operator and configuring the two to work together on OCP.

Thanks to Zhimin Wen who helped in my setup of the OIDC with his great work.


  1. Setup OpenShift Container Platform (OCP) 4.x on IBM® Power Systems™ Virtual Server on IBM Cloud using the Terraform based automation code using the documentation provided. You’ll need to update var.tfvars to match your environment and PowerVS Service settings.
terraform init --var-file=var.tfvars
terraform apply --var-file=var.tfvars
  1. At the end of the deployment, you see an output pointing to the Bastion Server.
bastion_private_ip = "192.168.*.*"
bastion_public_ip = "158.*.*.*"
bastion_ssh_command = "ssh -i data/id_rsa root@158.*.*.*"
bootstrap_ip = "192.168.*.*"
cluster_authentication_details = "Cluster authentication details are available in 158.*.*.* under ~/openstack-upi/auth"
cluster_id = "ocp-oidc-test-cb68"
install_status = "COMPLETED"
master_ips = [
oc_server_url = "https://api.ocp-oidc-test-cb68.*.*.*.*"
storageclass_name = "nfs-storage-provisioner"
web_console_url = "https://console-openshift-console.apps.ocp-oidc-test-cb68.*.*.*.*"
worker_ips = [
  1. Add Hosts Entry console-openshift-console.apps.ocp-oidc-test-cb68.* api.ocp-oidc-test-cb68.* oauth-openshift.apps.ocp-oidc-test-cb68.*
  1. Connect via SSH
sudo ssh -i data/id_rsa -L 5900:localhost:5901 -L443:localhost:443 -L6443:localhost:6443 -L8443:localhost:8443 root@*

You’re connecting on the commandline for a reason with ports forwarded since not all ports are open on the Bastion Server.

  1. Find the OpenShift kubeadmin password in openstack-upi/auth/kubeadmin-password
cat openstack-upi/auth/kubeadmin-password
  1. From Login into the web_console_url, navigate to https://console-openshift-console.apps.ocp-oidc-test-cb68.*

If prompted, accept Security Warnings

  1. Login with the Kubeadmin credentials when promtped
  2. Click OperatorHub
  3. Search for Keycloak
  4. Select Red Hat Single Sign-On Operator
  5. Click Install
  6. On the Install Operator Screen:
    1. Select alpha channel
    2. Select namespace default (if you prefer an alternative namespace, that’s fine this is just a demo)
    3. Click Install
  7. Click on Installed Operators
  8. Watch rhsso-operator for a completed installation, the status should show Succeeded
  9. Once ready, click on the Operator > Red Hat Single Sign-On Operator
  10. Click on Keycloak, create Keycloak
  11. Enter the following YAML:
kind: Keycloak
  name: example-keycloak
    app: sso
  instances: 1
    enabled: true
  1. Once it’s deployed, click on example-keycloak > YAML. Look for status.externalURL.
  credentialSecret: credential-example-keycloak
  externalURL: 'https://keycloak-default.apps.ocp-oidc-test-cb68.*'
  1. Update the /etc/hosts with keycloak-default.apps.ocp-oidc-test-cb68.* 
  1. Click Workloads > Secrets
  2. Click on credential-example-keycloak
  3. Click Reveal values
U: admin
P: <<hidden>>
  1. For Keycloak, login to https://keycloak-default.apps.ocp-oidc-test-cb68.* using the revealed secret
  2. Click Add Realm
  3. Enter name test.
  4. Click Create
  5. Click Client
  6. Click Create
  7. Enter ClientId – test
  8. Select openid-connect
  9. Click Save
  10. Click Keys
  11. Click Generate new keys and certificate
  12. Click Settings > Access Type
  13. Select confidential
  14. Enter Valid Redirect URIs https://* we could set this as the OAuth url such as https://oauth-openshift.apps.ocp-oidc-test-cb68.**
  15. Click Credentials (Copy the Secret), such as:
  1. Under Generate Private Key…
    1. Select Archive Format JKS
    2. Key Password: password
    3. Store Password: password
    4. Click Generate and Download
  2. On the Bastion server, create the keycloak secret
oc -n openshift-config create secret generic keycloak-client-secret --from-literal=clientSecret=43f4e544-fa95-JUNK-a298-JUNK
configmap "keycloak-ca" deleted
  1. Grab the ingress CA
oc -n openshift-ingress-operator get secret router-ca -o jsonpath="{ .data.tls\.crt }" | base64 -d -i > ca.crt
  1. Create the keycloak CA secret
oc -n openshift-config create cm keycloak-ca --from-file=ca.crt
configmap/keycloak-ca created
  1. Create the openid Auth Provider
kind: OAuth
  name: cluster
    - name: keycloak 
      mappingMethod: claim 
      type: OpenID
        clientID: console
          name: keycloak-client-secret
          name: keycloak-ca
          - preferred_username
          - name
          - email
        issuer: https://keycloak-default.apps.ocp-oidc-test-cb68.*
  1. Logout of the Kubeadmin
  2. On Keycloak, Manage > Users, Click add a user with an email and password. Click Save
  3. Click Credentials
  4. Enter a new password and confirm
  5. Turn Temporary Password off
  6. Navigate to the web_console_url
  7. Select the new IdP
  8. Login with the new user

There is a clear support for OIDC Connect already enabled on OpenShift, and this document outlines how to test with Keycloak.

A handy link for debugging is the openid-configuration


Blog: Keycloak OIDC Identity Provider for OpenShift

Proof-of-Concept: OpenShift on Power: Configuring an OpenID Connect identity provider





Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.