This document outlines the installation of the OpenShift on Power, the installation of the Red Hat Single Sign-On Operator and configuring the two to work together on OCP.

Thanks to Zhimin Wen who helped in my setup of the OIDC with his great work.

Steps

1. Setup OpenShift Container Platform (OCP) 4.x on IBM® Power Systems™ Virtual Server on IBM Cloud using the Terraform based automation code using the documentation provided. You’ll need to update var.tfvars to match your environment and PowerVS Service settings.

terraform init --var-file=var.tfvars
terraform apply --var-file=var.tfvars

2. At the end of the deployment, you see an output pointing to the Bastion Server.

bastion_private_ip = "192.168.*.*"
bastion_public_ip = "158.*.*.*"
bastion_ssh_command = "ssh -i data/id_rsa root@158.*.*.*"
bootstrap_ip = "192.168.*.*"
cluster_authentication_details = "Cluster authentication details are available in 158.*.*.* under ~/openstack-upi/auth"
cluster_id = "ocp-oidc-test-cb68"
install_status = "COMPLETED"
master_ips = [
  "192.168.*.*",
  "192.168.*.*",
  "192.168.*.*",
]
oc_server_url = "https://api.ocp-oidc-test-cb68.*.*.*.*.xip.io:6443"
storageclass_name = "nfs-storage-provisioner"
web_console_url = "https://console-openshift-console.apps.ocp-oidc-test-cb68.*.*.*.*.xip.io"
worker_ips = [
  "192.168.*.*",
  "192.168.*.*",
]

2. Add Hosts Entry

127.0.0.1 console-openshift-console.apps.ocp-oidc-test-cb68.*.xip.io api.ocp-oidc-test-cb68.*.xip.io oauth-openshift.apps.ocp-oidc-test-cb68.*.xip.io

3. Connect via SSH

sudo ssh -i data/id_rsa -L 5900:localhost:5901 -L443:localhost:443 -L6443:localhost:6443 -L8443:localhost:8443 root@*

You’re connecting on the commandline for a reason with ports forwarded since not all ports are open on the Bastion Server.

4. Find the OpenShift kubeadmin password in openstack-upi/auth/kubeadmin-password

cat openstack-upi/auth/kubeadmin-password
eZ2Hq-JUNK-JUNKB4-JUNKZN

5. From Login into the web_console_url, navigate to https://console-openshift-console.apps.ocp-oidc-test-cb68.*.xip.io/

If prompted, accept Security Warnings

6. Login with the Kubeadmin credentials when promtped
7. Click OperatorHub
8. Search for Keycloak
9. Select Red Hat Single Sign-On Operator
10. Click Install
11. On the Install Operator Screen:
    1. Select alpha channel
    2. Select namespace default (if you prefer an alternative namespace, that’s fine this is just a demo)
    3. Click Install
12. Click on Installed Operators
13. Watch rhsso-operator for a completed installation, the status should show Succeeded
14. Once ready, click on the Operator > Red Hat Single Sign-On Operator
15. Click on Keycloak, create Keycloak
16. Enter the following YAML:

apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: example-keycloak
  labels:
    app: sso
spec:
  instances: 1
  externalAccess:
    enabled: true

17. Once it’s deployed, click on example-keycloak > YAML. Look for status.externalURL.

status:
  credentialSecret: credential-example-keycloak
  externalURL: 'https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io'

18. Update the /etc/hosts with

127.0.0.1 keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io 

19. Click Workloads > Secrets
20. Click on credential-example-keycloak
21. Click Reveal values

U: admin
P: <<hidden>>

22. For Keycloak, login to https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io/auth/admin/master/console/#/realms/master using the revealed secret
23. Click Add Realm
24. Enter name test.
25. Click Create
26. Click Client
27. Click Create
28. Enter ClientId – test
29. Select openid-connect
30. Click Save
31. Click Keys
32. Click Generate new keys and certificate
33. Click Settings > Access Type
34. Select confidential
35. Enter Valid Redirect URIs https://* we could set this as the OAuth url such as https://oauth-openshift.apps.ocp-oidc-test-cb68.*.xip.io/*
36. Click Credentials (Copy the Secret), such as:

43f4e544-fa95-JUNK-a298-JUNK

35. Under Generate Private Key…
    1. Select Archive Format JKS
    2. Key Password: password
    3. Store Password: password
    4. Click Generate and Download
36. On the Bastion server, create the keycloak secret

oc -n openshift-config create secret generic keycloak-client-secret --from-literal=clientSecret=43f4e544-fa95-JUNK-a298-JUNK
configmap "keycloak-ca" deleted

37. Grab the ingress CA

oc -n openshift-ingress-operator get secret router-ca -o jsonpath="{ .data.tls\.crt }" | base64 -d -i > ca.crt

38. Create the keycloak CA secret

oc -n openshift-config create cm keycloak-ca --from-file=ca.crt
configmap/keycloak-ca created

39. Create the openid Auth Provider

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: keycloak 
      mappingMethod: claim 
      type: OpenID
      openID:
        clientID: console
        clientSecret:
          name: keycloak-client-secret
        ca:
          name: keycloak-ca
        claims: 
          preferredUsername:
          - preferred_username
          name:
          - name
          email:
          - email
        issuer: https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io/auth/realms/test

40. Logout of the Kubeadmin
41. On Keycloak, Manage > Users, Click add a user with an email and password. Click Save
42. Click Credentials
43. Enter a new password and confirm
44. Turn Temporary Password off
45. Navigate to the web_console_url
46. Select the new IdP
47. Login with the new user

There is a clear support for OIDC Connect already enabled on OpenShift, and this document outlines how to test with Keycloak.

A handy link for debugging is the openid-configuration

Reference

Blog: Keycloak OIDC Identity Provider for OpenShift

Proof-of-Concept: OpenShift on Power: Configuring an OpenID Connect identity provider