Proof-of-Concept: OpenShift on Power: Configuring an OpenID Connect identity provider

This document outlines the installation of the OpenShift on Power, the installation of the Red Hat Single Sign-On Operator and configuring the two to work together on OCP.

Thanks to Zhimin Wen who helped in my setup of the OIDC with his great work.

Steps

  1. Setup OpenShift Container Platform (OCP) 4.x on IBM® Power Systems™ Virtual Server on IBM Cloud using the Terraform based automation code using the documentation provided. You’ll need to update var.tfvars to match your environment and PowerVS Service settings.
terraform init --var-file=var.tfvars
terraform apply --var-file=var.tfvars
  1. At the end of the deployment, you see an output pointing to the Bastion Server.
bastion_private_ip = "192.168.*.*"
bastion_public_ip = "158.*.*.*"
bastion_ssh_command = "ssh -i data/id_rsa root@158.*.*.*"
bootstrap_ip = "192.168.*.*"
cluster_authentication_details = "Cluster authentication details are available in 158.*.*.* under ~/openstack-upi/auth"
cluster_id = "ocp-oidc-test-cb68"
install_status = "COMPLETED"
master_ips = [
  "192.168.*.*",
  "192.168.*.*",
  "192.168.*.*",
]
oc_server_url = "https://api.ocp-oidc-test-cb68.*.*.*.*.xip.io:6443"
storageclass_name = "nfs-storage-provisioner"
web_console_url = "https://console-openshift-console.apps.ocp-oidc-test-cb68.*.*.*.*.xip.io"
worker_ips = [
  "192.168.*.*",
  "192.168.*.*",
]
  1. Add Hosts Entry
127.0.0.1 console-openshift-console.apps.ocp-oidc-test-cb68.*.xip.io api.ocp-oidc-test-cb68.*.xip.io oauth-openshift.apps.ocp-oidc-test-cb68.*.xip.io
  1. Connect via SSH
sudo ssh -i data/id_rsa -L 5900:localhost:5901 -L443:localhost:443 -L6443:localhost:6443 -L8443:localhost:8443 root@*

You’re connecting on the commandline for a reason with ports forwarded since not all ports are open on the Bastion Server.

  1. Find the OpenShift kubeadmin password in openstack-upi/auth/kubeadmin-password
cat openstack-upi/auth/kubeadmin-password
eZ2Hq-JUNK-JUNKB4-JUNKZN
  1. From Login into the web_console_url, navigate to https://console-openshift-console.apps.ocp-oidc-test-cb68.*.xip.io/

If prompted, accept Security Warnings

  1. Login with the Kubeadmin credentials when promtped
  2. Click OperatorHub
  3. Search for Keycloak
  4. Select Red Hat Single Sign-On Operator
  5. Click Install
  6. On the Install Operator Screen:
    1. Select alpha channel
    2. Select namespace default (if you prefer an alternative namespace, that’s fine this is just a demo)
    3. Click Install
  7. Click on Installed Operators
  8. Watch rhsso-operator for a completed installation, the status should show Succeeded
  9. Once ready, click on the Operator > Red Hat Single Sign-On Operator
  10. Click on Keycloak, create Keycloak
  11. Enter the following YAML:
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: example-keycloak
  labels:
    app: sso
spec:
  instances: 1
  externalAccess:
    enabled: true
  1. Once it’s deployed, click on example-keycloak > YAML. Look for status.externalURL.
status:
  credentialSecret: credential-example-keycloak
  externalURL: 'https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io'
  1. Update the /etc/hosts with
127.0.0.1 keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io 
  1. Click Workloads > Secrets
  2. Click on credential-example-keycloak
  3. Click Reveal values
U: admin
P: <<hidden>>
  1. For Keycloak, login to https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io/auth/admin/master/console/#/realms/master using the revealed secret
  2. Click Add Realm
  3. Enter name test.
  4. Click Create
  5. Click Client
  6. Click Create
  7. Enter ClientId – test
  8. Select openid-connect
  9. Click Save
  10. Click Keys
  11. Click Generate new keys and certificate
  12. Click Settings > Access Type
  13. Select confidential
  14. Enter Valid Redirect URIs https://* we could set this as the OAuth url such as https://oauth-openshift.apps.ocp-oidc-test-cb68.*.xip.io/*
  15. Click Credentials (Copy the Secret), such as:
43f4e544-fa95-JUNK-a298-JUNK
  1. Under Generate Private Key…
    1. Select Archive Format JKS
    2. Key Password: password
    3. Store Password: password
    4. Click Generate and Download
  2. On the Bastion server, create the keycloak secret
oc -n openshift-config create secret generic keycloak-client-secret --from-literal=clientSecret=43f4e544-fa95-JUNK-a298-JUNK
configmap "keycloak-ca" deleted
  1. Grab the ingress CA
oc -n openshift-ingress-operator get secret router-ca -o jsonpath="{ .data.tls\.crt }" | base64 -d -i > ca.crt
  1. Create the keycloak CA secret
oc -n openshift-config create cm keycloak-ca --from-file=ca.crt
configmap/keycloak-ca created
  1. Create the openid Auth Provider
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: keycloak 
      mappingMethod: claim 
      type: OpenID
      openID:
        clientID: console
        clientSecret:
          name: keycloak-client-secret
        ca:
          name: keycloak-ca
        claims: 
          preferredUsername:
          - preferred_username
          name:
          - name
          email:
          - email
        issuer: https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io/auth/realms/test
  1. Logout of the Kubeadmin
  2. On Keycloak, Manage > Users, Click add a user with an email and password. Click Save
  3. Click Credentials
  4. Enter a new password and confirm
  5. Turn Temporary Password off
  6. Navigate to the web_console_url
  7. Select the new IdP
  8. Login with the new user

There is a clear support for OIDC Connect already enabled on OpenShift, and this document outlines how to test with Keycloak.

A handy link for debugging is the openid-configuration

Reference

Blog: Keycloak OIDC Identity Provider for OpenShift

Proof-of-Concept: OpenShift on Power: Configuring an OpenID Connect identity provider

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.