This document outlines the installation of OpenShift on Power, the installation of the Red Hat Single Sign-On Operator, and the configuration needed for the two to work together on OCP.
Thanks to Zhimin Wen who helped in my setup of the OIDC with his great work.
Steps
- Set up OpenShift Container Platform (OCP) 4.x on IBM® Power Systems™ Virtual Server on IBM Cloud using the Terraform-based automation code and the documentation provided. You’ll need to update var.tfvars to match your environment and PowerVS Service settings.
terraform init --var-file=var.tfvars
terraform apply --var-file=var.tfvars
- At the end of the deployment, you will see output that includes the Bastion Server details.
bastion_private_ip = "192.168.*.*"
bastion_public_ip = "158.*.*.*"
bastion_ssh_command = "ssh -i data/id_rsa root@158.*.*.*"
bootstrap_ip = "192.168.*.*"
cluster_authentication_details = "Cluster authentication details are available in 158.*.*.* under ~/openstack-upi/auth"
cluster_id = "ocp-oidc-test-cb68"
install_status = "COMPLETED"
master_ips = [
"192.168.*.*",
"192.168.*.*",
"192.168.*.*",
]
oc_server_url = "https://api.ocp-oidc-test-cb68.*.*.*.*.xip.io:6443"
storageclass_name = "nfs-storage-provisioner"
web_console_url = "https://console-openshift-console.apps.ocp-oidc-test-cb68.*.*.*.*.xip.io"
worker_ips = [
"192.168.*.*",
"192.168.*.*",
]
- Add Hosts Entry
127.0.0.1 console-openshift-console.apps.ocp-oidc-test-cb68.*.xip.io api.ocp-oidc-test-cb68.*.xip.io oauth-openshift.apps.ocp-oidc-test-cb68.*.xip.io
- Connect via SSH
sudo ssh -i data/id_rsa -L 5900:localhost:5901 -L443:localhost:443 -L6443:localhost:6443 -L8443:localhost:8443 root@*
You connect on the command line with these ports forwarded because not all ports are open on the Bastion Server.
- Find the OpenShift kubeadmin password in
openstack-upi/auth/kubeadmin-password
cat openstack-upi/auth/kubeadmin-password
eZ2Hq-JUNK-JUNKB4-JUNKZN
- Log in at the web_console_url: navigate to https://console-openshift-console.apps.ocp-oidc-test-cb68.*.xip.io/
If prompted, accept Security Warnings
- Log in with the kubeadmin credentials when prompted
- Click OperatorHub
- Search for Keycloak
- Select Red Hat Single Sign-On Operator
- Click Install
- On the Install Operator Screen:
- Select alpha channel
- Select namespace default (if you prefer an alternative namespace, that’s fine this is just a demo)
- Click Install
- Click on Installed Operators
- Watch rhsso-operator until the installation completes; the status should show Succeeded
- Once ready, click on the Operator > Red Hat Single Sign-On Operator
- Click Keycloak, then Create Keycloak
- Enter the following YAML:
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: example-keycloak
  labels:
    app: sso
spec:
  instances: 1
  externalAccess:
    enabled: true
- Once it’s deployed, click on example-keycloak > YAML. Look for status.externalURL:
status:
  credentialSecret: credential-example-keycloak
  externalURL: 'https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io'
- Update the /etc/hosts with
127.0.0.1 keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io
- Click Workloads > Secrets
- Click on credential-example-keycloak
- Click Reveal values
U: admin
P: <<hidden>>
- For Keycloak, login to https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io/auth/admin/master/console/#/realms/master using the revealed secret
- Click Add Realm
- Enter name test.
- Click Create
- Click Client
- Click Create
- Enter ClientId – test
- Select openid-connect
- Click Save
- Click Keys
- Click Generate new keys and certificate
- Click Settings > Access Type
- Select confidential
- Enter Valid Redirect URIs: https://*
This wildcard is the widest setting; a narrower value is the cluster’s OAuth URL, such as https://oauth-openshift.apps.ocp-oidc-test-cb68.*.xip.io/*, which only allows redirects back to OpenShift.
- Click Credentials (Copy the Secret), such as:
43f4e544-fa95-JUNK-a298-JUNK
- Under Generate Private Key…
- Select Archive Format JKS
- Key Password: password
- Store Password: password
- Click Generate and Download
- On the Bastion server, create the keycloak secret
oc -n openshift-config create secret generic keycloak-client-secret --from-literal=clientSecret=43f4e544-fa95-JUNK-a298-JUNK
- Grab the ingress CA
oc -n openshift-ingress-operator get secret router-ca -o jsonpath="{ .data.tls\.crt }" | base64 -d -i > ca.crt
- Create the keycloak CA secret
oc -n openshift-config create cm keycloak-ca --from-file=ca.crt
configmap/keycloak-ca created
- Create the OpenID identity provider by applying the following OAuth resource (the clientID must match the Client ID created in Keycloak, test in this walkthrough, and the issuer must point at the realm that holds that client):
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: keycloak
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: test  # same value as the Keycloak Client ID
      clientSecret:
        name: keycloak-client-secret
      ca:
        name: keycloak-ca
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      issuer: https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io/auth/realms/test
- Log out of the kubeadmin session
- In Keycloak, go to Manage > Users, click Add user, enter an email and password, and click Save
- Click Credentials
- Enter a new password and confirm
- Turn Temporary Password off
- Navigate to the web_console_url
- Select the new IdP
- Login with the new user
OpenShift already has clear built-in support for OpenID Connect, and this document outlines how to test it with Keycloak.
A handy link for debugging is the issuer’s openid-configuration document, served at https://keycloak-default.apps.ocp-oidc-test-cb68.*.xip.io/auth/realms/test/.well-known/openid-configuration for the realm used here.
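As an added example (not from the original post or the Red Hat SSO project), this script cross-checks the OAuth identity provider above against the Keycloak client settings: the client IDs must match, the issuer must be the https URL of realm test, and Keycloak’s Valid Redirect URIs must cover OpenShift’s callback https://oauth-openshift.<apps domain>/oauth2callback/<idp name>, which is why https://* works but is wider than needed. The dict values and the apps domain are constructed from the masked values in the steps, and the script also builds the openid-configuration URL mentioned for debugging.

```python
from urllib.parse import urlsplit

# Constructed from the OAuth resource's openID section in the steps above.
OAUTH_IDP = {
    "name": "keycloak",
    "clientID": "test",
    "issuer": "https://keycloak-default.apps.ocp-oidc-test-cb68.example.xip.io/auth/realms/test",
}

# Constructed from the Keycloak client created in realm "test".
KEYCLOAK_CLIENT = {"realm": "test", "clientId": "test", "redirectUris": ["https://*"]}

# Constructed placeholder for the masked xip.io apps domain.
APPS_DOMAIN = "apps.ocp-oidc-test-cb68.example.xip.io"

def callback_url(apps_domain, idp_name):
    """OpenShift sends the OIDC response here; Keycloak must list it as valid."""
    return f"https://oauth-openshift.{apps_domain}/oauth2callback/{idp_name}"

def redirect_allowed(redirect_uris, url):
    """Keycloak semantics: exact match, or a trailing '*' matches any suffix."""
    return any(url.startswith(p[:-1]) if p.endswith("*") else url == p
               for p in redirect_uris)

def check_wiring(idp, client, apps_domain):
    """Return findings that would break or weaken the login flow (empty = OK)."""
    findings = []
    if idp["clientID"] != client["clientId"]:
        findings.append(f"clientID {idp['clientID']!r} != Keycloak client {client['clientId']!r}")
    issuer = urlsplit(idp["issuer"])
    if issuer.scheme != "https" or not issuer.path.endswith(f"/realms/{client['realm']}"):
        findings.append(f"issuer {idp['issuer']} is not an https URL for realm {client['realm']!r}")
    cb = callback_url(apps_domain, idp["name"])
    if not redirect_allowed(client["redirectUris"], cb):
        findings.append(f"callback {cb} is not covered by Valid Redirect URIs")
    elif any(p in ("*", "https://*") for p in client["redirectUris"]):
        findings.append(f"Valid Redirect URIs are wide open; tighten to {cb}")
    return findings

def discovery_url(issuer):
    """The openid-configuration document that is handy for debugging the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

if __name__ == "__main__":
    for finding in check_wiring(OAUTH_IDP, KEYCLOAK_CLIENT, APPS_DOMAIN):
        print("WARN:", finding)
    print("discovery:", discovery_url(OAUTH_IDP["issuer"]))
```

Run as-is it reports only the wide-open redirect URI warning; changing clientID to console (as a copy-paste slip would) adds a mismatch finding, and setting the redirect URI to the exact callback clears both.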
Reference
Blog: Keycloak OIDC Identity Provider for OpenShift
Proof-of-Concept: OpenShift on Power: Configuring an OpenID Connect identity provider