{"id":18804923,"url":"https://github.com/mrbobbytables/oidckube","last_synced_at":"2025-10-07T23:18:10.656Z","repository":{"id":87135069,"uuid":"135077243","full_name":"mrbobbytables/oidckube","owner":"mrbobbytables","description":"Wrapper for minikube that provisions and integrates it with Keycloak","archived":false,"fork":false,"pushed_at":"2020-04-01T09:25:23.000Z","size":29,"stargazers_count":41,"open_issues_count":1,"forks_count":15,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-13T19:12:21.587Z","etag":null,"topics":["keycloak","kubernetes","minikube","oidc"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mrbobbytables.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-27T19:56:55.000Z","updated_at":"2024-08-23T10:47:05.000Z","dependencies_parsed_at":"2023-03-18T07:00:35.542Z","dependency_job_id":null,"html_url":"https://github.com/mrbobbytables/oidckube","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mrbobbytables/oidckube","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrbobbytables%2Foidckube","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrbobbytables%2Foidckube/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrbobbytables%2Foidckube/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrbobbytables%2Foidckube/manifests","owner_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/owners/mrbobbytables","download_url":"https://codeload.github.com/mrbobbytables/oidckube/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrbobbytables%2Foidckube/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278861080,"owners_count":26058641,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keycloak","kubernetes","minikube","oidc"],"created_at":"2024-11-07T22:41:02.933Z","updated_at":"2025-10-07T23:18:10.605Z","avatar_url":"https://github.com/mrbobbytables.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# oidckube\n\nOidckube functions as a wrapper around [minikube](https://github.com/kubernetes/minikube) that will initialize, deploy,\nand partially configure the instance to use [Keycloak](https://www.keycloak.org/); an Open Source Identity and Access\nManagement tool as an Authentication Source. 
The Keycloak manifests are based off the\n[Keycloak Helm Chart](https://github.com/kubernetes/charts/tree/master/incubator/keycloak).\n\n## Requirements\n\n* [minikube](https://github.com/kubernetes/minikube)\n* [Virtualbox](https://www.virtualbox.org/wiki/Downloads)\n* [cfssl and cfssljson](https://pkg.cfssl.org/)\n* [jq](https://stedolan.github.io/jq/download/)\n\n**NOTE:** This script only supports Virtualbox as the virtualization provider for minikube \n(use `minikube config set vm-driver virtualbox` to override). If the cfssl and jq \nrequirements are not found, it will attempt to download and install them locally into the `bin` sub-directory.\n\n## Usage\n\n1. Within the project directory, create a `config` file based off the supplied config example (`config.example`). If\nyou opt to forgo doing so, one based off the `config.example` file will be generated automatically. This file is used\nby both `oidckube.sh` and `login.sh` to configure and authenticate to Keycloak.\n\n|         Variable         |       Default       |                                                              Description                                                             |\n|:------------------------:|:-------------------:|:------------------------------------------------------------------------------------------------------------------------------------:|\n|    `KEYCLOAK_ADDRESS`    | `keycloak.devlocal` | Address for the locally deployed instance of Keycloak                                                                                |\n|   `KEYCLOAK_AUTH_REALM`  |        `k8s`        | Name of the realm within Keycloak used for Kubernetes Authentication                                                                 |\n|   `KEYCLOAK_CLIENT_ID`   |      `oidckube`     | Name of the OIDC client used for Kubernetes Authentication                                                                           |\n| `KEYCLOAK_CLIENT_SECRET` |                     | OIDC Secret associated with the Client ID. **NOTE:** This cannot be populated ahead of time, and is generated by Keycloak itself. |\n\n2. Run `./oidckube.sh init`. This will automate the certificate generation, CA certificate insertion, deploy\nKeycloak, and configure minikube to use the Host's DNS resolver.\n3. Modify your system's `/etc/hosts` file with the information printed out from the previous step. This will allow \nboth your host and minikube instance to reference the `KEYCLOAK_ADDRESS`.\n4. Log in to the Keycloak administrator portal by going to `https://\u003cKEYCLOAK_ADDRESS\u003e` e.g. `https://keycloak.devlocal`,\nand use the credentials `keycloak` / `keycloak`. **NOTE:** Keycloak takes a few moments to start after minikube comes up\nand may not be immediately accessible once booted.\n5. Create a new auth realm using the same name as defined in the `KEYCLOAK_AUTH_REALM` config. **NOTE:** If you are\nusing the default config, at this time you may import the `k8s-realm-example.json` to skip the group and client\nconfiguration (you will however have to generate a new client secret). For the import, select only `Import groups`, \n`Import clients`, and `Import client roles`, then set it to `skip` if the resource already exists.\n6. Navigate to the `clients` section and create a new client.\n7. Give it the same name as defined in the `KEYCLOAK_CLIENT_ID` config.\n8. At the new client configuration page, if you'd like to change the Authorization type from `Public` to `Confidential`,\nchange the `Access Type` to be `confidential`, and configure the `Valid Redirect URI` to be\n`https://\u003cKEYCLOAK_ADDRESS\u003e/*`. Then press `Save`. Otherwise, you may leave it as is. If you did change it to\n`Confidential`, click on the Credentials Tab and generate a new secret, then copy the Secret and update the config file\nsetting `KEYCLOAK_CLIENT_SECRET` to the newly generated value.\n9. Click on the `Mappers` Tab and then `Create`.\n10. Call this new mapping `groups`, set the `Mapper Type` to `Group Membership` and `Token Claim Name` to `groups`,\nthen save.\n11. Add a second Mapping, called `email_verified`. Set the `Mapper Type` to `Hardcoded claim`, the `Token Claim Name`\nto `email_verified`, `Claim value` to `true`, and `Claim JSON Type` to `boolean`. This is **ONLY** required in\nversions of Kubernetes less than 1.11. For information regarding this claim, see this GitHub issue:\n[kubernetes/kubernetes#59496](https://github.com/kubernetes/kubernetes/issues/59496).\n12. Navigate to the `Groups` section and create 2 new groups: `cluster-users` and `cluster-admins`. These map to the\ncluster role bindings created during initialization (`manifests/crb-users.yaml` and `manifests/crb-admins.yaml`).\n13. Go to `Users` and create two new users giving them fake emails e.g. `admin@keycloak.devlocal` and \n`user@keycloak.devlocal`, assigning them a password under the `Credentials` tab, and lastly add one to each of the\ngroups created in the previous step. At this point, Keycloak is now configured. **NOTE:** If you would like to\nassign the user an optional TOTP, you may impersonate them from the `Users` view and configure their `Authenticator`.\n14. Shut down the VM with `./oidckube.sh stop`. This is needed to reconfigure the `kube-apiserver`.\n15. Run `./oidckube.sh start` to start the minikube instance up with the generated OIDC config. Give it time to fully\nboot up.\n16. Run `./login.sh`. It will prompt you for a username, password and an optional TOTP code. Use the email address of\none of the accounts created earlier. The `./login.sh` script will add the user automatically to your kube config.\n17. Create a new context using the newly added account. e.g.:\n```\n$ kubectl config set-context oidckube-user --cluster=minikube --user=user@keycloak.devlocal --namespace=default\n\u003cor\u003e\n$ kubectl config set-context oidckube-admin --cluster=minikube --user=admin@keycloak.devlocal --namespace=default\n```\nBoth the instance of minikube and your local client should be configured to use OIDC for server authentication.\nThe cluster role bindings map the group `cluster-users` to the `view` cluster role, and `cluster-admins` to the\n`cluster-admin` role.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrbobbytables%2Foidckube","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrbobbytables%2Foidckube","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrbobbytables%2Foidckube/lists"}