Ecosyste.ms: Awesome

https://github.com/keycloak/openshift-integration

# Openshift Integration

## Overview

This demo starts an OpenShift cluster configured to authenticate with Keycloak. It also starts Keycloak on the OpenShift cluster.

## Config

There is some configuration of the demo available in the `config` file.

## Use OpenShift Client Tools v.3.10+

OpenShift 3.9 does not contain the features required to integrate with Keycloak. In order to run this demo, you need
to use the latest version of the `oc` client (at the time of writing this doc, it's v3.10.0-rc.0). The other alternative is
building `oc` locally (but this is beyond the scope of this doc).

## Start the demo

To start the demo simply run:

```sh
./openshift-start-configured-cluster
```

This will use `oc cluster` to write configuration to a temporary directory. It will then configure `webhookTokenAuthenticators` for `kube-apiserver`, `openshift-apiserver` and `openshift-controller-manager`. Finally it will start the OpenShift cluster, which should now be secured with Keycloak.

## Try it out

Before trying it out, make sure Keycloak is fully running. You can check this by running `token`. If it returns a bearer token, Keycloak is up and running.

To try things out, run the following (it runs `oc get sa` with a token obtained from Keycloak using the simple utility `token`):

```sh
./openshift-api-try
```

You should see the following:

```
Error from server (Forbidden): serviceaccounts is forbidden: User "admin" cannot list serviceaccounts in the namespace "myproject": User "admin" cannot list serviceaccounts in project "myproject"
```

Run the following to give access to the `admin` user (the command takes the role followed by the user to bind it to):

```sh
oc adm policy add-cluster-role-to-user system:master admin
```

If you get an `Unauthorized` message instead, something is wrong. To debug what's going on, run:

```sh
./openshift-api-logs
```

This will show the logs from the OpenShift API; there should be some information here to help debug the problem.
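The `webhookTokenAuthenticators` configured at start-up and the difference between the `Forbidden` and `Unauthorized` messages above both come down to the `TokenReview` exchange between the API server and Keycloak: the API server posts the bearer token it received from `oc`, the webhook answers whether the token authenticates and as which user, and only an authenticated identity goes on to the RBAC check (which is what produces `Forbidden` until the role is bound). The following is an added illustration, not code from this project or from Keycloak: it models such a webhook in Python. Tokens are signed with HS256 under a constructed shared secret purely so the signature check runs offline (Keycloak issues RS256 tokens); the issuer URL, secret, subject id and sample tokens are all constructed for the example, while the claim names (`iss`, `sub`, `exp`, `preferred_username`, `groups`) are the standard OIDC claims Keycloak emits.

```python
"""Model of the Kubernetes TokenReview webhook that webhookTokenAuthenticators
point the API servers at. Added example, not the project's code: claim names
(iss, sub, exp, preferred_username, groups) are standard OIDC/Keycloak claims,
everything else here (issuer URL, secret, tokens) is constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://keycloak.example.test/auth/realms/demo"  # constructed issuer URL
SECRET = b"constructed-demo-hmac-secret"  # constructed; HS256 stand-in for Keycloak's RS256 key
NOW = 1_700_000_000  # fixed clock so the sample tokens stay valid whenever this runs


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (stand-in for what the demo's `token` utility returns)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now: float):
    """Return the claims when the token is well formed, carries a valid signature under the
    pinned algorithm, names the expected issuer and a subject, and has not expired; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # wrong number of segments, bad base64 or JSON
    if claims.get("iss") != ISSUER or not isinstance(claims.get("sub"), str):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def token_review(request: dict, secret: bytes = SECRET, now: float = None) -> dict:
    """Answer a TokenReview: status.authenticated=false makes the API server reply
    Unauthorized; on success the returned user identity is what RBAC then evaluates."""
    now = time.time() if now is None else now
    response = {
        "apiVersion": request.get("apiVersion", "authentication.k8s.io/v1beta1"),
        "kind": "TokenReview",
        "status": {"authenticated": False},
    }
    token = (request.get("spec") or {}).get("token")
    claims = verify_token(token, secret, now) if isinstance(token, str) else None
    if claims is None:
        return response
    response["status"] = {
        "authenticated": True,
        "user": {
            "username": claims.get("preferred_username", claims["sub"]),
            "uid": claims["sub"],
            "groups": list(claims.get("groups", [])),
        },
    }
    return response


def sample_tokens() -> dict:
    """Constructed tokens: a valid one for 'admin', an expired one, and one whose payload
    was altered after signing (username changed) so the signature no longer matches."""
    base = {"iss": ISSUER, "sub": "constructed-subject-id", "preferred_username": "admin", "exp": NOW + 300}
    valid = sign_token(base, SECRET)
    expired = sign_token({**base, "exp": NOW - 1}, SECRET)
    header, _payload, sig = valid.split(".")
    forged = f"{header}.{_b64url(json.dumps({**base, 'preferred_username': 'root'}).encode())}.{sig}"
    return {"valid": valid, "expired": expired, "forged": forged}


def demo() -> dict:
    """Run each sample token through the webhook and return the status objects by name."""
    results = {}
    for name, tok in sample_tokens().items():
        review = {"apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview", "spec": {"token": tok}}
        results[name] = token_review(review, SECRET, NOW)["status"]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` answers three reviews: the valid token authenticates as `admin`, so the API server proceeds to RBAC (where the `Forbidden` above comes from until the role is bound); the expired and tampered tokens are rejected with `authenticated: false`, which `oc` reports as `Unauthorized`. When debugging the latter with `./openshift-api-logs`, the webhook's verdict on the token is the first thing to look for.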

To run `oc get sa` as the `admin` user from Keycloak, using a token obtained through `kcinit`, run the following:

```sh
oc --token=$(kcinit token) get sa
```

You should now be able to run `./openshift-api-try` and get a list of service accounts from OpenShift.

## Using OpenShift oauth-proxy to authenticate using Keycloak

An example in `examples/oauthproxy.yaml` creates a deployment in your cluster that runs oauth-proxy as a sidecar, intercepting requests to the pod in order to authenticate users with Keycloak:

```sh
oc create -f examples/oauthproxy.yaml
```

## Notes

* The demo is currently not working with secure routes. When a secured route is used for Keycloak, the OpenShift API complains that the certificate is not valid. Keycloak is using edge termination and the certificate should be signed by the default OpenShift CA, but it is still rejected as invalid.

* The demo is not using a released version of Keycloak, but rather an image on Docker Hub built from the `openshift-integration` branch. This image will be updated regularly until the required features are included in a Keycloak release.

* Improve how the token is retrieved to invoke `oc`. Currently tokens are retrieved with a small utility, this should most likely be replaced with `kcinit`.

* Can't delete the temporary OpenShift configuration directory. This leaves some temporary files in `tmp` after running `oc cluster down`, though the OS should clear these on restart.

* Replace OSIN fully. This would allow `oc login` without using the token util and also allow using Keycloak to login to the OpenShift web console.