Changes from 5 commits
Commits
63 commits
eaab062
Add OpenID IngressRoute
KavanPrice Mar 13, 2025
fb59dd8
Add Keycloak deployment
KavanPrice Mar 13, 2025
45aac27
Add startup realm importing
KavanPrice Mar 17, 2025
cb867ca
Add oauth to Grafana config
KavanPrice Mar 17, 2025
614a94e
Add keytab volume
KavanPrice Mar 17, 2025
8d0668b
Add requested PR changes
djnewbould Mar 21, 2025
0d0ea83
Add local secret grafana mount
djnewbould Mar 21, 2025
127c692
Add realm creation to service-setup
KavanPrice Mar 25, 2025
f73f3b6
Add service lookup for provided client configs
KavanPrice Mar 25, 2025
da8c668
Add Grafana client config values
KavanPrice Mar 25, 2025
dd65a24
Fix keytab secret names
KavanPrice Mar 25, 2025
4205c43
Add client_secret volume mount
KavanPrice Mar 25, 2025
101fe91
Fix config and add startup backoff
KavanPrice Mar 25, 2025
7200867
Add generic client-secret fetching
KavanPrice Mar 25, 2025
acdc62a
Rename client-secret to be findable by service-setup
KavanPrice Mar 25, 2025
ac7c368
Fix misnamed grafana client ID
KavanPrice Mar 26, 2025
4f6daea
Fix misnamed grafana secret
KavanPrice Mar 26, 2025
b35cf42
Change to use realm instead of base URL in ACS config
KavanPrice Mar 26, 2025
9a80e55
Use setTimeout from timers/promises
KavanPrice Mar 26, 2025
284b8d9
Timeout bugfix
KavanPrice Mar 26, 2025
15ed6a7
Remove unused client keytab
KavanPrice Mar 26, 2025
e935fbb
Add dynamic LocalSecret generation
KavanPrice Mar 26, 2025
e0b480f
Fix helm loop bug
KavanPrice Mar 26, 2025
3493233
Remove `items` from keytabs mount
amrc-benmorrow Mar 27, 2025
e51b307
Allow OpenID errors to cause service-setup to exit
amrc-benmorrow Mar 27, 2025
47fab3e
Reference client secrets correctly
amrc-benmorrow Mar 27, 2025
b4e4963
Merge in testing/v4
amrc-benmorrow Mar 27, 2025
98af79f
Remove Grafana Basic auth middleware
amrc-benmorrow Mar 27, 2025
94e7ed0
Log realm details on creation
amrc-benmorrow Mar 27, 2025
e83d828
Give Keycloak a PVC
amrc-benmorrow Mar 27, 2025
fcb2dc1
Log full client information
amrc-benmorrow Mar 27, 2025
d075eee
Tell Grafana its external root URL
amrc-benmorrow Mar 27, 2025
4f97679
Disable Grafana auth via the middleware
amrc-benmorrow Mar 27, 2025
d9a6c76
Grafana config changes
amrc-benmorrow Mar 27, 2025
688292b
Java doesn't accept KRB5_CONFIG
amrc-benmorrow Mar 27, 2025
fea8727
Keycloak needs to use Recreate strategy
amrc-benmorrow Mar 27, 2025
8c20987
Fix login and logout for basic users
KavanPrice Mar 30, 2025
08a3193
Add client role mapping
KavanPrice Mar 31, 2025
f17aa0e
Add client role creation
KavanPrice Mar 31, 2025
edb12fc
Add admin-cli permissions to create users
KavanPrice Apr 1, 2025
7fa281d
Add default role to client
KavanPrice Apr 1, 2025
5189e03
Add creation of admin user
KavanPrice Apr 1, 2025
c4a33d2
Add client role mapping for admin user
KavanPrice Apr 1, 2025
9d44e3d
Refactor OpenID setup
amrc-benmorrow Apr 3, 2025
cf237dc
Always create client roles
amrc-benmorrow Apr 3, 2025
b7e7294
Use a LocalSecret for the admin service client
amrc-benmorrow Apr 3, 2025
28b296d
Fix some logging
amrc-benmorrow Apr 3, 2025
c177e65
Missing await
amrc-benmorrow Apr 3, 2025
ae0290b
We need to call try_fetch, not native fetch
amrc-benmorrow Apr 3, 2025
c77c634
Error in admin user creation
amrc-benmorrow Apr 3, 2025
62c36cd
The admin@ account is no longer the service account
amrc-benmorrow Apr 3, 2025
01a0585
Log if the admin user doesn't exist
amrc-benmorrow Apr 3, 2025
628e344
UserRepresentation.credentials is an array
amrc-benmorrow Apr 3, 2025
da8e5d9
We must clone a Request to reuse it
amrc-benmorrow Apr 3, 2025
fbfbdfc
Rename the Keycloak bootstrap user
amrc-benmorrow Apr 3, 2025
1461db3
Create admin@ linked to Kerberos
amrc-benmorrow Apr 4, 2025
2034cae
Assign admin user roles correctly
amrc-benmorrow Apr 4, 2025
1d6aea2
Remove Grafana admin user secret
amrc-benmorrow Apr 4, 2025
b063321
We can't remove the grafana-internal admin user
amrc-benmorrow Apr 4, 2025
e263eac
Assign Grafana roles from OAuth
amrc-benmorrow Apr 4, 2025
847a97b
Try to get OpenID roles visible in Grafana
amrc-benmorrow Apr 4, 2025
a379116
Restore OpenID role mapper
amrc-benmorrow Apr 4, 2025
b4f4da2
We need to look up the client ID.
amrc-benmorrow Apr 4, 2025
17 changes: 17 additions & 0 deletions deploy/templates/openid/openid-admin-user.yaml
@@ -0,0 +1,17 @@
{{- if .Values.openid.enabled }}
{{- if not (lookup "v1" "Secret" .Release.Namespace "openid-admin-user") }}

apiVersion: v1
kind: Secret
metadata:
name: "openid-admin-user"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
username: {{ (printf "admin@%s" (.Values.identity.realm | required "values.identity.realm is required!") | b64enc) | quote }}
password: {{ (printf "" | b64enc) | quote }}

{{- end }}
{{- end -}}
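Review bot: the bootstrap admin credential is an empty string: `password: {{ (printf "" | b64enc) | quote }}` renders to `password: ""`, and the Deployment in this PR feeds that Secret key straight into `KEYCLOAK_ADMIN_PASSWORD`, so the Keycloak master-realm administrator is created with no usable password. The `lookup` guard and the `helm.sh/resource-policy: keep` annotation are the right pattern for a generated secret that must survive upgrades and uninstalls, but they only help if the value is actually generated; use Sprig, e.g. `password: {{ randAlphaNum 32 | b64enc | quote }}`, which the `lookup` guard then keeps stable across upgrades, or state in the chart what external step populates this key before the openid pod first starts. One caveat for the `lookup` approach: `helm template` and `--dry-run` have no cluster to look up, so they will always render a fresh Secret; that is acceptable for a generated password but worth a comment in the file.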
23 changes: 23 additions & 0 deletions deploy/templates/openid/openid-ingress.yaml
@@ -0,0 +1,23 @@
{{ if .Values.openid.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: openid-ingressroute
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- {{ .Values.acs.secure | ternary "websecure" "web" }}
routes:
- match: Host(`openid.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}`)
kind: Rule
services:
- name: openid
port: 80
namespace: {{ .Release.Namespace }}
{{- if .Values.acs.secure }}
tls:
secretName: {{ coalesce .Values.openid.tlsSecretName .Values.acs.tlsSecretName }}
domains:
- main: openid.{{.Values.acs.baseUrl | required "values.acs.baseUrl is required"}}
{{- end -}}
{{- end -}}
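Review bot: with `acs.secure` false the route is bound to the plain `web` entrypoint (`- {{ .Values.acs.secure | ternary "websecure" "web" }}`) while the openid Deployment in this PR sets `KC_PROXY` to `edge`, which tells Keycloak to assume TLS was terminated at the proxy and to trust the forwarded headers. In that combination the OIDC issuer serves its login form, authorization codes, tokens and the admin console over cleartext HTTP, and Keycloak itself will not object because it believes the edge is secure. Either make TLS a hard requirement when OpenID is enabled, for example `{{ if and .Values.openid.enabled (not .Values.acs.secure) }}{{ fail "openid requires acs.secure" }}{{ end }}` at the top of the template, or document the insecure entrypoint as development-only. The `coalesce .Values.openid.tlsSecretName .Values.acs.tlsSecretName` fallback is fine, but `values.yaml` should say that a wildcard certificate covering `openid.<baseUrl>` is expected when the per-service secret is not set.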
89 changes: 89 additions & 0 deletions deploy/templates/openid/openid.yaml
@@ -0,0 +1,89 @@
{{ if .Values.openid.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: openid
namespace: {{ .Release.Namespace }}
labels:
component: openid
spec:
replicas: {{ .Values.openid.replicas | default 1 }}
selector:
matchLabels:
component: openid
template:
metadata:
labels:
component: openid
factory-plus.service: openid
spec:
{{- with .Values.acs.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: openid
image: "{{ .Values.openid.image.repository }}:{{ .Values.openid.image.tag }}"
imagePullPolicy: {{ .Values.openid.image.pullPolicy }}
args: ["start-dev", "--import-realm"]
env:
- name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: openid-admin-user
key: username
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: openid-admin-user
key: password
- name: KC_PROXY
value: "edge"
- name: KC_HEALTH_ENABLED
value: "true"
- name: KRB5_CONFIG
value: /config/krb5-conf/krb5.conf
ports:
- name: http
containerPort: 8080
readinessProbe:
httpGet:
path: /health/ready
port: 9000
volumeMounts:
- name: realm-config
mountPath: /opt/keycloak/data/import
readOnly: true
- name: krb5-conf
mountPath: /config/krb5-conf
- name: krb5-keytab
mountPath: /etc/keytabs
volumes:
- name: realm-config
configMap:
name: keycloak-realm-config
- name: krb5-conf
configMap:
name: krb5-conf
- name: krb5-keytabs
secret:
secretName: krb5-keytabs
items:
- path: client
key: sv1openid
- path: server
key: http.openid
---
apiVersion: v1
kind: Service
metadata:
name: openid
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
factory-plus.service: openid
{{- end }}
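Review bot: the pod template does not validate as written: the container mount is named `krb5-keytab` (`- name: krb5-keytab` / `mountPath: /etc/keytabs`) but the volume is declared as `- name: krb5-keytabs`, and the API server rejects a Deployment whose volumeMounts reference an undefined volume, so `helm install` fails for every deployment with `openid.enabled`. Rename one side to match. Beyond that, `args: ["start-dev", "--import-realm"]` runs Keycloak in development mode (embedded dev-file database, relaxed hostname handling, dev caching), and together with `replicas: {{ .Values.openid.replicas | default 1 }}` any value above 1 gives each replica its own private database; for anything beyond a lab, use `start` with `KC_DB` and `KC_HOSTNAME` configured, and if the data directory lives on a single PVC pin the strategy to Recreate as a later commit in this PR does. The readiness probe on `port: 9000` targets Keycloak's management interface, which only exists from Keycloak 25 onward; older images serve `/health/ready` on 8080, so the probe never succeeds with an earlier `openid.image.tag`, which should be documented or pinned. Two smaller points: add `readOnly: true` to the `krb5-conf` and keytab mounts as `realm-config` already has, and note that the `KRB5_CONFIG` environment variable is not read by the JVM (the commit "Java doesn't accept KRB5_CONFIG" in this PR says as much); the JVM takes the `java.security.krb5.conf` system property, which can be passed via `JAVA_OPTS_APPEND` in the Keycloak image, or falls back to `/etc/krb5.conf`.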