This demo starts an OpenShift cluster configured to authenticate with Keycloak. It also starts Keycloak on the OpenShift cluster.
There is some configuration of the demo available in the config file.
OpenShift 3.9 does not contain the features required to integrate with Keycloak. To run this demo you need the latest version of the oc client (at the time of writing, v3.10.0-rc.0). The alternative is to build oc locally, but that is beyond the scope of this doc.
To start the demo simply run:
./openshift-start-configured-cluster
This uses oc cluster up to write the cluster configuration to a temporary directory. It then adds webhookTokenAuthenticators entries to the configuration of kube-apiserver, openshift-apiserver and openshift-controller-manager, and finally starts the OpenShift cluster, which should now authenticate users through Keycloak.
Before trying it out, make sure Keycloak is fully running. You can check this by running the token utility: if it returns a bearer token, Keycloak is up and running.
To try things out, run the following (it runs oc get sa with a token obtained from Keycloak using the small token utility):
./openshift-api-try
You should see the following:
Error from server (Forbidden): serviceaccounts is forbidden: User "admin" cannot list serviceaccounts in the namespace "myproject": User "admin" cannot list serviceaccounts in project "myproject"
This is expected: the token was accepted, so authentication succeeded, but the user has no role bound yet. Run the following to give the user access (for the token above the username is admin):
oc adm policy add-cluster-role-to-user system:master <username>
If you get an Unauthorized message instead, the token itself was not accepted and something is wrong. To debug what's going on run:
./openshift-api-logs
This will show the logs from the OpenShift API, there should be some information here to help debug the problem.
Once access is granted you can also invoke oc directly with a token from kcinit; for example, to run oc get sa as the Keycloak admin user:
oc --token=$(kcinit token) get sa
You should now be able to run ./openshift-api-try and get a list of service accounts from OpenShift.
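How the pieces above fit together, as an added example that is not code from the demo, OpenShift or Keycloak: a stand-alone Python model of a webhookTokenAuthenticator endpoint answering the API server's TokenReview, followed by the authorization step that produces the Forbidden message shown earlier. The HS256 signing key, the issuer URL https://keycloak.example/auth/realms/openshift, the cluster-admin role name and the in-memory role table are assumptions for illustration (Keycloak signs tokens with RS256 and the real API server consults its RBAC store). What the model preserves is the two failure modes: an invalid, tampered or expired token is refused by the webhook and surfaces as Unauthorized, while a valid token for a user with no role binding passes authentication and fails authorization as Forbidden.

```python
"""Model of the token path this demo wires up.

OpenShift's webhookTokenAuthenticators setting makes the API server POST a
TokenReview to a webhook, which answers whether the bearer token is valid and
who presented it. RBAC runs only afterwards, which is why a valid token without
a role yields Forbidden while a bad token yields Unauthorized.

Added example, not code from the demo, OpenShift or Keycloak. The HS256 key,
issuer URL, role name and role table are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-only-hs256-key"  # constructed; a real deployment uses Keycloak's RS256 realm key
ISSUER = "https://keycloak.example/auth/realms/openshift"  # assumed realm URL
API_VERSION = "authentication.k8s.io/v1beta1"
ADMIN_ROLE = "cluster-admin"  # role name used by this model


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username, groups=(), ttl=300, now=None, key=SIGNING_KEY):
    """Issue a signed JWT standing in for the one the token utility fetches from Keycloak."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({
        "iss": ISSUER, "sub": f"uid-{username}", "preferred_username": username,
        "groups": list(groups), "iat": now, "exp": now + ttl,
    }).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_token(token, now=None, key=SIGNING_KEY):
    """Return the claims if signature, algorithm, issuer and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        # Verify the signature before parsing anything else from the untrusted token.
        expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # forged or tampered
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed JWT at all
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" from the token
        return None
    if claims.get("iss") != ISSUER or int(claims.get("exp", 0)) <= now:
        return None  # wrong realm, or expired
    return claims


def token_review(request, now=None):
    """Answer a TokenReview the way a webhookTokenAuthenticator endpoint must."""
    claims = verify_token(request.get("spec", {}).get("token", ""), now=now)
    review = {"apiVersion": API_VERSION, "kind": "TokenReview"}
    if claims is None:
        review["status"] = {"authenticated": False}
    else:
        review["status"] = {
            "authenticated": True,
            "user": {"username": claims["preferred_username"], "uid": claims["sub"],
                     "groups": claims.get("groups", [])},
        }
    return review


# Constructed stand-in for the cluster's ClusterRoleBindings: username -> cluster roles.
CLUSTER_ROLE_BINDINGS = {}


def add_cluster_role_to_user(role, username):
    """Model of `oc adm policy add-cluster-role-to-user <role> <username>`."""
    CLUSTER_ROLE_BINDINGS.setdefault(username, set()).add(role)


def api_request(token, verb, resource, namespace, now=None):
    """Mimic the API server: authenticate via the webhook, then authorize.
    Returns (http_status, message) so the two failure modes stay distinguishable."""
    review = token_review({"apiVersion": API_VERSION, "kind": "TokenReview",
                           "spec": {"token": token}}, now=now)
    if not review["status"]["authenticated"]:
        return 401, "Unauthorized"  # the webhook rejected the token: check the API logs
    user = review["status"]["user"]["username"]
    if ADMIN_ROLE in CLUSTER_ROLE_BINDINGS.get(user, set()):
        return 200, "OK"
    return 403, (f'Error from server (Forbidden): {resource} is forbidden: User "{user}" '
                 f'cannot {verb} {resource} in the namespace "{namespace}"')


if __name__ == "__main__":
    tok = mint_token("admin", groups=["keycloak-users"])
    print(api_request(tok, "list", "serviceaccounts", "myproject"))  # 403 until a role is bound
    add_cluster_role_to_user(ADMIN_ROLE, "admin")
    print(api_request(tok, "list", "serviceaccounts", "myproject"))  # 200
    print(api_request("not-a-token", "list", "serviceaccounts", "myproject"))  # 401
```

The signature is checked before any claim is parsed and the algorithm is pinned rather than read from the token; both are the checks a real webhook (or Keycloak's own token validation) has to make, and skipping either is the classic way a token authenticator gets bypassed.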
An example in examples/oauthproxy.yaml creates a deployment in your cluster that uses oauthproxy as a sidecar, intercepting requests to the pod in order to authenticate users with Keycloak:
oc create -f examples/oauthproxy.yaml
- The demo is currently not working with secure routes. When Keycloak is exposed through a secured route, the OpenShift API complains that the certificate is not valid. Keycloak uses edge termination and the certificate should be signed by the default OpenShift CA, but it is still rejected.
- The demo is not using a released version of Keycloak, but an image on Docker Hub built from the openshift-integration branch. This image will be updated regularly until the required features are included in a Keycloak release.
- Improve how the token is retrieved to invoke oc. Currently tokens are retrieved with a small utility; this should most likely be replaced with kcinit.
- The temporary OpenShift configuration directory can't be deleted, so some temporary files are left in tmp after oc cluster down. These should be cleared by the OS on restart.
- Replace OSIN fully. This would allow oc login without the token utility and also allow using Keycloak to log in to the OpenShift web console.