OpenShift, SSO and KeyCloak and Active Directory | DELL Technologies (2023)

Motivationfor this article. There is no easy-to-follow example of using Keycloak OpenID Connect (OIDC) authentication with OpenShift using Active Directory as the user federation source.

Furthermore,most examples from the internetfor the OIDCI assumethis too;

• The KeyCloak OIDC server certificate is signed by a well-known external certificate authorityO.,
• You already know how to extract a certificate from the Keycloak server and create the ca.crt file in the proper format for OpenShift to interpret.

In my case, the KeyCloak server is a private entity and not exposed to the internet. Also, I will use a self-signed certificate, as the KeyCloak server is internal and accessible via a private IP. So I had to resort to a method that would work with these limitations.

What will we get?

OpenShift OAuth workflow with KeyCloak OIDC and Active Directory user federation.

• In this example, you willconfigure KeyCloak as an OIDC providerfor the provisioned OpenShift cluster
• OThe KeyCloak server will run as a podon the OpenShift cluster in a dedicated project
• Once the KeyCloak server is up and running, we will create a new domain and client configuration for the OpenShift cluster
• Next, we will configure Active Directory user federation with read-only access to allow AD domain users to connect to OpenShift cluster via Keycloak IDP
• Next, we will configure a new OAuth identity provider on the OpenShift cluster to connect to the Keycloak server as defined in the client configuration above
• Finally, we will configure the RBAC permissions on the OpenShift cluster to create a new group and role membership to assign specific users to the cluster admin role

prerequisites

Your OpenShift cluster is configured and ready to go.Make sure the proper RedHat installation process is completed according to your preferred platform and version.https://docs.openshift.com/container-platform/4.10/installing/index.html

you have a wildcardFQDN registryto your DNS server for the OpenShift cluster which maps to the IP address of the Ingress VIP that your applications and Keycloak server will use.

*.aplicativos. . x.x.x.x Exemplo? *.apps.cluster-01.lab.local 192.168.112.177

The stand-alone or single-node cluster deployment model will also work just fine. However, for this article and demo environment, we used a 3-node cluster deployment with programmable master and worker nodes.

In summary, you can perform the following actions on a Linux machine that has the openshift-install binary and access to vCenter Server if you are using IPI in a vSphere environment.

Create the following DNS entry. . x.x.x.x *.apps. . x.x.x.x Download and extract the vCenter certificates - https:// /certs/downloads.zip cp certs/lin/* /etc/pki/ca-trust/source/anchors update-ca-trust extract Create the installation directory and templates configuration mkdir ./openshift-install create install-config --dir? vsphere platform; vCenter; Username admin@vsphere.local? Password [? for help] ************* ? Set ; Default data storage? Virtual IP address for API? Virtual IP address for login? Basic domain? cluster name? Pull the secret [? for help] Edit the install config file only if you want to deploy a 3 node cluster (default will deploy 3 x masters + 3 worker nodes) cd vi install-config.yaml #### edit worker node ## ## copies: 0 ../openshift-install create manifests Note: WARNING Schedule control plane by setting MastersScheulable to true for cluster configurations of Scheduler Start cluster deployment (total build time about 20-30 minutes) cd . . ./openshift cluster --dir --log -level = info

Once the cluster is successfully deployed and completed, you can use the generated kubeconfig file to authenticate and connect to the cluster via the kubectl cli tool

export KUBECONFIG=~/ /auth/kubeconfig kubectl download nodes;

Additionally, we will use the oc tool provided by RedHat to perform CLI-based actions on the cluster. Download the oc toolset and install as appropriate (e.g.https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable/openshift-client-linux.tar.gz)

oc login You must obtain an API token by accessing https://oauth-openshift.apps. . /oauth/token/request Use the kubeadmin password provided when completing the cluster deployment to log in and retrieve the "kubeadmin" token and password: "xxxxx-xxxxx-xxxxx-xxxxx" Display the token and copy the complete command to do login to oc cluster login --token=sha256~xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --server=https://api. . :6443 the c gets nodes

We are now ready to proceed with KeyCloak server deployment and configuration.

Stage 1: Deploy KeyCloak Server Group

we will make use of itoctool to create a new project and deploy the Keycloak server from a github repository as documented in the following guide (https://www.keycloak.org/getting-started/getting-started-openshift)

oc new project keycloakoc process -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/openshift-examples/keycloak.yaml \ -p KEYCLOAK_ADMIN=admin \ -p KEYCLOAK_ADMIN_PASSWORDNAMESPACESPACE \ -p keycloak \| oc create -f You should see the following outputservice/keycloak createroute.route.openshift.io/keycloak createddeploymentconfig.apps.openshift.io/keycloak create Wait a few minutes and verify that the group is created and runningoc gets pods You should see something status similar belowNAME READY STATUS REBOOT AGEkeycloak-1-deploy 0/1 Completed 0 1mkeycloak-1-l9kdx 1/1 Running 0 1mRun the following command to extract the URLs for the Keycloak admin and account consolesKEYCLOAK_URL=https:// $oc route keycloak --template='{ { .spec.host }}') &&echo "" &&echo "Keycloak: $KEYCLOAK_URL" &&echo "Keycloak Admin Console: $KEYCLOAK_URL/admin" &&echo "Keycloak Account Console: $KEYCLOAK_URL /account " &&echo " "

Step 2 Create Domain and Client on KeyCloak Server

You can browse to the KeyCloak Admin Console FQDN and login to the Admin Console with the URL retrieved in the previous step and the credentials below.

https://keycloak-keycloak.apps. . /Administrator

User name:Administrator
Password:Administrator

After successfully logging in, you can change your admin password by accessing the account management console using the link in the upper right corner of the screen.

Once redirected to the account management console, click on the Sign in link located under Account Security

And update your password with a new password

You can then navigate back to the admin console using the link in the top right corner of the screen

We will now create a new domain by hovering over the Master dropdown in the top left corner and clicking on the Add Domain button

Give the domain a name and make sure the activate button is enabled before clicking the create button

Next we will create a new client to be used by the OpenShift cluster.

Go to the Clients tab using the left menu and click on the Create button in the upper right corner of the Clients page

Provide a Client ID and make a note of the exact name, as we will need it later in configuring OpenShift OAuth.

Select the openid-connect protocol and leave the Root URL blank before clicking Save

After saving the client, you will see more options that can be imported.

Leave the defaults except the following.

• Type of access: confidential
• Valid redirect URIs:https://oauth-openshift.apps. . /oauth2callback/keycloak

Save the settings before continuing

Do not create users or groups as we will be using Active Directory user accounts and group/RBAC roles will be defined in the OpenShift cluster later in this article.

Step 3 Configure an ldap user federation provider to connect Keycloak to Active Directory

prerequisites

Before beginning this step, you must retrieve the following details from the Active Directory server.

• A user account to connect the Keycloak server to the domain
  (this can be a service account or any user that already exists. For example, admin)
• A valid membership DN for the service account. It can be retrieved by running the following command on the AD controller
  • dsquery username

• A valid User DN which is usually the Default Users folder unless a specific setting is implemented

Example Default Users DN;CN=Users,DC=lab,DC=local

After collecting the above information, you can proceed as follows

Go to the User Federation page and add a new ldap provider as shown below.

Make sure the Enabled and Import Users buttons are enabled

Select edit mode as READ_ONLY

Select your Active Directory vendor from the drop-down list

Enter login URL as ldap://

Then enter the User DN, Bind DN, and Bind Credentials in the fields and test the connection and authentication to make sure they are correct

All other fields can be left at default and saved when completed

Step 4: Configure OAuth Settings on the OpenShift Cluster

The OAuth configuration is specific to the client configured on the Keycloak server. If you want to add another cluster, repeat step 2 and create a new client for each OpenShift cluster.

Now we need to retrieve the SSL certificate from the Keycloak server, as we will be importing this certificate into the OpenShift cluster as a trusted certificate.

On a Linux host, run the following command.

eco | openssl s_client -showcerts -connection keycloak-keycloak.apps. . :443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keycloak.crt

The above command will create a file called keycloak.crt that contains the certificate chain for the self-signed Keycloak certificate.

Download this file to your desktop as we will be using it to upload to OpenShift via the web console.

Log into the OpenShift console using the URL provided by the installer during deployment and the kubeadmin username/password
(for example.https://console-openshift-console.apps. . )

Once logged into the console, go to the Administration -> Cluster Settings page and go to the Configuration tab

Scroll down and click on the OAuth link

You should now see the option to add a new identity provider by selecting the dropdown at the bottom of the screen

Click the dropdown menu and select OpenID Connect

Now we need to get the Keycloak client secret credentials we created earlier. Log into the Keycloak admin console and find the credentials tab in the client configuration.

Copy the secret string and paste it into the OpenShift OAuth configuration under client secret.

Enter the IDP name as keycloak and provide the same Client ID configured in Keycloak server.

Enter the URL of the publisher as
https:// /reinos/

Finally, click on the browse button and upload the keycloak.crt file with the certificate we extracted in the previous step and click on the Add button.

Step 5: Configure RBAC on the OpenShift Cluster to Grant Cluster Admin Rights to Specific Users

Now that we have the OAuth identity provider configured and Keycloak integrated with Active Directory, we need to define how a user can be assigned different RBAC roles and permissions.

In this example, we will create a group and assign role membership to the Cluster Administrator role. We can then add users to the group and they will inherit the cluster admin role. RBAC can be implemented in many different ways, but this is a simple example of a starter POC that shows the implementation of OIDC leveraging AD users and OpenShift controlled RBAC.

In the OpenShift console, go to User Management -> Groups

Click Create Group and fill in the yaml definition with a group name and the Active Directory user accounts you want to grant cluster admin access to

Create the group, go to configuration and go to the RoleBindings tab

Create a new binding, select Bind Cluster-Wide Roles and provide a name, then select the Cluster Management Role from the Role Name drop-down menu

Final stage - test

At this stage, all configurations are completed with a perfect access test procedure for our users with their respective rights. We will do this by connecting to an AD user who has not been added to the Cluster Administrators group and a user who has been added to the group to compare the different access rights.

First exit the console and reload the console page to confirm the new IDP is available as shown below.

Click the keycloak button to connect to an AD user.

We will use test_user in this example as a standard user with no additional privileges.

You will notice after logging in that the user does not have access to existing projects or administrative functions such as cluster level settings

Now log out of that user and log in with another user added to the cluster-admins group.

You should immediately notice the difference and the cluster admin user will have full rights to the entire cluster.

To betakes us to the end of the article and the implementation of OIDC SSO with Keycloak and Active Directory. I hope you enjoyed the demo and that it will be useful in your own POC deployments, labs, and production environments.

Be careful

Theo