Openshift SSO authentication


Configure Openshift Cluster to use Keycloak as a user backend for login with oauth2 and SSO.


With Ansible-openshift you cannot change the authentication method after install! If you installed the cluster with htpasswd and then switch to LDAP, the playbook tries to add a second authentication method to the config. Adding a second type of identity provider is forbidden in version 3.11 of Ansible-openshift. To solve this problem we must change the configuration manually.

Environment

192.168.1.40    deployer
192.168.1.41    openshift01 # master node
192.168.1.42    openshift02 # infra node
192.168.1.43    openshift03 # worker node

Configuration on Keycloak

Create a new client on Keycloak in the realm mydomain:
Client ID: openshift
Client Protocol: openid-connect
Access Type: confidential
Valid Redirect URIs: https://master.openshift.mydomain.itra/*
Delete the other redirect URLs.

# On the Credentials tab, copy the client secret into clientSecret in the config below.

Configure the cluster

# on all openshift hosts
nano /etc/origin/master/master-config.yaml
...
  identityProviders:
  - name: keycloak
    challenge: false
    login: true
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: openshift
      clientSecret: ef03ffe6-854a-48b4-a26d-190c2861e3c8   # secret from the Keycloak client's Credentials tab
      claims:
        id:
        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:
        authorize: https://sso.devopstales.intra/auth/realms/mydomain/protocol/openid-connect/auth
        token: https://sso.devopstales.intra/auth/realms/mydomain/protocol/openid-connect/token
        logoutURL: "https://sso.devopstales.intra/auth/realms/mydomain/protocol/openid-connect/logout?redirect_uri=https://master.openshift.mydomain.itra/console"
  - challenge: true
    # (the existing identity provider entry continues here)
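Before restarting the masters it is worth sanity-checking the block above, because a wrong endpoint, a plain-http URL or a redirect URI that does not cover OpenShift's callback only shows up as a failed login. The following Python checker is an added example (not part of the original post or of OpenShift); it transcribes the page's provider block into a dict, then verifies the OIDC endpoints against the realm base URL, the https scheme, the `sub` id claim, and that the Keycloak "Valid Redirect URIs" pattern covers the callback `https://<master>/oauth2callback/<provider name>` that OpenShift 3.x uses. The client secret is a placeholder here so the check flags it; the realm and master URLs are taken from the page.

```python
from urllib.parse import urlparse, parse_qs

# The identityProviders entry from master-config.yaml, transcribed as a Python
# dict (constructed for this example; the real file is YAML).
KEYCLOAK_PROVIDER = {
    "name": "keycloak",
    "challenge": False,
    "login": True,
    "provider": {
        "apiVersion": "v1",
        "kind": "OpenIDIdentityProvider",
        "clientID": "openshift",
        "clientSecret": "<paste-secret-from-credentials-tab>",  # placeholder on purpose
        "claims": {
            "id": ["sub"],
            "preferredUsername": ["preferred_username"],
            "name": ["name"],
            "email": ["email"],
        },
        "urls": {
            "authorize": "https://sso.devopstales.intra/auth/realms/mydomain/protocol/openid-connect/auth",
            "token": "https://sso.devopstales.intra/auth/realms/mydomain/protocol/openid-connect/token",
            "logoutURL": "https://sso.devopstales.intra/auth/realms/mydomain/protocol/openid-connect/logout"
                         "?redirect_uri=https://master.openshift.mydomain.itra/console",
        },
    },
}

REALM_BASE = "https://sso.devopstales.intra/auth/realms/mydomain"
MASTER_URL = "https://master.openshift.mydomain.itra"
VALID_REDIRECTS = ["https://master.openshift.mydomain.itra/*"]  # as entered in Keycloak


def redirect_allowed(uri, patterns):
    """Keycloak's rule: a trailing '*' matches any suffix, otherwise the match is exact."""
    for pat in patterns:
        if pat.endswith("*") and uri.startswith(pat[:-1]):
            return True
        if uri == pat:
            return True
    return False


def check_provider(idp, realm_base, master_url, valid_redirects):
    """Return the list of problems found; an empty list means the block is consistent."""
    problems = []
    p = idp["provider"]
    if p.get("kind") != "OpenIDIdentityProvider":
        problems.append("kind must be OpenIDIdentityProvider")
    # An OIDC provider cannot answer basic-auth challenges; browser login must be enabled.
    if idp.get("challenge") or not idp.get("login"):
        problems.append("OpenID provider needs challenge: false and login: true")
    # 'sub' is the only claim guaranteed stable across renames of the Keycloak user.
    if "sub" not in p["claims"].get("id", []):
        problems.append("claims.id should include 'sub'")
    urls = p["urls"]
    expected = {
        "authorize": realm_base + "/protocol/openid-connect/auth",
        "token": realm_base + "/protocol/openid-connect/token",
    }
    for key, want in expected.items():
        if urls.get(key) != want:
            problems.append(f"urls.{key} does not match realm endpoint {want}")
    for key in ("authorize", "token", "logoutURL"):
        if urlparse(urls.get(key, "")).scheme != "https":
            problems.append(f"urls.{key} must use https")
    # OpenShift redirects the browser back to /oauth2callback/<provider name>;
    # Keycloak must list a redirect URI that covers it.
    callback = f"{master_url}/oauth2callback/{idp['name']}"
    if not redirect_allowed(callback, valid_redirects):
        problems.append(f"callback {callback} is not covered by Keycloak Valid Redirect URIs")
    query = parse_qs(urlparse(urls.get("logoutURL", "")).query)
    redirect = query.get("redirect_uri", [""])[0]
    if urlparse(redirect).netloc != urlparse(master_url).netloc:
        problems.append("logoutURL redirect_uri does not point at the master console")
    secret = p.get("clientSecret", "")
    if not secret or secret.startswith("<"):
        problems.append("clientSecret is empty or still a placeholder")
    return problems


if __name__ == "__main__":
    for problem in check_provider(KEYCLOAK_PROVIDER, REALM_BASE, MASTER_URL, VALID_REDIRECTS):
        print("PROBLEM:", problem)
```

Run against the block as written on this page it reports only the placeholder secret; point `VALID_REDIRECTS` at an exact `/console` URL instead of the wildcard and it also reports that the `/oauth2callback/keycloak` callback is no longer allowed, which is the usual cause of a "redirect_uri invalid" error on the Keycloak login page.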

Reconfigure the cluster

# on all openshift hosts
master-restart api
master-restart controllers