Use Keycloak

Keycloak

KubeOps Platform now includes Keycloak, a single authentication and login system that lets you use all the dashboards without having to enter your credentials for each one.

Install Keycloak

Keycloak is installed with kubeopsctl. To install it, set the parameter keycloak to true:

...
keycloak: true # mandatory
...

Later in the configuration, you can set the parameters for Keycloak:

...

keycloakValues:
  namespace: "kubeops" # Optional, default is "keycloak"
  storageClass: "rook-cephfs" # Optional, default is "rook-cephfs"
  keycloak:
    auth:
      adminUser: admin # Optional, default is admin
      adminPassword: admin # Optional, default is admin
      existingSecret: "" # Optional, default is ""
  postgresql:
    auth:
      postgresPassword: "" # Optional, default is ""
      username: bn_keycloak # Optional, default is "bn_keycloak"
      password: "" # Optional, default is ""
      database: bitnami_keycloak # Optional, default is "bitnami_keycloak"
      existingSecret: "" # Optional, default is ""
...

Configure Dashboards for Keycloak

For Harbor

  1. Log in to the Harbor web console.
  2. Navigate to Administration > Configuration > Auth.
  3. Select OIDC as the Auth mode.
  4. Enter the required information from Keycloak:
     • OIDC Provider Name: Keycloak
     • OIDC Endpoint: (your Keycloak server URL)
     • OIDC Client ID: (the client ID you created in Keycloak for Harbor)
     • OIDC Client Secret: (the client secret you created in Keycloak for Harbor)

     (Figure: Harbor configuration example)

  5. Confirm the settings and test the login via Keycloak.

For Prometheus

  1. Keycloak supports OAuth2, which can be used for authentication with Prometheus. To do this, you must change the configuration of Prometheus to use the OAuth2 flow.
  2. In the prometheus.yml configuration file, add the authentication parameters under the oauth2 key:
scrape_configs:
  - job_name: 'example-job'
    oauth2:
      client_id: 'your-client-id'
      client_secret: 'your-client-secret'
      token_url: 'http://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/token'

For OpenSearch

  1. Install the OpenSearch Security Plugin if it is not already installed.
  2. Modify the OpenSearch security configuration file (config.yml) to use OIDC (OpenID Connect) for authentication:
authc:
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: http://keycloak.example.com/auth/realms/your-realm/.well-known/openid-configuration
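
The following Python script is an added example, not part of KubeOps or its documentation. It lints the keycloakValues, Prometheus oauth2 and OpenSearch openid fragments shown on this page for two things worth checking before rollout: the documented default admin password with no existingSecret, and Keycloak endpoints reached over plain http. The helper names flatten and lint are hypothetical, the sample text is constructed from the snippets above, and the script assumes that existingSecret, when set, supplies the admin password.

```python
import re

# Constructed sample built from this page's snippets; flatten() and lint() are hypothetical helpers.
SAMPLE = """\
keycloakValues:
  keycloak:
    auth:
      adminPassword: admin # Optional, default is admin
      existingSecret: "" # Optional, default is ""
scrape_configs:
  - job_name: 'example-job'
    oauth2:
      token_url: 'http://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/token'
authc:
  openid_auth_domain:
    http_authenticator:
      config:
        openid_connect_url: http://keycloak.example.com/auth/realms/your-realm/.well-known/openid-configuration
"""

def flatten(text):
    """Flatten the 'key: value' YAML subset used on this page into {dotted.path: value}."""
    out, stack = {}, []  # stack holds (indent, key) for the current nesting path
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw)         # drop trailing comments
        line = re.sub(r"^(\s*)- ", r"\1  ", line)  # treat a list item as a nested mapping
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, val = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if val:  # a leaf; '""' still counts as a (deliberately empty) value
            out[".".join(k for _, k in stack)] = val.strip("\"'")
    return out

def lint(text):
    """Flag the default admin password (assumption: existingSecret overrides it) and http OIDC URLs."""
    cfg, findings = flatten(text), []
    auth = "keycloakValues.keycloak.auth."
    if not cfg.get(auth + "existingSecret") and cfg.get(auth + "adminPassword", "admin") == "admin":
        findings.append("keycloak admin password is the documented default 'admin'")
    for path, val in cfg.items():
        if path.rsplit(".", 1)[-1] in ("token_url", "openid_connect_url") and val.startswith("http://"):
            findings.append(f"{path} uses cleartext http")
    return findings
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The parser covers only the indentation-based key: value subset used in these snippets; for full YAML files, load them with a YAML library and keep the same two checks.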