Keycloak OIDC Identity Provider for OpenShift

Zhimin Wen, published in ITNEXT. 3 min read. Mar 21, 2021

Let's explore how to integrate an OpenID Connect (OIDC) implementation, Keycloak, as an identity provider for OpenShift, alongside the more common ones such as HTPasswd and LDAP.

Setup Keycloak on OpenShift

Install the Keycloak operator from the OperatorHub and create a Keycloak instance in the keycloak namespace. Once the pods are running, we can access the admin web interface. Get the admin user and its password from the corresponding Secret object in that namespace.

Create our own realm, myrealm, first.

Secondly, create the client named idp-4-ocp. In the Settings tab, set the "Access Type" to "confidential". Set the "Valid Redirect URIs" to "https://*" for testing purposes. Once saved, the Credentials tab appears. Record the secret created for this client, for example, 909e58f1-d373-4af3-ab65-de073a54322a

Create a testing user, ocpuser, and set its password in the Credentials tab.

Create OIDC identity provider

First, create a client secret in the openshift-config namespace using the value recorded in the last step.

oc -n openshift-config create secret generic keycloak-client-secret --from-literal=clientSecret=909e58f1-d373-4af3-ab65-de073a54322a

Now capture the CA certificate used for Keycloak HTTPS access. With the operator install, an OpenShift route is created for Keycloak. For the identity provider to trust the certificate served on that route, we need to extract the CA and add it to the provider's configuration. The route's certificate is signed by the router CA, so extract that CA and save it to a file.

oc -n openshift-ingress-operator get secret router-ca -o jsonpath="{ .data.tls\.crt }" | base64 -d -i > ca.crt

Create a config map in the openshift-config namespace from that file,

oc -n openshift-config create cm keycloak-ca --from-file=ca.crt

Notice that the key in the config map is the filename, ca.crt.

Lastly, we can append the new identity provider to the cluster's OAuth configuration. I already have the HTPasswd identity provider. Add the Keycloak OpenID definition as below,
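An OAuth cluster resource that wires together the objects created above (added here as an illustrative example, not the article's own manifest). It assumes the Keycloak route hostname shown as a placeholder, a Keycloak version that serves realms under the /auth prefix, and that the existing HTPasswd provider entry is kept as-is.

```yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  # Existing provider(s) stay in the list; only the keycloak entry is new.
  - name: htpasswd
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret          # assumption: name of your existing HTPasswd secret
  - name: keycloak
    # "claim": fail login if the claimed username already maps to another identity,
    # rather than silently merging accounts across providers.
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: idp-4-ocp
      clientSecret:
        name: keycloak-client-secret # secret created in openshift-config above
      ca:
        name: keycloak-ca            # config map created above; key must be ca.crt
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      # Placeholder: replace with the hostname of the Keycloak route.
      # The issuer must match the "iss" claim Keycloak puts in its tokens exactly
      # (scheme, host, path), or OpenShift rejects the token.
      issuer: https://KEYCLOAK_ROUTE_HOST/auth/realms/myrealm
```

Once this is applied, tighten the client's "Valid Redirect URIs" in Keycloak from https://* to the cluster's OAuth callback, https://oauth-openshift.apps.<cluster-domain>/oauth2callback/keycloak (the last path segment is the identity provider name), so tokens can only be redirected to the OpenShift OAuth server.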
