Integrate Keycloak and Kubeapps on AWS EKS
In this article, I am going to show you how to integrate Keycloak with Kubeapps on AWS EKS, so that users log in to Kubeapps with Keycloak and the EKS API server accepts the same Keycloak-issued tokens.
Steps:
Create EKS Cluster
Register a domain in route53 or create a subdomain, ex: example.com
Request a certificate from ACM
Install Keycloak
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install my-release bitnami/keycloak --version 9.8.1
There is no need for a LoadBalancer service on Keycloak, since the NGINX ingress controller installed below will front it. Switch the Keycloak service to ClusterIP (alternatively, pass service.type=ClusterIP to the chart at install time):
kubectl patch svc my-release-keycloak -p '{"spec": {"type": "ClusterIP"}}'
Retrieve the Keycloak admin password generated by the chart (the admin username is user):
kubectl get secrets/my-release-keycloak -o jsonpath='{.data.admin-password}' | base64 --decode
- Install the NGINX ingress controller. Substitute the ARN of your ACM certificate in the command below.
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx ingress-nginx/ingress-nginx \
  --set controller.service.type=LoadBalancer \
  --set controller.service.targetPorts.https=http \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"="arn:aws:acm:eu-west-1:XXXX:certificate/XXXX-XXX-XXX-XXXX-XXXXX" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol"=http \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-ports"=443 \
  --set-string controller.config.use-forwarded-headers="true" \
  --version 4.2.3
With these settings TLS terminates at the AWS load balancer using the ACM certificate, and the hop from the load balancer to the controller is plain HTTP inside the VPC (targetPorts.https=http, backend-protocol=http). use-forwarded-headers makes NGINX trust the X-Forwarded-Proto and X-Forwarded-For headers set by the load balancer, which is what lets the ssl-redirect annotation on the ingresses below work. Only enable it when the controller is reachable exclusively through that load balancer: a client that can reach the controller pods directly could forge those headers.
- Create ingress for keycloak
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: keycloak
  namespace: default
spec:
  rules:
  - host: auth.example.com
    http:
      paths:
      - backend:
          service:
            name: my-release-keycloak
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
Log in to the Keycloak admin console at https://auth.example.com with username user and the admin password retrieved in the installation step.
Create a new realm, name it kubeapps
Groups Claim
By default, there is no "groups" scope/claim. We will create a global client scope for groups.
In the admin console:
- Click "Client Scopes" from the left navigator menu
- Click on "Create" from the table (top right corner)
- Provide a name, ensure the protocol is set to "openid-connect" and that the option "Include in Token Scope" is on.
Once the client scope is created, you should be redirected to a page with several tabs. Navigate to the "Mappers" tab as we need to create a mapper to populate the value of the associated claim:
- Click on the "Mappers" tab
- Click on "Create" from the table to create a new mapper
- Configure:
- Enter a name
- Select "Group Membership" as the claim type
- Enter "groups" as the token claim name
- Ensure the "Full group path" is OFF
- Leave the other options on
- Click Save
Kubeapps Client on Keycloak
- Click "Clients" from the left navigator
- Click "Create" from the table
- Enter an "id" (e.g. kubeapps) and Save
Once created, configure the authentication as follows:
- Ensure the protocol is set to "openid-connect"
- Set the "Access Type" to "confidential" (in the newer admin console this is "Client authentication: On"). This adds a "Credentials" tab from which you can get the client secret
- Ensure "Standard Flow Enabled" is on; the browser login flow requires it
- "Direct Access Grants Enabled" can be disabled; Kubeapps does not use the password grant
- In the "Valid Redirect URIs" field, enter "https://kubeapps.example.com/*" as a placeholder. The trailing wildcard is convenient while setting things up; once the callback path is fixed (the Kubeapps install below uses https://kubeapps.example.com/oauth2/callback), narrow it to that exact URI, since a broad redirect URI pattern is what lets an attacker redirect authorization codes to a page they control
- Save
Note: copy the client secret from the "Credentials" tab; the Kubeapps install needs it.
Next, configure the client scopes for this client:
- Click the "Client Scopes" tab
- Ensure the "email" scope is available either in the "Assigned Default Client Scopes" list or the "Assigned Optional Client Scopes" list
- The "groups" client scope should be available in the lists on the left.
- Add it either to the "Assigned Default Client Scopes" list or the "Assigned Optional Client Scopes" list.
Note the issuer URL of the realm. Go to Realm Settings > Endpoints > OpenID Endpoint Configuration and copy the "issuer" value, e.g. https://auth.example.com/realms/kubeapps. It must match the iss claim of the tokens exactly (scheme, host, path, no trailing slash), since both the EKS API server and the Kubeapps auth proxy compare it verbatim.
On the EKS Cluster:
In the AWS console, open the EKS cluster and go to the Authentication tab.
Associate an OIDC identity provider with the following settings (leave the username claim, username prefix and groups claim at their defaults unless you set them deliberately; the defaults determine the subject names used in the RBAC binding at the end):
Issuer URL: https://auth.example.com/realms/kubeapps
Client ID: kubernetes
The control plane fetches the realm's discovery document and signing keys from that URL, so it must be reachable from the internet over HTTPS with a publicly trusted certificate, which the ACM certificate on the load balancer provides. Associating the provider takes around 20 minutes.
Back to Keycloak
Create a new Client
- Click "Clients" from the left navigator
- Click "Create" from the table
- Enter the "id" kubernetes and Save
Once created, configure the authentication as follows:
- Ensure the protocol is set to "openid-connect"
- Set the "Access Type" to "confidential"
- Turn on "Standard Flow Enabled"
- Ensure "Direct Access Grants Enabled" is enabled; this is how tokens can be requested directly via the API with a username and password. Note that this is the OAuth 2.0 password grant, which is discouraged in current guidance; if you only ever obtain cluster tokens through Kubeapps, leave it disabled here as well
- Save
On the Kubeapps client, add a mapper: Clients > kubeapps > Mappers > Create. Its purpose is to include the kubernetes client in the audience (aud claim) of the tokens issued to kubeapps: the EKS API server only accepts tokens whose audience contains the client ID registered on the cluster, so without it the token Kubeapps obtains at login cannot be used against the cluster.
Install Kubeapps
Update the following:
- clientSecret: the secret copied from the "Credentials" tab of the Kubeapps client
- issuer-url and redirect-url: your own domain
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install kubeapps bitnami/kubeapps \
  --set authProxy.enabled=true \
  --set authProxy.provider=oidc \
  --set authProxy.clientID=kubeapps \
  --set authProxy.clientSecret=<secret client credentials in the kubeapps client> \
  --set authProxy.cookieSecret=$(echo "not-good-secret" | base64) \
  --set authProxy.extraFlags="{--cookie-secure=false,--oidc-issuer-url=https://auth.example.com/realms/kubeapps,--redirect-url=https://kubeapps.example.com/oauth2/callback}"
Two of these values are fine for a walkthrough but not for a real deployment. The cookie secret encrypts the auth proxy's session cookie; generate a random 32-byte value rather than a fixed string. And --cookie-secure=false drops the Secure attribute from that cookie, so a browser would also send it over plain HTTP; since users reach Kubeapps over HTTPS at the load balancer, the default (secure cookies) works and should be kept. Passing the client secret with --set also leaves it in your shell history; a values file or --set-file avoids that.
Create an ingress for kubeapps
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: 10k
  name: kubeapps
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: kubeapps.example.com
    http:
      paths:
      - backend:
          service:
            name: kubeapps
            port:
              number: 80
        pathType: ImplementationSpecific
The proxy-buffer-size annotation is required: the auth proxy's session cookie makes the response headers larger than NGINX's default buffer, and without it requests fail with "upstream sent too big header while reading response header from upstream".
Create a new user in Keycloak; give it an email address and turn "Email Verified" on, since the auth proxy rejects logins whose token does not carry a verified email.
Finally, add a ClusterRoleBinding so the user can access the cluster. With the EKS defaults used above (username claim sub, no explicit prefix) the Kubernetes username is the issuer URL, a "#", and the user's Keycloak ID; replace the ID below with the one shown for your user in Keycloak. Give the binding its own name rather than cluster-admin: a ClusterRoleBinding of that name already exists in every cluster (it grants cluster-admin to the system:masters group), and applying this manifest over it replaces its subjects. Since the groups claim is in the token, a kind: Group subject naming a Keycloak group is usually a better choice than binding cluster-admin to individual user IDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: https://auth.example.com/realms/kubeapps#f5092396-d3b8-452c-9d1a-2b1dfbd58718
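The shape of that subject name follows from how the EKS API server maps an OIDC token to a Kubernetes identity. The Python below is an example added here, not code from the article or from Kubeapps: it validates a constructed ID token against the settings used in this walkthrough (issuer https://auth.example.com/realms/kubeapps, cluster client ID kubernetes, EKS's default username claim sub with no explicit prefix, groups claim groups) and returns the username and groups the cluster would see. The token is signed with HS256 and a made-up key purely so the example runs offline; Keycloak signs with the realm's RSA key and the API server verifies against the realm's JWKS. The user ID is the one from the binding above; the email, group name, expiry and key are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Settings taken from the article; the key is a constructed stand-in for the
# realm's RSA signing key (HS256 is used only so this runs offline).
ISSUER = "https://auth.example.com/realms/kubeapps"
CLUSTER_CLIENT_ID = "kubernetes"
DEMO_KEY = b"constructed-demo-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT carrying the given claims (HS256, demo only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_and_map(token: str, *, key: bytes = DEMO_KEY, issuer: str = ISSUER,
                   client_id: str = CLUSTER_CLIENT_ID, username_claim: str = "sub",
                   username_prefix: Optional[str] = None, groups_claim: str = "groups",
                   groups_prefix: str = "", now: Optional[float] = None) -> dict:
    """Check the token as the kube-apiserver OIDC authenticator does and return
    the Kubernetes username and groups it would derive.

    Defaults match what the article configures on EKS: username claim "sub" and
    no explicit prefix, so the username is "<issuer>#<sub>" (the prefix is only
    omitted when the username claim is "email"; "-" disables it explicitly).
    """
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(body))

    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        # The failure seen when a token minted for the "kubeapps" client is
        # presented to the cluster without the audience mapper.
        raise ValueError(f"audience {aud} does not include {client_id!r}")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")

    if username_claim not in claims:
        raise ValueError(f"missing username claim {username_claim!r}")
    if username_prefix is None:
        prefix = "" if username_claim == "email" else issuer + "#"
    else:
        prefix = "" if username_prefix == "-" else username_prefix
    username = prefix + str(claims[username_claim])

    groups = claims.get(groups_claim, [])
    groups = [groups] if isinstance(groups, str) else list(groups)
    if not all(isinstance(g, str) for g in groups):
        raise ValueError(f"{groups_claim!r} must be a string or list of strings")
    return {"username": username, "groups": [groups_prefix + g for g in groups]}


# Constructed token claims: the user ID from the ClusterRoleBinding above,
# a made-up email and group, and an expiry 5 minutes after NOW.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": ["kubeapps", "kubernetes"],  # "kubernetes" is what the audience mapper adds
    "sub": "f5092396-d3b8-452c-9d1a-2b1dfbd58718",
    "exp": NOW + 300,
    "email": "alice@example.com",
    "email_verified": True,
    "groups": ["platform-admins"],  # "Full group path" OFF; ON would give "/platform-admins"
}


def rbac_subject_name() -> str:
    """The name to put in a 'kind: User' subject of a ClusterRoleBinding."""
    return verify_and_map(sign_token(SAMPLE_CLAIMS), now=NOW)["username"]


if __name__ == "__main__":
    print(verify_and_map(sign_token(SAMPLE_CLAIMS), now=NOW))
    try:  # token carrying only the Kubeapps audience: rejected by the cluster
        verify_and_map(sign_token(dict(SAMPLE_CLAIMS, aud="kubeapps")), now=NOW)
    except ValueError as err:
        print("rejected:", err)
```

Running it prints the username the ClusterRoleBinding must name and the groups as the cluster sees them. Two details worth trying: with "Full group path" on, the group arrives as "/platform-admins" and a kind: Group subject would have to use that exact string; and a token whose aud is only kubeapps is rejected, which is the case the audience mapper on the Kubeapps client exists to prevent.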
Finally, log in to Kubeapps at https://kubeapps.example.com
Sources:
https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html
https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/howto/OIDC/OAuth2OIDC-keycloak.md
Original Link: https://dev.to/aws-builders/integrate-keycloak-and-kubeapps-on-aws-eks-3fpm