@@ -1,14 +1,14 @@
:_content-type: PROCEDURE
:description: To manage user authentication through a centralized identity provider, deploy {prod-short} on OpenShift with {keycloak} as the external OIDC provider.
:keywords: install, openshift, keycloak, oidc, identity provider
:description: To manage user authentication through a centralized identity provider, deploy {prod-short} on OpenShift with {keycloak} as the external OIDC provider. {prod-short} automatically detects and configures OIDC settings from the OpenShift cluster authentication configuration.
:keywords: install, openshift, keycloak, oidc, identity provider, automatic detection
:navtitle: Install {prod-short} on OpenShift with {keycloak} as external identity provider
:page-aliases: installing-che-on-openshift-with-keycloak-as-oidc.adoc

[id="proc_installing-che-on-openshift-with-keycloak-as-oidc"]
= Install {prod-short} on OpenShift with {keycloak} as external identity provider

[role="_abstract"]
To manage user authentication through a centralized identity provider, deploy {prod-short} on an {orch-name} cluster with {keycloak} as the external OpenID Connect (OIDC) provider.
To manage user authentication through a centralized identity provider, deploy {prod-short} on an {orch-name} cluster with {keycloak} as the external OpenID Connect (OIDC) provider. {prod-short} automatically detects and configures OIDC settings from the OpenShift cluster authentication configuration.

.Prerequisites

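Review bot: The sentence added to `:description:` and to the abstract says "from the OpenShift cluster authentication configuration" while the same paragraph uses the `{orch-name}` attribute for the platform name; use `{orch-name}` there too so builds that rebrand the attribute stay consistent. The `:keywords:` addition is fine.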
Expand All @@ -18,17 +18,6 @@ To manage user authentication through a centralized identity provider, deploy {p

.Procedure

. Define the environment variables:
+
[source,bash,subs="+quotes,+attributes"]
----
# The {keycloak} realm used for {orch-name} authentication:
OPENSHIFT_REALM=__<realm>__

# The {keycloak} URL:
KEYCLOAK_URL=__<keycloak_url>__
----

. Create a `{prod-id-short}` client in the {keycloak} Admin Console:
+
--
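Review bot: Removing the step that defines `OPENSHIFT_REALM` and `KEYCLOAK_URL` is only safe if no surviving step still expands them; the collapsed region after `--` (the Admin Console client step) is not visible here, so please grep the file for `$KEYCLOAK_URL`, `$OPENSHIFT_REALM` and `__<keycloak_url>__` before merging, otherwise readers get an unset variable inside a `subs="+attributes"` block.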
Expand Down Expand Up @@ -103,25 +92,6 @@ where:
+
`__<client_secret>__`:: The client secret value from the `{prod-id-short}` client in {keycloak}.

. Optional: Create the `ConfigMap` with a {keycloak} certificate in the `{prod-namespace}` namespace. If {keycloak} uses a certificate that is already trusted by {orch-name}, skip this step.
+
[source,bash,subs="+attributes"]
----
openssl s_client \
-connect "$(echo "$KEYCLOAK_URL" | sed 's|https://||'):443" \
-showcerts < /dev/null \
| sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
> keycloak-ca.crt

{orch-cli} create configmap keycloak-certs \
--from-file=keycloak-ca.crt=keycloak-ca.crt \
-n {prod-namespace} && \
{orch-cli} label configmap keycloak-certs \
app.kubernetes.io/part-of=che.eclipse.org \
app.kubernetes.io/component=ca-bundle \
-n {prod-namespace}
----

. Prepare the `CheCluster` patch:
+
[source,bash,subs="+attributes"]
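Review bot: Dropping the optional `keycloak-certs` ConfigMap step also removes the only mention of the `app.kubernetes.io/component=ca-bundle` label convention for injecting a custom CA; if the operator still honours that label for an issuer whose certificate is not in the cluster authentication CA bundle, keep a one-line pointer to it, otherwise the removal is fine. Not re-adding the `openssl s_client ... -showcerts` snippet itself is an improvement, since it wrote whatever chain the server presented into a trusted bundle without any verification.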
Expand All @@ -134,7 +104,6 @@ spec:
auth:
oAuthClientName: {prod-id-short}
oAuthSecret: oauth-secret
identityProviderURL: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM"
gateway:
oAuthProxy:
cookieExpireSeconds: 300
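Review bot: With `identityProviderURL` gone, `oAuthClientName: {prod-id-short}` and `oAuthSecret: oauth-secret` are the only binding to the provider left in `spec.auth`; add a sentence stating that the client name must be the one registered in the cluster authentication configuration, since the realm URL the reader previously saw on this line is now derived automatically.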
Expand All @@ -144,37 +113,10 @@ spec:
env:
- name: OAUTH2_PROXY_CODE_CHALLENGE_METHOD
value: S256
- name: OAUTH2_PROXY_BACKEND_LOGOUT_URL
value: "$KEYCLOAK_URL/realms/$OPENSHIFT_REALM/protocol/openid-connect/logout?id_token_hint=\{id_token}"
components:
cheServer:
extraProperties:
CHE_OIDC_GROUPS__CLAIM: '<GROUPS_CLAIM>'
CHE_OIDC_GROUPS__PREFIX: '<GROUPS_PREFIX>'
CHE_OIDC_USERNAME__CLAIM: '<USERNAME_CLAIM>'
CHE_OIDC_USERNAME__PREFIX: '<USERNAME_PREFIX>'
EOF
----
+
where:
+
`CHE_OIDC_GROUPS__CLAIM`:: The claim to use for extracting user groups.
+
`CHE_OIDC_GROUPS__PREFIX`:: The prefix to add to group names. Empty string means no prefix.
+
`CHE_OIDC_USERNAME__CLAIM`:: The claim to use for extracting the username.
+
`CHE_OIDC_USERNAME__PREFIX`:: The prefix to add to usernames. Empty string means no prefix.
+
[NOTE]
====
These values must match the corresponding claim and prefix settings configured in the `authentication.config/cluster` resource. To view the current cluster configuration, run:

[source,bash,subs="+attributes"]
----
{orch-cli} get authentication.config/cluster -o yaml
----
====
NOTE: {prod-short} automatically detects the identity provider URL, issuer certificate, and claim mappings from the OpenShift cluster authentication configuration. No manual configuration is required.

. Create the {prod-short} instance with `{prod-cli}`:
+
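Review bot: Removing `OAUTH2_PROXY_BACKEND_LOGOUT_URL` from the gateway `env` changes sign-out behaviour, and the new NOTE lists only the provider URL, issuer certificate and claim mappings as auto-detected, not the logout endpoint; unless the operator now derives the `.../protocol/openid-connect/logout?id_token_hint=...` URL from the detected issuer, logging out of the gateway will clear the proxy cookie but leave the {keycloak} session active, so either keep the env var or state in the NOTE that backend logout is configured automatically as well. Minor: "No manual configuration is required" is stronger than the hunk supports now that the `CHE_OIDC_*` `extraProperties` are gone; "No manual claim or URL configuration is required" is more precise, and the literal "OpenShift" should be `{orch-name}` as elsewhere in the file.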