Keycloak is Open Source Identity and Access Management for Modern Applications and Services.
It can also act as a Federated OpenID Connect provider. It can connect to a variety of backends. In this deployment it is not connected to a backend, and just uses its own internal format persisted to a local Postgres DB.
This chart can be deployed alongside aether-roc-umbrella or any other umbrella chart that requires an OpenID provider.
Add the Bitnami repo to helm
, if you don't already have them:
helm repo add bitnami https://charts.bitnami.com/bitnami helm repo update
To install the standalone Keycloak server in to a namespace e.g. aether
use:
helm -n aether install keycloak bitnami/keycloak -f keycloak/values.yaml
See the end of this page for uninstall instructions.
This will make it available at http://localhost:80
Now GUI applications with security enabled will redirect to this localhost:80
and when login is successful will redirect to an authenticated GUI.
To test it, browse to http://localhost/realms/master/.well-known/openid-configuration to see the configuration.
On KinD installations this LoadBalancer will not work and instead a port-forward will be needed e.g.
kubectl -n aether port-forward service/keycloak 8080:80
and replace
localhost
in instructions below withlocalhost:8080
There are 7 users in 8 groups with the LDIF defined in values.yaml
User login Group: mixedGroup charactersGroup AetherROCAdmin EnterpriseAdmin starbucks acme defaultent aiab-enterprise =================================================================================================================================================================== Alice Admin alicea@opennetworking.org ✓ ✓ Bob Cratchit bobc@opennetworking.org ✓ ✓ Charlie Brown charlieb@opennetworking.org ✓ Daisy Duke daisyd@opennetworking.org ✓ ✓ ✓ ✓ Elmer Fudd elmerf@opennetworking.org ✓ ✓ ✓ Fred Flintstone fredf@opennetworking.org ✓ ✓ ✓ ✓ Gandalf The Grey gandalfg@opennetworking.org ✓ ✓ ✓
The password for each is password
Verify the login details at http://localhost/realms/master/account/
To use this service with aether-roc-umbrella
chart, deploy in Helm with the following flags:
helm -n aether install aether-roc-umbrella aether/aether-roc-umbrella \ --set onos-config.openpolicyagent.enabled=true \ --set onos-config.openpolicyagent.regoConfigMap=aether-roc-umbrella-opa-rbac \ --set onos-config.openidc.issuer=http://keycloak/realms/master \ --set aether-roc-api.openidc.issuer=http://keycloak/realms/master \ --set aether-roc-gui-v2-1.openidc.issuer=http://localhost/realms/master \ --set prom-label-proxy-acc.config.openidc.issuer=http://keycloak/realms/master \ --set prom-label-proxy-amp.config.openidc.issuer=http://keycloak/realms/master
Note here that the connection to keycloak is inside the cluster for the backend services at
http://keycloak
whereas the GUI connects tohttp://localhost
The Keycloak Admin console can be reached at http://localhost admin/admin
To uninstall:
helm -n aether uninstall keycloak kubectl -n aether delete pvc data-keycloak-postgresql-0