Login, registration, and role-based authorization are handled via Red Hat SSO (aka Keycloak). SSO is included as part of OpenShift or any middleware product subscription you have from Red Hat - woot!
Because the service mesh will leverage SSO to authenticate users and issue JWTs, we need to install it. You will install it via the Operator into your namespace.
Check out the .yaml files here and customize them for this workshop cluster’s domain and your user project. Note that we have relaxed the SSO security settings for the workshop; the SSO config should be tightened up for production (e.g. CORS settings and the use of wildcards).
You can do this from the CLI or the web console. If using the web console, click the + button at the top, then drag and drop the file from the steps below.
We create a Keycloak instance using a Kubernetes resource:
oc apply -f ./istio-configuration/sso-keycloak.yaml
oc patch cm/keycloak-probes -p '{"data":{"liveness_probe.sh":"#!/bin/bash\necho pass\n","readiness_probe.sh":"#!/bin/bash\necho pass\n"}}'
Watch the pods for keycloak-0 to become READY 1/1:
oc get pods keycloak-0 -w
NAME READY STATUS RESTARTS AGE
keycloak-0 0/1 Pending 0 0s
keycloak-0 0/1 Init:0/1 0 0s
keycloak-0 0/1 Init:0/1 0 3s
keycloak-0 0/1 Init:0/1 0 4s
keycloak-0 0/1 PodInitializing 0 9s
keycloak-0 1/1 Running 0 10s
We create the realm, roles, clients and users via Kubernetes resources as follows (the sed call substitutes your $GATEWAY_URL for the placeholder ingress gateway hostname in the realm definition):
sed "s|http://istio-ingressgateway-istio-system.apps.cluster.domain.com|$GATEWAY_URL|" ./istio-configuration/sso-realm.yaml | oc create -f -
oc apply -f ./istio-configuration/sso-user1.yaml
oc apply -f ./istio-configuration/sso-user2.yaml
Open the SSO console. Retrieve the endpoint:
SSO_CONSOLE=$(oc get route keycloak --template='https://{{.spec.host}}')
echo $SSO_CONSOLE
Even after it's Running, Keycloak will continue to initialize for a bit. If you watch the pod logs, you should see a line saying "Admin console listening on", which indicates it's ready for you to log in.
Choose one of the options below to find your password:
Option 1: Web console
In the Developer View, click to expand the "Advanced" dropdown
Click "Project Details"
Scroll down a bit and click on "Secrets" in the Inventory panel
Find the secret named "credential-workshop-keycloak" and click on it
Scroll to the bottom, click "Reveal Values", then copy the password
Option 2: CLI
Run the following to print the secret out:
oc get secret/credential-workshop-keycloak -o yaml
You’ll see something like:
apiVersion: v1
data:
  ADMIN_PASSWORD: SVZuM0pZQmNCeGl3bGc9PQ==
  ADMIN_USERNAME: YWRtaW4=
kind: Secret
From your output, copy the characters you see next to "ADMIN_PASSWORD: "
Decode the characters by running the following (paste your copied value in place of the placeholder):
echo <PASTE_YOUR_DATA_HERE> | base64 -d
Copy the decoded password
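A scripted version of the readiness wait and the secret decode above, as an added example that is not part of the workshop's own files: it decodes the Secret in a pipeline so the base64 text is never pasted into a command line (and so never lands in shell history), and it polls the pod log for the "Admin console listening on" line the page mentions before you log in. The secret name and pod name come from the page; the RUN_LIVE switch is an assumption, and the embedded manifest is a constructed sample with the values shown above.

```shell
#!/usr/bin/env bash
# Added example (not part of the workshop repo): decode the operator-created
# admin Secret in a pipeline and wait for Keycloak's admin console to be up.
# Assumes the secret and pod names used on the workshop page.
set -eu

SECRET_NAME="credential-workshop-keycloak"
KEYCLOAK_POD="keycloak-0"

# Extract one data field from a Secret manifest read on stdin and decode it.
decode_secret_field() {
  local key="$1:"
  awk -v k="$key" '$1 == k { print $2; exit }' | base64 -d
}

# Poll the pod log for the readiness line, giving up after $1 seconds.
wait_for_admin_console() {
  local timeout="${1:-300}" elapsed=0
  until oc logs "$KEYCLOAK_POD" 2>/dev/null | grep -q "Admin console listening on"; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out waiting for $KEYCLOAK_POD" >&2
      return 1
    fi
    sleep 5
    elapsed=$((elapsed + 5))
  done
}

# Constructed sample: the manifest shape shown on the workshop page.
SAMPLE_SECRET_YAML='apiVersion: v1
data:
  ADMIN_PASSWORD: SVZuM0pZQmNCeGl3bGc9PQ==
  ADMIN_USERNAME: YWRtaW4=
kind: Secret'

sample_admin_username() { printf '%s\n' "$SAMPLE_SECRET_YAML" | decode_secret_field ADMIN_USERNAME; }
sample_admin_password() { printf '%s\n' "$SAMPLE_SECRET_YAML" | decode_secret_field ADMIN_PASSWORD; }

# Live path (assumed RUN_LIVE switch): only when oc is on PATH and logged in.
if [ "${RUN_LIVE:-0}" = "1" ] && command -v oc >/dev/null 2>&1; then
  wait_for_admin_console 300
  admin_user=$(oc get secret "$SECRET_NAME" -o yaml | decode_secret_field ADMIN_USERNAME)
  admin_pass=$(oc get secret "$SECRET_NAME" -o yaml | decode_secret_field ADMIN_PASSWORD)
  # Only the username is echoed; pass $admin_pass to your clipboard tool instead.
  echo "SSO admin user: $admin_user"
fi
```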
Go to the SSO web console and log in as "admin" with the password you copied
Now that you're logged in, click on "Users" and then "View all users"
Select the "demo" user and go to "Credentials"
Set or reset the password to "demo" (make sure the "Temporary" check box is set to "off")
Repeat for the user "theterminator" and set the password to "illbeback"
With the user "theterminator" still selected, click "Role Mappings"
Click on the "cool-kids" role to highlight it, then click the "Add selected" button to assign the role
On the left sidebar, click on "Roles" and then "View all roles"
On the right side of the screen, click on "Add Role"
Type in "cool-kids" and a description, then click "Save"
Now go back to "Users", choose "theterminator", and you should be able to do the realm role mapping
We had been faking the login earlier to test our app without requiring SSO. Now let’s get rid of that and redeploy the app_ui service, pointing it at the SSO host via a re-encrypt route.
Type the following in the CLI:
oc create route reencrypt keycloak-alt --service=keycloak
SSO_SVC=$(oc get route keycloak-alt --template='{{.spec.host}}')
oc set env dc/app-ui FAKE_USER=false SSO_SVC_HOST=$SSO_SVC