Security - Auth Policy Prep

Return to Workshop

Single Sign-On

Login, registration, and role-based authorization is handled via Red Hat SSO (aka Keycloak). SSO is included as part of OpenShift or any middleware product subscription you have from Red Hat - woot!


Because the service mesh will leverage SSO to authenticate users and generate JWT we need to install it. You will install it via Operator into your namespace.

Customize the Resources

Check out the .yaml files here and customize for this workshop cluster’s domain, and your user project. Note that we have relaxed SSO security settings for the workshop and SSO config should be tightened up for production (e.g. things like CORS and the use of wildcards).

Create an Instance of SSO / Configuration

You can do this CLI or web console. If using web console just use the + button at the top then drag’n’drop the file from the steps below.

We create a Keycloak instance using a Kubernetes resource:
oc apply -f ./istio-configuration/sso-keycloak.yaml
oc patch cm/keycloak-probes -p '{"data":{"":"#!/bin/bash\necho pass\n","":"#!/bin/bash\necho pass\n"}}'
Watch the pods for keycloak-0 to become READY 1/1:
oc get pods keycloak-0 -w
NAME                                       READY   STATUS      RESTARTS   AGE
keycloak-0                                 0/1     Pending       0          0s
keycloak-0                                 0/1     Init:0/1      0          0s
keycloak-0                                 0/1     Init:0/1      0          3s
keycloak-0                                 0/1     Init:0/1      0          4s
keycloak-0                                 0/1     PodInitializing   0          9s
keycloak-0                                 1/1     Running           0          10s

We configure via Kubernetes resources to create the realm + roles + clients & users as follows:
sed "s||$GATEWAY_URL|" ./istio-configuration/sso-realm.yaml | oc create -f -
oc apply -f ./istio-configuration/sso-user1.yaml
oc apply -f ./istio-configuration/sso-user2.yaml

Login to the SSO Admin Console

Open the SSO console. Retrieve the endpoint:
SSO_CONSOLE=$(oc get route keycloak --template='https://{{}}')

Even after it's running keycloak will continue to initialize for a bit. If you are watching the pod logs you should see a line saying " Admin console listening on" which indicates it's ready for you to login.

Your admin username is `admin` and the password is autogenerated. These are in a secret called: `credential-workshop-keycloak`
Choose one of the options below to find your password:
In the Developer View, click to expand the "Advanced" dropdown
Click "Project Details"
Scroll down a bit and click on "Secrets" from the Inventory panel
Find the secret named "credential-workshop-keycloak" and click on it
Scroll to the bottom and click the "Reveal Values" then copy the password
Run the following to print the secret out:
oc get secret/credential-workshop-keycloak -o yaml

You’ll see something like:

apiVersion: v1
kind: Secret
From your output, copy the characters you see next to "ADMIN_PASSWORD: "
Decode the characters by running (replace your copy):
echo <PASTE_YOUR_DATA_HERE> | base64 -d
Copy the password decoded
Goto the SSO web console and login as "admin" with the password you copied

Editing Config with the SSO Web Console

Now that you're logged in, click on "Users" and "View all users"
Select the "demo" user and goto "Credentials"
Set or Reset the password to "demo" (make sure the Temporary check box is set to "off")
Repeat for the user "theterminator" and set the password to "illbeback"

Now we will create some roles for our users in the SSO Web Console

With the user "theterminator" still selected click "Role Mappings"
Click on the "cool-kids" role to highlight it. And click the "Add selected" button to give the role.
On the left side bar click on "Roles" and "View all roles"
On the right side of the screen click on "Add Role"
Type in "cool-kids" and a description, then click "Save"
Now go back to "Users" choose "theterminator" and you should be able to do the realm role mapping

Tell the APP UI to use this SSO service

We had been faking login earlier to test our app without requiring SSO. Now let’s get rid of that and redeploy the app_ui service.

Type the following in the CLI:
oc create route reencrypt keycloak-alt --service=keycloak 
SSO_SVC=$(oc get route keycloak-alt --template='{{}}')
oc set env dc/app-ui FAKE_USER=false SSO_SVC_HOST=$SSO_SVC

Access Info / API documentation

Workshop Details

Domain Red Hat Logo
Student ID

Return to Workshop