forked from redhat-ai-services/ai-accelerator
Commit
Change Keycloak oidc to service account
Add scripting to update keycloak idp with oidc secret
Change job to sync wave instead of posthook
Update script and job
Try to make keycloak job a hook
Parameterize vars
Demonstrate patching resources for urls
Add simple keycloak install and update readme
Restructuring keycloak to rhsso and cleanup
Update rhsso README
Remove test applications from rhsso
Remove extraneous file
1 parent d8ab40a, commit ca84bfb. Showing 25 changed files with 1,231 additions and 0 deletions.
@@ -0,0 +1,43 @@ | ||
# keycloak | ||
|
||
Installs the Red Hat SSO (keycloak) operator and/or instance. | ||
|
||
## Usage | ||
|
||
### Install the operator | ||
|
||
The current *overlays* available are for the following channels: | ||
|
||
* [stable](operator/overlays/stable) | ||
|
||
``` | ||
oc apply -k rhsso/operator/overlays/stable | ||
``` | ||
|
||
|
||
### Install an instance of Keycloak | ||
|
||
``` | ||
oc apply -k rhsso/instance/overlays/<overlay-name> | ||
``` | ||
The current overlays are available for the following cases: | ||
|
||
* [keycloak-standalone](instance/overlays/keycloak-standalone) - A base Keycloak instance with no realm configuration | ||
* [aws-ocp-oidc](instance/overlays/aws-ocp-oidc) - A Keycloak instance base with a component configuring a realm containing a backend client and configuration for an OpenShift IDP | ||
|
||
### Install all components | ||
|
||
``` | ||
oc apply -k rhsso/aggregate/overlays/<overlay-name> | ||
``` | ||
|
||
#### Oidc Client Component | ||
|
||
This component installs the instance of Keycloak and the sets up the following items to use OpenShift as and IDP as well as setting up a client for the backend service to use. | ||
|
||
The following items are created: | ||
* `KeycloakRealm` `openshift-realm` - Defines the `openshift-ai` realm as well as the `backend-service` client and `openshift-v4` idp. Contains baseUrls and secrets that must be changed for the application to authenticate correctly. See patch-realm.yaml for example substitutions. NOTE: The KeycloakRealm will only create the initial realm. If the realm already exists, changes to the CR [will not update the realm in Keycloak](https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html/server_installation_and_configuration_guide/operator#realm-cr). | ||
* `ServiceAccount` `openshift-oidc` - A service account used as an oidc provider. This allows Keycloak to use OpenShift as an IDP. One or more annotations for redirect uris must correctly point back to Keycloak. See patch-sa.yaml for example substitutions. See [Service accounts as OAuth clients](https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/authentication_and_authorization/using-service-accounts-as-oauth-client#service-accounts-as-oauth-clients_using-service-accounts-as-oauth-client) for more details. | ||
* `Secret` `openshift-oidc-secret` - A secret providing a long lasting token for the `openshift-oidc` service account. This is required as Keycloak requires a token in the OpenShift IDP configuration. See [Service Accounts Admin](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token) for more details. | ||
* `Role` and `RoleBinding` giving permissions to the Job to read secrets required to use the Keycloak API to update secrets and config. | ||
* `Job` `update-idp-credentials` - A Job that runs as a PostSync hook in Argo in order to update required secrets and redirect/baseUrls within the Keycloak realm. |
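Review bot: the "Oidc Client Component" paragraph has wording errors that obscure what is being set up: "installs the instance of Keycloak and the sets up the following items to use OpenShift as and IDP" should read "installs the Keycloak instance and sets up the following items to use OpenShift as an IDP", and the heading should use "OIDC". The "Install all components" section points at `rhsso/aggregate/overlays/<overlay-name>` but the only aggregate overlay in this commit is `aws`, so list it the way the instance overlays are listed. Because the linked realm limitation means a wrong first apply cannot be corrected by re-syncing the `KeycloakRealm`, this section should also state up front which placeholders (the redirect URI annotation on `openshift-oidc`, the Job's `KEYCLOAK_URL`, the realm baseUrls and secrets) must be replaced before the first apply.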
components/operators/rhsso/aggregate/overlays/aws/kustomization.yaml (9 additions, 0 deletions)
@@ -0,0 +1,9 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
commonAnnotations: | ||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true | ||
|
||
resources: | ||
- ../../../operator/overlays/stable | ||
- ../../../instance/overlays/aws-ocp-oidc |
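Review bot: `SkipDryRunOnMissingResource=true` is applied as a commonAnnotation to every resource, yet nothing orders the operator resources before the `Keycloak` CR in the instance overlay; the annotation only stops Argo CD's dry-run validation from failing, the apply of the CR still fails until the CRD exists and succeeds only on retry. Add `argocd.argoproj.io/sync-wave` annotations (operator first, instance in a later wave) so the ordering is explicit, and scope the dry-run skip to the instance resources instead of the whole overlay.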
@@ -0,0 +1,10 @@ | ||
apiVersion: keycloak.org/v1alpha1 | ||
kind: Keycloak | ||
metadata: | ||
name: composer-ai-rhsso | ||
labels: | ||
app: composer-ai-rhsso | ||
spec: | ||
externalAccess: | ||
enabled: true | ||
instances: 1 |
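Review bot: `externalAccess.enabled: true` publishes the instance, admin console included, outside the cluster, and `instances: 1` gives a single replica; neither is mentioned in the README. Document that the admin console becomes externally reachable after this apply and consider whether it needs to be, and keep this single-replica CR clearly labelled as a demo base so nobody reuses it for a production realm.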
@@ -0,0 +1,5 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
resources: | ||
- keycloak.yaml |
components/operators/rhsso/instance/components/ocp-oidc-client/kustomization.yaml (17 additions, 0 deletions)
@@ -0,0 +1,17 @@ | ||
apiVersion: kustomize.config.k8s.io/v1alpha1 | ||
kind: Component | ||
|
||
resources: | ||
- oidc-service-account.yaml | ||
- oidc-role.yaml | ||
- oidc-rolebinding.yaml | ||
- realm.yaml | ||
- token-secret.yaml | ||
- oidc-update-job.yaml | ||
|
||
namespace: composer-ai-rhsso | ||
|
||
configMapGenerator: | ||
- name: oidc-job-cm | ||
files: | ||
- update-oidc.sh |
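Review bot: `configMapGenerator` appends a content hash to `oidc-job-cm`, and kustomize rewrites the Job's `configMap.name` to match, so the reference works; but every change to `update-oidc.sh` leaves the previous ConfigMap behind unless pruning is enabled on the Argo CD application. Either set `generatorOptions: disableNameSuffixHash: true` for this component, or note in the README that prune is expected. The script itself is not visible in this commit view, so the README is the only place its expected inputs (`KEYCLOAK_URL`, the secrets the Role grants) are described.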
components/operators/rhsso/instance/components/ocp-oidc-client/oidc-role.yaml (12 additions, 0 deletions)
@@ -0,0 +1,12 @@ | ||
kind: Role | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: openshift-oidc-role | ||
namespace: composer-ai-rhsso | ||
rules: | ||
- verbs: | ||
- get | ||
apiGroups: | ||
- '' | ||
resources: | ||
- secrets |
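Review bot: the rule grants `get` on every Secret in `composer-ai-rhsso`, which includes the Keycloak admin credentials and any other secret later placed in the namespace, while the README says the Job only needs the secrets required to call the Keycloak API. Narrow it with `resourceNames` to exactly those secrets (`openshift-oidc-secret` and the Keycloak credential secret the script reads), so a compromise of the Job's token cannot read arbitrary namespace secrets.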
components/operators/rhsso/instance/components/ocp-oidc-client/oidc-rolebinding.yaml (13 additions, 0 deletions)
@@ -0,0 +1,13 @@ | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: openshift-oidc-role | ||
namespace: composer-ai-rhsso | ||
subjects: | ||
- kind: ServiceAccount | ||
name: openshift-oidc | ||
namespace: composer-ai-rhsso | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: openshift-oidc-role |
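Review bot: this binds secret-read to `openshift-oidc`, the same ServiceAccount that the `oauth-redirecturi` annotation turns into the OAuth client Keycloak authenticates against. Two identities are being merged: the OAuth client whose long-lived token is handed to Keycloak, and the Job runner that reads secrets in the namespace. Give the Job its own ServiceAccount and bind the Role to that, so the token stored in `openshift-oidc-secret` and configured into Keycloak carries no Kubernetes RBAC beyond acting as an OAuth client.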
components/operators/rhsso/instance/components/ocp-oidc-client/oidc-service-account.yaml (7 additions, 0 deletions)
@@ -0,0 +1,7 @@ | ||
kind: ServiceAccount | ||
apiVersion: v1 | ||
metadata: | ||
name: openshift-oidc | ||
namespace: composer-ai-rhsso | ||
annotations: | ||
serviceaccounts.openshift.io/oauth-redirecturi.first: MY_OAUTH_ENDPOINT |
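Review bot: `MY_OAUTH_ENDPOINT` is a placeholder that must be replaced with the exact Keycloak broker endpoint for the `openshift-v4` identity provider, otherwise the OAuth server rejects the redirect and the login flow fails; the README defers to `patch-sa.yaml` but does not say what the value looks like. Add the expected form of the URI to the README and make the patch a required step, since an incorrect redirect URI is the one field in this component that decides where OpenShift sends authorization codes.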
components/operators/rhsso/instance/components/ocp-oidc-client/oidc-update-job.yaml (27 additions, 0 deletions)
@@ -0,0 +1,27 @@ | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: update-idp-credentials | ||
annotations: | ||
argocd.argoproj.io/hook: PostSync | ||
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation | ||
spec: | ||
template: | ||
spec: | ||
restartPolicy: Never | ||
containers: | ||
- name: update-idp | ||
image: registry.redhat.io/openshift4/network-tools-rhel9:latest | ||
command: ["/bin/sh", "-c", "/etc/scripts/update-oidc.sh"] | ||
env: | ||
- name: KEYCLOAK_URL | ||
value: MY_KEYCLOAK_URL | ||
volumeMounts: | ||
- name: update-script | ||
mountPath: /etc/scripts | ||
serviceAccountName: openshift-oidc | ||
volumes: | ||
- name: update-script | ||
configMap: | ||
name: oidc-job-cm | ||
defaultMode: 0550 |
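Review bot: the Job has no `backoffLimit` or `activeDeadlineSeconds`, so a failing `update-oidc.sh` (for example a bad `MY_KEYCLOAK_URL` placeholder) retries with the default limit and blocks the PostSync hook for longer than needed; set both explicitly. The image is pulled by the moving `:latest` tag and the script runs with whatever credentials the Role grants, so pin the image to a digest. The commit message says the job was moved to a sync wave and then back to a hook; the final state here is a `PostSync` hook with `BeforeHookCreation`, which is fine, but the README and this file should agree on that one mechanism.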