Add keycloak operator and instance
Change Keycloak oidc to service account

Add scripting to update keycloak idp with oidc secret

Change job to sync wave instead of posthook

Update script and job

Try to make keycloak job a hook

Parameterize vars

Demonstrate patching resources for urls

Add simple keycloak install and update readme

Restructuring keycloak to rhsso and cleanup

Update rhsso README

Remove test applications from rhsso

Remove extraneous file
joshuacanter committed Dec 9, 2024
1 parent d8ab40a commit ca84bfb
Showing 25 changed files with 1,231 additions and 0 deletions.
7 changes: 7 additions & 0 deletions .wordlist-txt
Expand Up @@ -73,6 +73,7 @@ Jupyter
KServe
Kafka
Keycloak
KeycloakRealm
Kibana
KieApp
Koku
Expand Down Expand Up @@ -114,6 +115,7 @@ OperatorGroup
PCI
PV
PolicyReport
PostSync
Prometheus
Quarkus
RBAC
Expand Down Expand Up @@ -174,7 +176,9 @@ auth
authorino
autocompletion
aws
backend
backticks
baseUrls
buildah
canada
ceph
Expand Down Expand Up @@ -241,6 +245,7 @@ js
json
kafka
kataconfig
keycloak
kiali
knative
kubeadmin
Expand Down Expand Up @@ -276,6 +281,7 @@ oc
ocp
ocs
odf
oidc
olm
openAPI
opendatahub
Expand Down Expand Up @@ -336,6 +342,7 @@ triton
truly
txt
un
uris
url
vLLM
vSphere
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,11 @@ spec:
values:
name: openshift-servicemesh-operator
path: components/operators/openshift-servicemesh/operator/overlays/stable
- cluster: local
url: https://kubernetes.default.svc
values:
name: composer-ai-rhsso
path: components/operators/rhsso/aggregate/overlays/aws

# - cluster: local
# url: https://kubernetes.default.svc
Expand Down
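Review bot: The new `composer-ai-rhsso` generator entry points at `components/operators/rhsso/aggregate/overlays/aws`, and the aggregate kustomization in this commit resolves to the `aws-ocp-oidc` instance overlay whose manifests still carry the `MY_OAUTH_ENDPOINT` (ServiceAccount annotation) and `MY_KEYCLOAK_URL` (Job env) placeholders. Confirm that the `aws` overlay patches both in before this entry is enabled; otherwise the PostSync job will be handed a literal placeholder as its Keycloak URL.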
43 changes: 43 additions & 0 deletions components/operators/rhsso/README.md
@@ -0,0 +1,43 @@
# keycloak

Installs the Red Hat SSO (keycloak) operator and/or instance.

## Usage

### Install the operator

The current *overlays* available are for the following channels:

* [stable](operator/overlays/stable)

```
oc apply -k rhsso/operator/overlays/stable
```


### Install an instance of Keycloak

```
oc apply -k rhsso/instance/overlays/<overlay-name>
```
The current overlays are available for the following cases:

* [keycloak-standalone](instance/overlays/keycloak-standalone) - A base Keycloak instance with no realm configuration
* [aws-ocp-oidc](instance/overlays/aws-ocp-oidc) - A Keycloak instance base with a component configuring a realm containing a backend client and configuration for an OpenShift IDP

### Install all components

```
oc apply -k rhsso/aggregate/overlays/<overlay-name>
```

#### Oidc Client Component

This component installs the instance of Keycloak and the sets up the following items to use OpenShift as and IDP as well as setting up a client for the backend service to use.

The following items are created:
* `KeycloakRealm` `openshift-realm` - Defines the `openshift-ai` realm as well as the `backend-service` client and `openshift-v4` idp. Contains baseUrls and secrets that must be changed for the application to authenticate correctly. See patch-realm.yaml for example substitutions. NOTE: The KeycloakRealm will only create the initial realm. If the realm already exists, changes to the CR [will not update the realm in Keycloak](https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html/server_installation_and_configuration_guide/operator#realm-cr).
* `ServiceAccount` `openshift-oidc` - A service account used as an oidc provider. This allows Keycloak to use OpenShift as an IDP. One or more annotations for redirect uris must correctly point back to Keycloak. See patch-sa.yaml for example substitutions. See [Service accounts as OAuth clients](https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/authentication_and_authorization/using-service-accounts-as-oauth-client#service-accounts-as-oauth-clients_using-service-accounts-as-oauth-client) for more details.
* `Secret` `openshift-oidc-secret` - A secret providing a long lasting token for the `openshift-oidc` service account. This is required as Keycloak requires a token in the OpenShift IDP configuration. See [Service Accounts Admin](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token) for more details.
* `Role` and `RoleBinding` giving permissions to the Job to read secrets required to use the Keycloak API to update secrets and config.
* `Job` `update-idp-credentials` - A Job that runs as a PostSync hook in Argo in order to update required secrets and redirect/baseUrls within the Keycloak realm.
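Review bot: Typos in the component description: "installs the instance of Keycloak and the sets up the following items to use OpenShift as and IDP" should read "installs the instance of Keycloak and sets up the following items to use OpenShift as an IDP", and the heading "Oidc Client Component" would be better as "OIDC Client Component" to match the acronym elsewhere in the file. The README points at patch-realm.yaml and patch-sa.yaml for substitutions but never names the placeholders that must be replaced (`MY_OAUTH_ENDPOINT` in the `openshift-oidc` ServiceAccount annotation, `MY_KEYCLOAK_URL` in the `update-idp-credentials` Job env); listing them here, with a note that the `oc apply -k rhsso/...` commands are relative to `components/operators`, would save the next reader a search.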
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true

resources:
- ../../../operator/overlays/stable
- ../../../instance/overlays/aws-ocp-oidc
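Review bot: `commonAnnotations` stamps `SkipDryRunOnMissingResource=true` on every resource in this build, but that only skips the dry run; nothing here orders the operator subscription ahead of the `Keycloak` and `KeycloakRealm` CRs that need its CRDs, so the first sync relies on Argo retrying until the CRDs appear. Consider `argocd.argoproj.io/sync-wave` annotations (operator in an earlier wave than `instance/overlays/aws-ocp-oidc`) so the ordering is explicit rather than incidental.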
10 changes: 10 additions & 0 deletions components/operators/rhsso/instance/base/keycloak.yaml
@@ -0,0 +1,10 @@
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
name: composer-ai-rhsso
labels:
app: composer-ai-rhsso
spec:
externalAccess:
enabled: true
instances: 1
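Review bot: `externalAccess.enabled: true` with no `host` means the operator generates the route hostname, yet that same hostname is what the Job needs as `KEYCLOAK_URL` (currently the `MY_KEYCLOAK_URL` placeholder). Either set `host` explicitly so both sides agree by construction, or document in the README that the placeholder must be filled from the generated route after the first sync. `instances: 1` is a single, non-HA pod; worth stating that in the README alongside the install instructions.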
5 changes: 5 additions & 0 deletions components/operators/rhsso/instance/base/kustomization.yaml
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- keycloak.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

resources:
- oidc-service-account.yaml
- oidc-role.yaml
- oidc-rolebinding.yaml
- realm.yaml
- token-secret.yaml
- oidc-update-job.yaml

namespace: composer-ai-rhsso

configMapGenerator:
- name: oidc-job-cm
files:
- update-oidc.sh
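Review bot: `namespace: composer-ai-rhsso` is set both here and in `metadata.namespace` of the Role, RoleBinding and ServiceAccount in this component; pick one place, preferably the kustomization, so the manifests stay reusable in another namespace. Also note that `configMapGenerator` appends a content hash to `oidc-job-cm`; kustomize rewrites the reference in the Job's `volumes` because both live in this build, which is the intended behavior, but anyone applying `oidc-update-job.yaml` on its own will get an unresolved ConfigMap name.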
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: openshift-oidc-role
namespace: composer-ai-rhsso
rules:
- verbs:
- get
apiGroups:
- ''
resources:
- secrets
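Review bot: `get` on `secrets` with no `resourceNames` lets the `openshift-oidc` service account read every Secret in `composer-ai-rhsso`, not just the ones the update script needs (the README says the Job reads secrets in order to use the Keycloak API). Restrict the rule with `resourceNames:` naming the specific secrets, e.g. `openshift-oidc-secret` plus the Keycloak admin credential secret the script reads, so a compromised Job pod cannot enumerate the rest of the namespace.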
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: openshift-oidc-role
namespace: composer-ai-rhsso
subjects:
- kind: ServiceAccount
name: openshift-oidc
namespace: composer-ai-rhsso
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openshift-oidc-role
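Review bot: The RoleBinding reuses the Role's name `openshift-oidc-role`, which works but makes `oc get rolebinding` output read as if it were the Role itself; naming it `openshift-oidc-rolebinding` keeps the two distinguishable when debugging permissions.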
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: openshift-oidc
namespace: composer-ai-rhsso
annotations:
serviceaccounts.openshift.io/oauth-redirecturi.first: MY_OAUTH_ENDPOINT
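Review bot: `openshift-oidc` does double duty: it is the OAuth client the README describes (its long-lived token is what Keycloak presents to the OpenShift IDP), and via `serviceAccountName: openshift-oidc` in the Job it is also the identity that runs the update script with `get` on secrets. A separate service account for the Job would keep the secret-reading RBAC off the OAuth client identity. The redirect URI is still the `MY_OAUTH_ENDPOINT` placeholder; the README says it must point back to Keycloak, so the patch that substitutes it should be referenced next to this annotation.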
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
apiVersion: batch/v1
kind: Job
metadata:
name: update-idp-credentials
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
template:
spec:
restartPolicy: Never
containers:
- name: update-idp
image: registry.redhat.io/openshift4/network-tools-rhel9:latest
command: ["/bin/sh", "-c", "/etc/scripts/update-oidc.sh"]
env:
- name: KEYCLOAK_URL
value: MY_KEYCLOAK_URL
volumeMounts:
- name: update-script
mountPath: /etc/scripts
serviceAccountName: openshift-oidc
volumes:
- name: update-script
configMap:
name: oidc-job-cm
defaultMode: 0550
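Review bot: `image: registry.redhat.io/openshift4/network-tools-rhel9:latest` should be pinned to a tag or digest; a PostSync hook that is recreated on every sync (`BeforeHookCreation`) will silently pick up whatever `latest` resolves to. `MY_KEYCLOAK_URL` is a placeholder that must be patched per environment, and since the Job runs as `openshift-oidc` with its token auto-mounted, consider adding a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`) and a `backoffLimit` so a wrong URL fails fast instead of retrying through the default attempts.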