# openshift使用keycloak登录

参考：

<http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html>

<https://hub.docker.com/r/jboss/keycloak/>

<https://uptoknow.github.io/post/openshift-with-keycloak-openid/>

<http://blog.keycloak.org/2018/05/keycloak-on-openshift.html>

<https://docs.okd.io/3.11/install_config/configuring_authentication.html#OpenID>

## 创建project

```
oc new-project keycloak
```

## 发布mysql

应用目录选择发布持久化Mysql 5.7

注意：创建时填写默认数据库名称为`keycloak`

## 发布keycloak

```
oc process -n keycloak  -f https://raw.githubusercontent.com/ss75710541/keycloak-with-openshift-auth-provider/master/keycloak-with-openshift-auth-provider.yaml -p KEYCLOAK_IMAGE="docker.io/jboss/keycloak:4.8.3.Final" | oc create -f -
```

修改keycloak环境变量, 增加下面环境变量

```
            - name: DB_DATABASE
              valueFrom:
                secretKeyRef:
                  key: database-name
                  name: mysql
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  key: database-user
                  name: mysql
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: database-password
                  name: mysql
            - name: DB_ADDR
              value: mysql.keycloak.svc
            - name: DB_PORT
              value: '3306'
            - name: DB_VENDOR
              value: mysql
            - name: MYSQL_PORT
              value: '3306'
```

## 修改keycloak证书

生成keycloak相关证书(一般使用tls证书)

### tls证书（默认选择，keycloak 镜像自动转为java使用的证书）

```
#!/bin/bash

domain="keycloak-https-keycloak.apps181.hisun.com"

project=keycloak

# 生成ca key

openssl genrsa -out $project-ca.key 2048

# 创建根证书

openssl req -utf8 -new -nodes -x509 -days 3650 -key $project-ca.key  -out $project-ca.crt -subj "/C=CN/ST=北京/L=北京/O=高阳金信/OU=IT/CN=$domain"

# 创建服务key

openssl genrsa -out $project.key 2048

# 创建服务证书

openssl req -utf8 -new -key $project.key -out $project.csr -subj "/C=CN/ST=北京/L=北京/O=高阳金信/OU=IT/CN=$domain"

# 签名证书

openssl x509 -req -in $project.csr -CA $project-ca.crt -CAkey $project-ca.key -CAcreateserial -out $project.crt -days 3650

# 生成pem

cat $project.crt $project.key > $project.pem
```

创建configmap（文件名称必须为tls.crt 和 tls.key ,否则不识别,所以在创建configmap前先修改文件名称,）

```
cp keycloak.crt tls.crt
cp keycloak.key tls.key
oc create configmap keycloak-certs  --from-file=tls.crt --from-file=tls.key  -n keycloak
```

添加configmap挂载配置

```
...
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/x509/https
              name: keycloak-certs
...

      terminationGracePeriodSeconds: 30
      volumes:
        - configMap:
            defaultMode: 420
            name: keycloak-certs
          name: keycloak-certs
...
```

### 创建jks证书（安装使用麻烦，只做参考，弃用）

```
domain=keycloak-https-keycloak.apps181.hisun.com
passwd=password
project=keycloak
# 生成ca key
openssl genrsa -out $project-ca.key 2048
# 创建根证书
openssl req -utf8 -new -nodes -x509 -days 3650 -key $project-ca.key  -out $project-ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=Hisun/OU=IT/CN=$domain"

keytool -genkey -alias server -keyalg RSA -keystore keycloak.jks -validity 10950 -keypass $passwd -storepass $passwd -dname "CN=$domain, OU=IT, O=Hisun, L=Beijing, ST=Beijing, C=CN"

keytool -storepass $passwd -certreq -alias server -keystore keycloak.jks  > keycloak.careq
cat keycloak.careq

openssl x509 -req -in keycloak.careq -CA $project-ca.crt -CAkey $project-ca.key -CAcreateserial -out $project.crt -days 500

keytool -import -keystore keycloak.jks -file $project-ca.crt -alias root -keypass $passwd -storepass $passwd

keytool -import -alias server -keystore keycloak.jks -file $project.crt -keypass $passwd -storepass $passwd
```

创建configmap

```
oc create configmap keycloak  --from-file=keycloak.jks --from-file=standalone-ha.xml -n keycloak
```

在keycloak的发布yaml中添加configmap挂载配置

```
...
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /opt/jboss/keycloak/standalone/configuration/application.keystore
              name: keycloak
              subPath: keycloak.jks
...

      terminationGracePeriodSeconds: 30
      volumes:
        - configMap:
            defaultMode: 420
            name: keycloak
          name: keycloak
...
```

## 导入openshift realm

访问`https://keycloak-https-keycloak.apps181.hisun.com`

以admin账号登录keycloak ，点添加realm，选择文件导入[realm-openshift.json](https://raw.githubusercontent.com/ss75710541/openshift-docs/master/keycloak/realm-openshift.json)

## 修改clients

### 修改Valid Redirect URIs

选择realm--> Openshift --> Clients --> Settings

修改`Valid Redirect URIs` (根据实际openshift的访问地址修改)

```
https://master181.hisun.com:8443/*
```

### 重置keycloak openshift clinet 密钥

选择realm--> Openshift --> Clients --> Credentials

点击 Regenerate secret 重置密钥

### 添加测试用户

选择realm--> Openshift --> Users --> Add user

### 重置新用户密码

选择 Users --> <新添加的用户名> --> Credentials

## 配置Openshift master

### 配置master config

登录master主机

cd /etc/origin/master/

注：minishift的master目录为`/var/lib/minishift/base/kube-apiserver/`

上传keycloak-ca.crt文件

vi master-config.yaml

找到oauthConfig, identityProviders下添加下面内容

```
  identityProviders:
  - name: keycloak
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      ca: keycloak-ca.crt
      clientID: openshift
      clientSecret: <填写上一步重置后的openshift client密钥>
      claims:
        id:
        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:
        authorize: https://keycloak-https-keycloak.apps181.hisun.com/auth/realms/openshift/protocol/openid-connect/auth
        token: https://keycloak-https-keycloak.apps181.hisun.com/auth/realms/openshift/protocol/openid-connect/token
```

重启master api

```
master-restart api api
```

## 修改openshift logout url

编辑configmap webconsole-config

修改logoutPublicURL 的值为(酌情修改)

```
https://keycloak-https-keycloak.apps181.hisun.com/auth/realms/openshift/protocol/openid-connect/logout?redirect_uri=https://master181.hisun.com:8443/console
```

注意：minishift 的webconsole-config是operator管理的，所以直接修改logoutPublicURL无效，需要停止webconsole-config 的 operator服务才可以，这里暂无完美解决方法

## 支持作者

如果文章对您有帮助，欢迎打赏，谢谢

![支付宝](/files/-LbLkf5wGLqw4_zZhgmC)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://liujinye.gitbook.io/openshift-docs/keycloak/openshift-shi-yong-keycloak-deng-lu.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.