openshift使用keycloak登录

参考：

http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html

https://hub.docker.com/r/jboss/keycloak/

https://uptoknow.github.io/post/openshift-with-keycloak-openid/

http://blog.keycloak.org/2018/05/keycloak-on-openshift.html

https://docs.okd.io/3.11/install_config/configuring_authentication.html#OpenID

创建project

oc new-project keycloak

发布mysql

应用目录选择发布持久化Mysql 5.7

注意：创建时填写默认数据库名称为keycloak

发布keycloak

oc process -n keycloak  -f https://raw.githubusercontent.com/ss75710541/keycloak-with-openshift-auth-provider/master/keycloak-with-openshift-auth-provider.yaml -p KEYCLOAK_IMAGE="docker.io/jboss/keycloak:4.8.3.Final" | oc create -f -

修改keycloak环境变量, 增加下面环境变量

            - name: DB_DATABASE
              valueFrom:
                secretKeyRef:
                  key: database-name
                  name: mysql
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  key: database-user
                  name: mysql
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: database-password
                  name: mysql
            - name: DB_ADDR
              value: mysql.keycloak.svc
            - name: DB_PORT
              value: '3306'
            - name: DB_VENDOR
              value: mysql
            - name: MYSQL_PORT
              value: '3306'

修改keycloak证书

生成keycloak相关证书(一般使用tls证书)

tls证书（默认选择，keycloak 镜像自动转为java使用的证书）

#!/bin/bash

domain="keycloak-https-keycloak.apps181.hisun.com"

project=keycloak

# 生成ca key

openssl genrsa -out $project-ca.key 2048

# 创建根证书

openssl req -utf8 -new -nodes -x509 -days 3650 -key $project-ca.key  -out $project-ca.crt -subj "/C=CN/ST=北京/L=北京/O=高阳金信/OU=IT/CN=$domain"

# 创建服务key

openssl genrsa -out $project.key 2048

# 创建服务证书

openssl req -utf8 -new -key $project.key -out $project.csr -subj "/C=CN/ST=北京/L=北京/O=高阳金信/OU=IT/CN=$domain"

# 签名证书

openssl x509 -req -in $project.csr -CA $project-ca.crt -CAkey $project-ca.key -CAcreateserial -out $project.crt -days 3650

# 生成pem

cat $project.crt $project.key > $project.pem

创建configmap（文件名称必须为tls.crt 和 tls.key ,否则不识别,所以在创建configmap前先修改文件名称,）

cp keycloak.crt tls.crt
cp keycloak.key tls.key
oc create configmap keycloak-certs  --from-file=tls.crt --from-file=tls.key  -n keycloak

添加configmap挂载配置

...
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/x509/https
              name: keycloak-certs
...

      terminationGracePeriodSeconds: 30
      volumes:
        - configMap:
            defaultMode: 420
            name: keycloak-certs
          name: keycloak-certs
...

创建jks证书（安装使用麻烦，只做参考，弃用）

domain=keycloak-https-keycloak.apps181.hisun.com
passwd=password
project=keycloak
# 生成ca key
openssl genrsa -out $project-ca.key 2048
# 创建根证书
openssl req -utf8 -new -nodes -x509 -days 3650 -key $project-ca.key  -out $project-ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=Hisun/OU=IT/CN=$domain"

keytool -genkey -alias server -keyalg RSA -keystore keycloak.jks -validity 10950 -keypass $passwd -storepass $passwd -dname "CN=$domain, OU=IT, O=Hisun, L=Beijing, ST=Beijing, C=CN"

keytool -storepass $passwd -certreq -alias server -keystore keycloak.jks  > keycloak.careq
cat keycloak.careq

openssl x509 -req -in keycloak.careq -CA $project-ca.crt -CAkey $project-ca.key -CAcreateserial -out $project.crt -days 500

keytool -import -keystore keycloak.jks -file $project-ca.crt -alias root -keypass $passwd -storepass $passwd

keytool -import -alias server -keystore keycloak.jks -file $project.crt -keypass $passwd -storepass $passwd

创建configmap

oc create configmap keycloak  --from-file=keycloak.jks --from-file=standalone-ha.xml -n keycloak

在keycloak的发布yaml中添加configmap挂载配置

...
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /opt/jboss/keycloak/standalone/configuration/application.keystore
              name: keycloak
              subPath: keycloak.jks
...

      terminationGracePeriodSeconds: 30
      volumes:
        - configMap:
            defaultMode: 420
            name: keycloak
          name: keycloak
...

导入openshift realm

访问https://keycloak-https-keycloak.apps181.hisun.com

以admin账号登录keycloak ，点添加realm，选择文件导入realm-openshift.json

修改clients

修改Valid Redirect URIs

选择realm--> Openshift --> Clients --> Settings

修改Valid Redirect URIs (根据实际openshift的访问地址修改)

https://master181.hisun.com:8443/*

重置keycloak openshift clinet 密钥

选择realm--> Openshift --> Clients --> Credentials

点击 Regenerate secret 重置密钥

添加测试用户

选择realm--> Openshift --> Users --> Add user

重置新用户密码

选择 Users --> <新添加的用户名> --> Credentials

配置Openshift master

配置master config

登录master主机

cd /etc/origin/master/

注：minishift的master目录为/var/lib/minishift/base/kube-apiserver/

上传keycloak-ca.crt文件

vi master-config.yaml

找到oauthConfig, identityProviders下添加下面内容

  identityProviders:
  - name: keycloak
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      ca: keycloak-ca.crt
      clientID: openshift
      clientSecret: <填写上一步重置后的openshift client密钥>
      claims:
        id:
        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:
        authorize: https://keycloak-https-keycloak.apps181.hisun.com/auth/realms/openshift/protocol/openid-connect/auth
        token: https://keycloak-https-keycloak.apps181.hisun.com/auth/realms/openshift/protocol/openid-connect/token

重启master api

master-restart api api

修改openshift logout url

编辑configmap webconsole-config

修改logoutPublicURL 的值为(酌情修改)

https://keycloak-https-keycloak.apps181.hisun.com/auth/realms/openshift/protocol/openid-connect/logout?redirect_uri=https://master181.hisun.com:8443/console

注意：minishift 的webconsole-config是operator管理的，所以直接修改logoutPublicURL无效，需要停止webconsole-config 的 operator服务才可以，这里暂无完美解决方法

支持作者

如果文章对您有帮助，欢迎打赏，谢谢

支付宝