
There are multiple ways to authenticate in OpenShift.
- htpasswd OAuth Identity Provider
- kubeadmin
- SSO keycloak
This assumes you have already installed the Red Hat Single Sign On (SSO) Operator.
Let's create a YAML file named keycloak.yaml that contains the following.
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: sso
  labels:
    app: sso
spec:
  instances: 1
  externalAccess:
    enabled: True
The oc get operators command can be used to confirm that the Red Hat Single Sign On (SSO) Operator has been installed and to determine the namespace the operator is in ("sso" in this example).
]$ oc get operators
NAME                 AGE
rhsso-operator.sso   11m
And use the oc apply command to create the keycloak resources. It is important here that the keycloak resources are created in the same namespace as the Red Hat Single Sign On (SSO) Operator ("sso" in this example).
oc apply --filename keycloak.yaml --namespace sso
This should create two keycloak pods.
]$ oc get pods --namespace sso
NAME                                  READY   STATUS    RESTARTS   AGE
keycloak-0                            1/1     Running   0          2m42s
keycloak-postgresql-f965866f9-xv4qb   1/1     Running   0          2m43s
rhsso-operator-5564c95f95-pktgt       1/1     Running   0          12m
A few keycloak services.
]$ oc get services --namespace sso
NAME                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
keycloak                 ClusterIP   172.30.196.73    <none>        8443/TCP            2m59s
keycloak-discovery       ClusterIP   None             <none>        8080/TCP            2m58s
keycloak-monitoring      ClusterIP   172.30.220.16    <none>        9990/TCP            2m58s
keycloak-postgresql      ClusterIP   172.30.117.229   <none>        5432/TCP            2m59s
rhsso-operator-metrics   ClusterIP   172.30.145.169   <none>        8383/TCP,8686/TCP   12m
A keycloak replica set.
]$ oc get replicasets --namespace sso
NAME                            DESIRED   CURRENT   READY   AGE
keycloak-postgresql-f965866f9   1         1         1       3m27s
rhsso-operator-5564c95f95       1         1         1       13m
A keycloak stateful set.
]$ oc get statefulsets --namespace sso
NAME       READY   AGE
keycloak   1/1     3m54s
A keycloak deployment.
]$ oc get deployments --namespace sso
NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
keycloak-postgresql   1/1     1            1           4m10s
rhsso-operator        1/1     1            1           14m
And two keycloak routes.
]$ oc get routes --namespace sso
NAME                       HOST/PORT                                      PATH                          SERVICES   PORT       TERMINATION   WILDCARD
keycloak                   keycloak-sso-demo.apps.openshift.example.com                                 keycloak   keycloak   reencrypt     None
keycloak-metrics-rewrite   keycloak-sso-demo.apps.openshift.example.com   /auth/realms/master/metrics   keycloak   keycloak   reencrypt     None
And you should get the SSO console when you go to the route. Nice!

In this example, since "name" in the keycloak.yaml file is "sso", there should be a secret named credential-sso that contains the base64-encoded username and password used to sign into the SSO console.
~]$ oc get secret credential-sso --namespace sso --output yaml
apiVersion: v1
data:
  ADMIN_PASSWORD: M2labcJnMl9hVmNXYZE9PQ==
  ADMIN_USERNAME: YWzbaZ4=
kind: Secret
metadata:
  creationTimestamp: "2024-10-30T01:20:45Z"
  labels:
    app: keycloak
    keycloak: sso
  name: credential-sso
  namespace: sso
  ownerReferences:
  - apiVersion: keycloak.org/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Keycloak
    name: example-sso
    uid: 643e49f3-f390-4caf-a81e-0b9c6527099f
  resourceVersion: "355828349"
  uid: a822ad9a-7038-4f3b-ab79-5a04b34f1c2f
type: Opaque
The base64 command can be used to decode the username and password.
~]$ oc get secret credential-sso --namespace sso --output jsonpath="{.data.ADMIN_USERNAME}" | base64 --decode
admin
~]$ oc get secret credential-sso --namespace sso --output jsonpath="{.data.ADMIN_PASSWORD}" | base64 --decode
3ibw2g2_aVcQNA==
And then you should be able to sign into the SSO console with the decoded admin username and password.
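Base64 is an encoding, not encryption, so anyone who can read Secrets in the sso namespace can recover the admin password exactly as shown above. As an added example (not from the original article), the function below decodes every key under data: in one pass from the YAML that oc get secret prints; the function names and the sample manifest are constructed for illustration, and GNU base64 is assumed.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Against a cluster (same command as above, piped into the function):
#   oc get secret credential-sso --namespace sso --output yaml | decode_secret_data

# Reads a Secret manifest on stdin and prints KEY=decoded-value for each entry
# under the top-level "data:" block. Returns 1 if any value is not valid base64.
decode_secret_data() {
  in_data=0
  rc=0
  while IFS= read -r line; do
    case "$line" in
      data:*) in_data=1; continue ;;
      " "*|"") ;;            # indented or blank line: still inside the current block
      *) in_data=0 ;;        # next top-level key (kind:, metadata:, ...) ends data:
    esac
    [ "$in_data" -eq 1 ] || continue
    entry="${line#"${line%%[! ]*}"}"   # strip leading indentation
    [ -n "$entry" ] || continue
    key="${entry%%:*}"
    value="${entry#*: }"
    if decoded="$(printf '%s' "$value" | base64 --decode 2>/dev/null)"; then
      printf '%s=%s\n' "$key" "$decoded"
    else
      printf 'cannot decode %s: not valid base64\n' "$key" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample manifest (not real credentials); values are encoded at run time.
sample_secret() {
  printf 'apiVersion: v1\ndata:\n'
  printf '  ADMIN_PASSWORD: %s\n' "$(printf '%s' 'constructed-password' | base64)"
  printf '  ADMIN_USERNAME: %s\n' "$(printf '%s' 'admin' | base64)"
  printf 'kind: Secret\nmetadata:\n  name: credential-sso\n  namespace: sso\ntype: Opaque\n'
}

sample_secret | decode_secret_data
```

Because the decoded values are the live admin credentials, limit who has get access to Secrets in the operator's namespace and avoid running this where terminal output is logged.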
