Native Kubernetes Deployment + Keycloak as OIDC instead of DEX - avoid looping
I tried to deploy the OKD origin-console using this helm chart, using a Keycloak realm instead of Dex, on top of a native Kubernetes v1.19.13.
After installing the chart, my deployment looks like:
- env:
  - name: BRIDGE_DOCUMENTATION_BASE_URL
    value: https://kubernetes.io/docs/
  - name: BRIDGE_DEX_API_HOST
    value: https://keycloak.example.co/auth/realms/realm-x
  - name: BRIDGE_BASE_ADDRESS
    value: https://console.devops.example.co
  - name: BRIDGE_USER_AUTH
    value: oidc
  - name: BRIDGE_K8S_AUTH
    value: oidc
  - name: BRIDGE_USER_AUTH_OIDC_ISSUER_URL
    value: https://keycloak.example.co/auth/realms/realm-x
  - name: BRIDGE_USER_AUTH_OIDC_CLIENT_ID
    value: console
  - name: BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET
    value: yyyyyyy-xxxx-zzzz-tttt-xxxxxxxxxx
  image: quay.io/openshift/origin-console:4.6.0
The console is able to redirect me to the Keycloak login page. However, after a successful login, I cannot see everything in the console. I just see an infinite loop of page refreshes.
These are my questions:
- Is it possible to integrate correctly with Keycloak as OIDC provider instead of Dex?
- What are the missing env vars? After some research, I found someone referring to other env vars like BRIDGE_KUBECTL_CLIENT_ID and BRIDGE_KUBECTL_CLIENT_SECRET, which I don't know how to assign a value for.
- What are the required ClusterRoleBindings?
- For the websocket, what are the required annotations at ingress level, so I can avoid failed websockets?
- What are the CRDs that I must deploy to the native Kubernetes, so I can take the most benefit from the console? For example, the helm chart mentioned at the beginning deploys the CRD "app" of OpenShift.
Note that this configuration is working for me. However, it does not delegate to users with RBAC.
Issue Analytics
- Created 2 years ago
- Comments: 11 (5 by maintainers)
Hi, I'm the one who wrote the original helm chart. The key to making it work is that the OIDC token must be accepted by the API server. Since this is the OpenShift Console, it works off the expectation that the Kubernetes API server will accept an OIDC token, which for most distributions it won't (at least out-of-the-box). When the OIDC token is not accepted, the Console goes into a reload loop, which is extremely annoying and hard to debug.
To make this work, you can configure the API server directly (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) or use a proxy (https://github.com/jetstack/kube-oidc-proxy) and point the OpenShift Console and your users at that.
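Both routes in the reply come down to the API server trusting the same issuer and client ID the console is configured with. As an added example that is not part of this issue, the helm chart or the project, here is the first route (configuring kube-apiserver directly through kubeadm) for the realm and client ID shown in the deployment above, plus a group binding for the RBAC delegation the opening post says it is missing; the claim names, prefixes, CA path and group name are assumptions.

```yaml
# Added example, not from the issue or the chart: kubeadm ClusterConfiguration
# fragment (v1beta2 is the API used by kubeadm 1.19) that makes kube-apiserver
# trust the Keycloak realm the console already points at.
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  extraArgs:
    # Must equal BRIDGE_USER_AUTH_OIDC_ISSUER_URL byte for byte: the API server
    # compares it to the token's "iss" claim, so even a trailing slash breaks it.
    oidc-issuer-url: https://keycloak.example.co/auth/realms/realm-x
    # Must equal BRIDGE_USER_AUTH_OIDC_CLIENT_ID; the token's "aud" must contain it.
    oidc-client-id: console
    # Assumed claim names. Keycloak emits preferred_username by default; a "groups"
    # claim only exists if a group-membership mapper is added to the client.
    oidc-username-claim: preferred_username
    oidc-groups-claim: groups
    # Prefixes keep OIDC identities from colliding with system: and serviceaccount
    # names, so an IdP user cannot impersonate a built-in principal.
    oidc-username-prefix: "oidc:"
    oidc-groups-prefix: "oidc:"
    # Assumed path; only needed when Keycloak is served with a private CA.
    oidc-ca-file: /etc/kubernetes/pki/keycloak-ca.crt
---
# Accepting the token only authenticates the user. Authorization still needs a
# binding; bind a Keycloak group (assumed name "console-admins") carried in the
# "groups" claim rather than granting cluster-admin to every authenticated user.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-console-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: oidc:console-admins
```

With these flags in place, a quick check is to run `kubectl --token=<id token> auth can-i --list` against the API server: a 401 there, rather than a listing, is the same rejection that shows up in the console as the reload loop.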
@openshift-bot: Closing this issue.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.