Skip to main content

How to configure Dex to use KeyCloak as its upstream Identity provider in Kommander 2.X

Sadiel Ortega
  • Updated

In this article we describe the parameters required to configure Dex to use KeyCloak as an upstream identity provider in Kommander 2.X.

 

To configure Dex to use KeyCloak to perform the necessary OAuth2 flows to determine the user’s attributes (email, username, etc), the DKP operator should define the following  parameters in the kommander configuration file: 

apiVersion: config.kommander.mesosphere.io/v1alpha1
kind: Installation
apps:
  dex:
    values: |
      config:
        connectors:
        - type: oidc
          id: keycloak
          name: keycloak
          config:
            issuer: http://<KEYCLOAK FQDN/IPADDR>:PORT/auth/realms/<Realm>
            clientID: <Client Name>
            clientSecret: <Client Secret>
            redirectURI: https://<metal-lb or cloud LB>/dex/callback
            scopes:
            - openid
            - profile
            - email
            insecureSkipEmailVerified: true
            insecureEnableGroups: true
            userIDKey: email
            userNameKey: email
  • issuer: refers to the URL of the provider in this case KeyCloak, and “Local” is the name of the realm in KeyCloak.
  • cliendID: this is the client configured in Keycloak
  • clientSecret: this secret can be found under the tab “Credentials” in Clients
  • redirectURI: Dex issuer URL plus “callback”, the ip address is the metallb ip address, in case is an on-premise DKP cluster, or the FQDN of the cloud Load Balancer, in case of a cluster deployed in a cloud provider. In any case, the following command can be used to get the endpoint:
     
    kubectl -n kommander get svc kommander-traefik -o go-template='https://{{with index .status.loadBalancer.ingress 0}}{{or .hostname .ip}}{{end}}/dkp/kommander/dashboard{{ "\n"}}' 

Once the dex connector configuration is set in the kommander.yaml file, the next step will be to use the DKP command line to deploy/update dex [3] by installing or re-deploying kommander.

 

NoteTo be able to communicate with the cluster via kubectl using a user whose identity is stored in KeyCloak, the user configuration should set the parameter “email verified” set to TRUE/ON. 

 

Tip: cURLing the following endpoint, the user can collect the realm (in this case realm is “Local”) configuration:


curl -s <KeyCloak FQDN/IP Address>:PORT/auth/realms/Local/.well-known/openid-configuration

 

 

 

References:
[1] https://dexidp.io/docs/connectors/oidc/

[2] https://dexidp.io/docs/connectors/oidc/#configuration

[3] https://docs.d2iq.com/dkp/kommander/2.2/install/configuration/#install-with-configuration-file