In this article we describe the parameters required to configure Dex to use KeyCloak as an upstream identity provider in Kommander 2.X.
To configure Dex to use KeyCloak to perform the necessary OAuth2 flows to determine the user’s attributes (email, username, etc), the DKP operator should define the following parameters in the kommander configuration file:
apiVersion: config.kommander.mesosphere.io/v1alpha1
kind: Installation
apps:
  dex:
    values: |
      config:
        connectors:
        - type: oidc
          id: keycloak
          name: keycloak
          config:
            issuer: http://<KEYCLOAK FQDN/IPADDR>:PORT/auth/realms/<Realm>
            clientID: <Client Name>
            clientSecret: <Client Secret>
            redirectURI: https://<metal-lb or cloud LB>/dex/callback
            scopes:
            - openid
            - profile
            - email
            insecureSkipEmailVerified: true
            insecureEnableGroups: true
            userIDKey: email
            userNameKey: email
- issuer: the URL of the provider, in this case KeyCloak; "Local" is the name of the realm in KeyCloak.
- clientID: the client configured in KeyCloak.
- clientSecret: this secret can be found under the "Credentials" tab of the client in Clients.
- redirectURI: the Dex issuer URL plus "callback". The IP address is the MetalLB IP address if it is an on-premise DKP cluster, or the FQDN of the cloud load balancer if the cluster is deployed in a cloud provider. In either case, the following command prints the load balancer endpoint (as the dashboard URL; the redirectURI uses the same scheme and host with the /dex/callback path):
kubectl -n kommander get svc kommander-traefik -o go-template='https://{{with index .status.loadBalancer.ingress 0}}{{or .hostname .ip}}{{end}}/dkp/kommander/dashboard{{ "\n"}}'
Once the Dex connector configuration is set in the kommander.yaml file, the next step is to use the DKP command line to deploy or update Dex [3] by installing or re-deploying Kommander.
Note: To be able to communicate with the cluster via kubectl as a user whose identity is stored in KeyCloak, the user's configuration in KeyCloak must have the "Email verified" parameter set to ON.
Tip: By querying the following endpoint with curl, the user can retrieve the realm's OpenID configuration (in this case the realm is "Local"):
curl -s <KeyCloak FQDN/IP Address>:PORT/auth/realms/Local/.well-known/openid-configuration
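The discovery document returned by that curl command is the quickest way to catch the mistakes that make the connector above fail silently at login time: an issuer string that does not match the realm byte-for-byte (Dex rejects the provider outright), a requested scope the realm does not advertise, or a userIDKey/userNameKey naming a claim the realm never emits. The script below is an added example, not code from the article, Dex, KeyCloak or DKP; it runs offline against a constructed, trimmed discovery document whose hostname, port and realm are placeholders, and against the connector values from the snippet above. In practice you would paste the real curl output in place of SAMPLE_DISCOVERY.

```python
"""Offline consistency check of a Dex OIDC connector configuration against
the OpenID discovery document served by KeyCloak at
<issuer>/.well-known/openid-configuration.

Added example, not part of the original article or of Dex/KeyCloak/DKP.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the fields a KeyCloak realm's discovery endpoint returns
# that matter for the Dex connector. Host, port and realm are placeholders.
_BASE = "http://keycloak.example.internal:8080/auth/realms/Local"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": _BASE,
    "authorization_endpoint": _BASE + "/protocol/openid-connect/auth",
    "token_endpoint": _BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": _BASE + "/protocol/openid-connect/userinfo",
    "jwks_uri": _BASE + "/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "roles"],
    "claims_supported": ["sub", "email", "email_verified", "preferred_username"],
})

# Connector settings taken from the article's kommander.yaml snippet
# (placeholder values; clientSecret is deliberately not needed here).
DEX_CONNECTOR = {
    "issuer": _BASE,
    "scopes": ["openid", "profile", "email"],
    "insecureSkipEmailVerified": True,
    "userIDKey": "email",
    "userNameKey": "email",
}


def check_connector(discovery_json: str, connector: dict) -> list:
    """Return a list of findings; an empty list means the connector config is
    consistent with what the realm advertises."""
    doc = json.loads(discovery_json)
    findings = []

    # 1. Dex (through go-oidc) compares the configured issuer with the
    #    discovery document's "issuer" exactly; a trailing slash or a
    #    different host/port makes Dex refuse the provider.
    if doc.get("issuer") != connector["issuer"]:
        findings.append("issuer mismatch: config=%r discovery=%r"
                        % (connector["issuer"], doc.get("issuer")))

    # 2. The endpoints Dex will call must exist and sit on the issuer's origin.
    issuer_origin = urlsplit(connector["issuer"])[:2]
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            findings.append("discovery document lacks %s" % key)
        elif urlsplit(url)[:2] != issuer_origin:
            findings.append("%s is not on the issuer's origin: %s" % (key, url))

    # 3. Every scope the connector requests has to be advertised by the realm.
    missing = sorted(set(connector["scopes"]) - set(doc.get("scopes_supported", [])))
    if missing:
        findings.append("realm does not advertise scopes: %s" % missing)

    # 4. userIDKey / userNameKey name claims the realm must actually emit.
    claims = set(doc.get("claims_supported", []))
    for key in ("userIDKey", "userNameKey"):
        if connector[key] not in claims:
            findings.append("%s=%r is not in claims_supported" % (key, connector[key]))

    # 5. A plain-http issuer means tokens and the client secret travel
    #    unencrypted between Dex and KeyCloak; surface it as a conscious choice.
    if urlsplit(connector["issuer"]).scheme != "https":
        findings.append("issuer uses http, not https")

    # 6. insecureSkipEmailVerified lets Dex accept identities whose email was
    #    never verified; worth noting when the realm does emit email_verified.
    if connector.get("insecureSkipEmailVerified") and "email_verified" in claims:
        findings.append("insecureSkipEmailVerified is true although the realm emits email_verified")

    return findings


if __name__ == "__main__":
    for line in check_connector(SAMPLE_DISCOVERY, DEX_CONNECTOR) or ["no findings"]:
        print(line)
```

With the sample inputs the only findings are the two advisory ones (plain-http issuer and the skipped email verification); changing the connector's issuer to end in a slash is enough to reproduce the exact-match failure that otherwise only shows up in the Dex pod logs.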
References:
[1] https://dexidp.io/docs/connectors/oidc/
[2] https://dexidp.io/docs/connectors/oidc/#configuration
[3] https://docs.d2iq.com/dkp/kommander/2.2/install/configuration/#install-with-configuration-file