Ensure docker, k3d and ngrok are installed:

```bash
brew update
brew install --cask docker ngrok
brew install k3d
```
Versions in use:

```
$ docker version
Client:
 Cloud integration: 1.0.14
 Version:           20.10.6
Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
$ k3d version
k3d version v4.4.6
```
```bash
k3d cluster create keycloak --servers 1 \
  --port 443:443@loadbalancer \
  --port 80:80@loadbalancer \
  --api-port 6443 --k3s-server-arg '--no-deploy=traefik'
```
Run `ngrok http 80` to create a temporary public domain that tunnels traffic to your port 80. ngrok assigns a fresh random hostname each time it starts; the files below use `4eeaf28b49b8.ngrok.io`, so substitute the hostname you are given.
We'll set a fake domain in our `/etc/hosts` just for kicks:

```bash
echo "127.0.0.1 k3d.local" | sudo tee -a /etc/hosts
```
Use the official Helm repo:

```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
```
Install the chart:

```bash
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --wait --version 3.34.0 --set-string controller.config.ssl-redirect=false
```
Running `curl http://k3d.local` should respond with "404 Not Found".
Let's use the codecentric Helm repo:

```bash
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
```
Create a `keycloak-values.yaml` with custom values:

```yaml
image:
  tag: 14.0.0
postgresql:
  enabled: false
ingress:
  enabled: true
  rules:
    - host: 4eeaf28b49b8.ngrok.io
      paths: [ / ]
  tls: []
  console:
    enabled: true
    rules:
      - host: 4eeaf28b49b8.ngrok.io
        paths: [ /auth/admin ]
    tls: []
extraEnv: |
  - name: KEYCLOAK_FRONTEND_URL
    value: https://4eeaf28b49b8.ngrok.io/auth
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KEYCLOAK_USER
    value: admin
  - name: KEYCLOAK_PASSWORD
    value: admin
```
Install the chart:

```bash
helm install keycloak codecentric/keycloak \
  --version 11.0.1 -f keycloak-values.yaml --wait
```
A realm in Keycloak is the equivalent of a tenant. It allows creating isolated groups of applications and users. By default there is a single realm in Keycloak called `master`. This realm is dedicated to managing Keycloak itself and should not be used for your own applications. Let's create our first realm.
- Open a browser at https://4eeaf28b49b8.ngrok.io and click on "Administrative Console"
- Login with `admin`/`admin`
- Hover the mouse over the drop-down in the top-left corner where it says `Master`, then click on `Add realm`
- Fill in the form with the following values:
  - Name: `myrealm`
- Click `Create`
Initially there are no users in a new realm, so let's create one:

- Open the Keycloak Admin Console
- Click `Users` (left-hand menu)
- Click `Add user` (top-right corner of the table)
- Fill in the form with the following values:
  - Username: `myuser`
  - First Name: Your first name
  - Last Name: Your last name
- Click `Save`
The user will need an initial password set to be able to log in. To do this:

- Click `Credentials` (top of the page)
- Fill in the `Set Password` form with a password
- Click `ON` next to `Temporary` to toggle it to `OFF`, so the user is not forced to change the password on first login
Let's now try to log in to the account console to verify the user is configured correctly.

- Open the Keycloak Account Console at https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/account
- Login with `myuser` and the password you created earlier

You should now be logged in to the account console, where users can manage their accounts.
Let's try to secure our first application. The first step is to register this application with your Keycloak playground instance:

- Open the Keycloak Admin Console
- Click `Clients`
- Fill in the form with the following values:
  - Client ID: `myclient`
  - Client Protocol: `openid-connect`
  - Root URL: `https://www.keycloak.org/app/`
- Click `Save`
To make it easy for you, there is a SPA testing application available on the Keycloak website. Open https://www.keycloak.org/app/. Change `Keycloak URL` to the URL of your Keycloak instance and click `Save`. Now you can click `Sign in` to authenticate to this application using the Keycloak server you started earlier.
First, create a new client in your Keycloak:

- Open the Keycloak Admin Console
- Click `Clients`
- Fill in the form with the following values:
  - Client ID: `myapp`
  - Client Protocol: `openid-connect`
  - Root URL: `http://4eeaf28b49b8.ngrok.io/oauth2`
- Click `Save`
- Change:
  - Access Type: `Confidential`
  - Valid Redirect URIs: add `*`
- Click `Save`
- Take note of the Secret shown under the client's `Credentials` tab.
- Create a mapper with Mapper Type `Group Membership` and Token Claim Name `groups`.
Use the official Helm repo:

```bash
helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
helm repo update
```
Create an `oauth2proxy-values.yaml` with custom values:

```yaml
image:
  tag: "v7.1.3"
ingress:
  enabled: true
  path: /oauth2
  hosts:
    - 4eeaf28b49b8.ngrok.io
config:
  clientID: myapp
  clientSecret: "<client secret from 'credentials' tab in myapp client>"
  cookieSecret: "UlpPOE8wWUo3cmZtRGxDRllXUmd2bEhaN1VXcGxFclI="
extraArgs:
  provider: keycloak
  scope: address
  login-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/auth
  redeem-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/token
  profile-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/userinfo
  validate-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/userinfo
```
Install the chart:

```bash
helm install oauth2-proxy oauth2-proxy/oauth2-proxy \
  --version 3.3.2 -f oauth2proxy-values.yaml --wait
```
Now navigate to https://4eeaf28b49b8.ngrok.io/oauth2 and complete sign-in.
You can protect any Ingress resource with OAuth2 by adding the auth annotations, for example:

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth{{ .Values.dnsDomain }}/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth{{ .Values.dnsDomain }}/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
```
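As an added example (not part of the original page), here is a complete Ingress that puts the oauth2-proxy installed above in front of a hypothetical `myapp` Service on the same ngrok host; the Service name, its port 80 and the `/myapp` path are assumptions.

```yaml
# Added example, not from the original page. Assumes a Service named "myapp"
# listening on port 80 in the same namespace as ingress-nginx and oauth2-proxy.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  annotations:
    # ingress-nginx sends a subrequest here before serving anything; oauth2-proxy
    # answers 202 when the session cookie is valid and 401 otherwise.
    # (An in-cluster URL such as http://oauth2-proxy.default.svc.cluster.local/oauth2/auth
    # avoids the round trip through ngrok; the external form mirrors the page's own snippet.)
    nginx.ingress.kubernetes.io/auth-url: "https://4eeaf28b49b8.ngrok.io/oauth2/auth"
    # On 401 the browser is redirected to oauth2-proxy, which starts the Keycloak login
    # and returns the user to the originally requested URL (rd=).
    nginx.ingress.kubernetes.io/auth-signin: "https://4eeaf28b49b8.ngrok.io/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
spec:
  rules:
    - host: 4eeaf28b49b8.ngrok.io
      http:
        paths:
          # "/" and "/auth/admin" on this host are already claimed by the Keycloak
          # ingress and "/oauth2" by oauth2-proxy, so the app gets its own prefix;
          # nginx picks the longest matching prefix, so "/myapp" wins over "/".
          - path: /myapp
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 80
```

Apply it with `kubectl apply -f`, then open https://4eeaf28b49b8.ngrok.io/myapp: without a valid oauth2-proxy session you are sent through the Keycloak login first.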