# Istio Addon Specific Keycloak Configuration

# Table of Contents
- [Keycloak configuration](#keycloak-configuration)
- [Kiali and Jaeger configuration](#kiali-and-jaeger-configuration)

## Keycloak Configuration

#### Kiali
1. Create a `kiali` client
   - Change the following configuration items
      - Access Type: confidential _this will enable a "Credentials" tab within the client configuration page_
      - Direct Access Grants Enabled: Off
      - Valid Redirect URIs: https://kiali.${DOMAIN}/login
      - Base URL: https://kiali.${DOMAIN}
   - Take note of the client secret in the Credentials tab

#### Jaeger
1. Create a `jaeger` client
   - Change the following configuration items
      - Access Type: confidential _this will enable a "Credentials" tab within the client configuration page_
      - Direct Access Grants Enabled: Off
      - Valid Redirect URIs: https://tracing.${DOMAIN}/login
      - Base URL: https://tracing.${DOMAIN}
   - Take note of the client secret in the Credentials tab


## Kiali and Jaeger Configuration
Configuration of Keycloak/OIDC auth in front of Kiali and Jaeger requires the following:

1. [Authservice](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice) installed in your cluster and individual chains for Kiali and Jaeger configured:
```
authservice:
  enabled: true
  values:
    chains:
      kiali:
        match:
          header: ":authority"
          prefix: "kiali.DOMAIN"
        client_id: kiali              # the kiali client created above
        client_secret: secret-text    # value from the client's Credentials tab
        callback_uri: https://kiali.DOMAIN/login
        cookie_name_prefix: hello_world
        logout_path: /logout
      jaeger:
        match:
          header: ":authority"
          prefix: "tracing.DOMAIN"
        client_id: jaeger             # the jaeger client created above
        client_secret: secret-text    # value from the client's Credentials tab
        # must match the jaeger client's Valid Redirect URI and the matched host above
        callback_uri: https://tracing.DOMAIN/login
        cookie_name_prefix: hello_world
        logout_path: /logout
```
* When used in conjunction with the Big Bang umbrella chart, see the `istio.sso` section of values.yaml to configure SSO in the umbrella chart; the umbrella chart configures Authservice with these values.
* The Jaeger/tracing chain looks identical to the Kiali chain, just with the jaeger-specific `client_id`, `client_secret`, `prefix`, and `callback_uri`.
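Because each chain has to agree with the Keycloak client it fronts (same `client_id`, a real secret, a `callback_uri` that is both under the matched host and listed in the client's Valid Redirect URIs), a consistency check before deploying saves a round of failed logins. The following is an added example, not code from the Big Bang istio addons package or from Authservice: it cross-checks constructed Keycloak client representations (field names follow the Keycloak admin REST API's `ClientRepresentation`) against a constructed `authservice.values.chains` map, with the jaeger `callback_uri` deliberately pointing at the wrong host and the kiali secret left as the placeholder so the check has something to report. `DOMAIN` is a constructed placeholder.

```python
"""Cross-check Keycloak client settings against Authservice chains.

Added example; the two dictionaries below are constructed to mirror the
settings described in this document and are not real cluster values.
"""
from urllib.parse import urlsplit

DOMAIN = "example.mil"  # constructed stand-in for ${DOMAIN}
PLACEHOLDER_SECRETS = {"secret-text", "", None}

# Constructed: what the two Keycloak clients look like after step 1,
# using the admin REST API ClientRepresentation field names.
KEYCLOAK_CLIENTS = {
    "kiali": {
        "clientId": "kiali",
        "publicClient": False,               # "Access Type: confidential"
        "directAccessGrantsEnabled": False,  # "Direct Access Grants Enabled: Off"
        "redirectUris": [f"https://kiali.{DOMAIN}/login"],
        "baseUrl": f"https://kiali.{DOMAIN}",
    },
    "jaeger": {
        "clientId": "jaeger",
        "publicClient": False,
        "directAccessGrantsEnabled": False,
        "redirectUris": [f"https://tracing.{DOMAIN}/login"],
        "baseUrl": f"https://tracing.{DOMAIN}",
    },
}

# Constructed: the authservice.values.chains map. The kiali secret is still
# the placeholder and the jaeger callback uses the wrong host on purpose.
AUTHSERVICE_CHAINS = {
    "kiali": {
        "match": {"header": ":authority", "prefix": f"kiali.{DOMAIN}"},
        "client_id": "kiali",
        "client_secret": "secret-text",
        "callback_uri": f"https://kiali.{DOMAIN}/login",
    },
    "jaeger": {
        "match": {"header": ":authority", "prefix": f"tracing.{DOMAIN}"},
        "client_id": "jaeger",
        "client_secret": "constructed-secret-from-credentials-tab",
        "callback_uri": f"https://jaeger.{DOMAIN}/login",
    },
}


def check_client(client):
    """Return problems with one Keycloak client representation."""
    problems = []
    if client.get("publicClient", True):
        problems.append("access type is public; must be confidential")
    if client.get("directAccessGrantsEnabled", True):
        problems.append("Direct Access Grants are enabled; turn them off")
    uris = client.get("redirectUris") or []
    if not uris:
        problems.append("no Valid Redirect URIs set")
    for uri in uris:
        if urlsplit(uri).scheme != "https":
            problems.append(f"redirect URI {uri} is not https")
        if "*" in uri:
            problems.append(f"redirect URI {uri} contains a wildcard; use the exact /login URL")
    return problems


def check_chain(name, chain, client):
    """Return problems where an Authservice chain disagrees with its Keycloak client."""
    problems = []
    if chain.get("client_id") != client.get("clientId"):
        problems.append(f"chain {name}: client_id {chain.get('client_id')!r} "
                        f"does not match Keycloak clientId {client.get('clientId')!r}")
    if chain.get("client_secret") in PLACEHOLDER_SECRETS:
        problems.append(f"chain {name}: client_secret is still the placeholder; "
                        "paste the value from the Credentials tab")
    callback = chain.get("callback_uri", "")
    host = urlsplit(callback).hostname or ""
    prefix = chain.get("match", {}).get("prefix", "")
    # The :authority prefix match decides which requests the chain handles,
    # so the callback host must fall under it or the code exchange never runs.
    if not host.startswith(prefix):
        problems.append(f"chain {name}: callback host {host!r} does not start with match prefix {prefix!r}")
    if callback not in (client.get("redirectUris") or []):
        problems.append(f"chain {name}: callback_uri {callback!r} is not among the client's Valid Redirect URIs")
    return problems


def check_all(clients=KEYCLOAK_CLIENTS, chains=AUTHSERVICE_CHAINS):
    """Check every chain and its client; an empty list means the values agree."""
    problems = []
    for name, chain in chains.items():
        client = clients.get(name)
        if client is None:
            problems.append(f"chain {name}: no Keycloak client of that name")
            continue
        problems += [f"client {name}: {p}" for p in check_client(client)]
        problems += check_chain(name, chain, client)
    return problems


if __name__ == "__main__":
    for problem in check_all():
        print(problem)
```

Run as-is it reports three problems: the placeholder kiali secret, and the jaeger callback that neither falls under the `tracing.DOMAIN` prefix nor appears in the client's redirect URIs. Feeding it the real values (for example the `clients` JSON exported from the Keycloak admin console and the rendered Authservice values) before a deploy is the intended use.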

2. Utilize the `sso` options for this package:
```
sso:
  enabled: false
  namespace: istio-addons-sso
  selector:
    key: protect
    value: keycloak
```
* Setting `sso.enabled` to true installs an HAProxy container in the defined namespace, which works in conjunction with Authservice to place an OIDC redirect in front of Kiali and Jaeger.
* When `sso.enabled` is set to true, the Kiali and Jaeger VirtualServices are replaced with ones that route to the HAProxy Deployment rather than directly to the services themselves.
* The selector value MUST correspond to the same "selector" value set for Authservice. The default for all is the label `protect: keycloak`.