How to configure SSO (Keycloak OIDC) in k8s with MinIO
This page documents one way to configure SSO (Keycloak as the OIDC provider) for a MinIO tenant running in Kubernetes, here a local kind cluster.
- Expose the OIDC provider (Keycloak) publicly:
- If using Keycloak, you can find a way to set it up in this wiki: https://github.com/cniackz/public/wiki/How-to-test-MinIO-SSO-keycloak
- Once it is running, add a port forward on your home router (modem) so it is reachable from your public IP. For a lab this can be plain HTTP as in the example below; anything beyond a lab should put Keycloak behind HTTPS with a real domain, because MinIO fetches the discovery document and the signing keys (JWKS) from that URL and the browser is redirected there to log in.
- Expose the tenant publicly:
- With a NodePort service, the tenant is exposed on the laptop from the kind cluster. There is one difference from a plain local setup: for the node port you forward from the router, do not bind to localhost but to the laptop's LAN IP address, otherwise the router cannot reach it. In the kind config below only port 30081 is bound that way:
```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  apiServerAddress: "127.0.0.1"
  apiServerPort: 6443
nodes:
- role: control-plane
  extraPortMappings:
  - containerPort: 30080
    hostPort: 30080
    listenAddress: "127.0.0.1"
    protocol: TCP
- role: worker
  extraPortMappings:
  - containerPort: 30081
    hostPort: 30081
    listenAddress: "192.168.0.13"   # the local (LAN) IP address of my MacBook Pro, so the router can forward to it
    protocol: TCP
- role: worker
  extraPortMappings:
  - containerPort: 30082
    hostPort: 30082
    listenAddress: "127.0.0.1"
    protocol: TCP
- role: worker
  extraPortMappings:
  - containerPort: 30083
    hostPort: 30083
    listenAddress: "127.0.0.1"
    protocol: TCP
- role: worker
  extraPortMappings:
  - containerPort: 30084
    hostPort: 30084
    listenAddress: "127.0.0.1"
    protocol: TCP
```
- Then forward that port from your router to the outside world via your public IP, the same way as for Keycloak above.
- Set the OIDC environment variables in the tenant spec:
```yaml
env:
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: 6aabe0ea-8d5f-412c-99f8-63b999ccd281   # lab value; outside a lab, reference a Secret via valueFrom.secretKeyRef
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: openid,profile,email
  - name: MINIO_BROWSER_REDIRECT_URL
    value: "https://72.140.145.27"                 # public IP forwarded to the Console NodePort
  - name: MINIO_SERVER_URL
    value: "https://minio.tenant-lite.svc.cluster.local:443"
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: account
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "http://72.140.145.27/auth/realms/myrealm/.well-known/openid-configuration"   # Keycloak via the same public IP; /auth/realms/ is the pre-17 Keycloak path
```
- Explanation: MINIO_BROWSER_REDIRECT_URL is the Console UI as reached from outside: the public IP, forwarded by the router to the node port, which reaches the Console service in the cluster. The redirect URI you register on the Keycloak client is this URL plus the Console callback path, /oauth_callback.
- Explanation: MINIO_IDENTITY_OPENID_CONFIG_URL is our Keycloak discovery endpoint, exposed publicly thanks to the router port forward and the public IP address. Any OIDC provider that is reachable in the same way works here, for example Auth0. Note that the /auth prefix in the path is the layout of Keycloak versions before 17; newer (Quarkus) Keycloak serves the realm at /realms/myrealm unless it is started with --http-relative-path=/auth.
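Before applying the tenant spec it is worth running a preflight check over the env block: that the URLs use TLS, that the discovery document actually carries the endpoints MinIO needs, that the scopes requested are offered by the provider, and that the client secret is not a literal in the spec. The script below is an added example, not code from this wiki or from MinIO; the discovery document and both env blocks are constructed samples (the "hardened" hostnames and Secret name are assumptions), and in real use you would load the env list from the Tenant spec and fetch the discovery document from MINIO_IDENTITY_OPENID_CONFIG_URL.

```python
"""Preflight check for the MinIO tenant OIDC env vars (added example).

Not code from the wiki or from MinIO. The discovery document and the env
blocks are constructed samples; fetch the real document from
MINIO_IDENTITY_OPENID_CONFIG_URL before applying a Tenant spec.
"""
import json
from urllib.parse import urlparse

LEGACY_REALM_PATH = "/auth/realms/"   # Keycloak < 17 (WildFly) URL layout


def sample_discovery(base):
    """Constructed Keycloak-style discovery document for the realm at `base`."""
    return json.dumps({
        "issuer": base,
        "authorization_endpoint": base + "/protocol/openid-connect/auth",
        "token_endpoint": base + "/protocol/openid-connect/token",
        "jwks_uri": base + "/protocol/openid-connect/certs",
        "scopes_supported": ["openid", "profile", "email", "roles"],
    })


# Constructed sample: the env block from the tenant spec on this page.
LAB_ENV = [
    {"name": "MINIO_IDENTITY_OPENID_CLIENT_SECRET", "value": "6aabe0ea-8d5f-412c-99f8-63b999ccd281"},
    {"name": "MINIO_IDENTITY_OPENID_SCOPES", "value": "openid,profile,email"},
    {"name": "MINIO_BROWSER_REDIRECT_URL", "value": "https://72.140.145.27"},
    {"name": "MINIO_SERVER_URL", "value": "https://minio.tenant-lite.svc.cluster.local:443"},
    {"name": "MINIO_IDENTITY_OPENID_CLIENT_ID", "value": "account"},
    {"name": "MINIO_IDENTITY_OPENID_CONFIG_URL",
     "value": "http://72.140.145.27/auth/realms/myrealm/.well-known/openid-configuration"},
]

# Hardened variant (hostnames and Secret name are assumptions): TLS everywhere,
# current Keycloak path, secret pulled from a Kubernetes Secret instead of inline.
HARDENED_ENV = [
    {"name": "MINIO_IDENTITY_OPENID_CLIENT_SECRET",
     "valueFrom": {"secretKeyRef": {"name": "keycloak-client", "key": "secret"}}},
    {"name": "MINIO_IDENTITY_OPENID_SCOPES", "value": "openid,profile,email"},
    {"name": "MINIO_BROWSER_REDIRECT_URL", "value": "https://minio.example.com"},
    {"name": "MINIO_IDENTITY_OPENID_CLIENT_ID", "value": "minio"},
    {"name": "MINIO_IDENTITY_OPENID_CONFIG_URL",
     "value": "https://sso.example.com/realms/myrealm/.well-known/openid-configuration"},
]


def env_map(env):
    """name -> literal value; entries that use valueFrom map to None."""
    return {e["name"]: e.get("value") for e in env}


def console_redirect_uri(env):
    """Redirect URI to register on the Keycloak client: the Console's /oauth_callback."""
    return env_map(env)["MINIO_BROWSER_REDIRECT_URL"].rstrip("/") + "/oauth_callback"


def check_oidc_env(env, discovery_json):
    """Return a list of findings; an empty list means the spec is safe to apply."""
    findings = []
    vals = env_map(env)
    doc = json.loads(discovery_json)
    cfg_url = vals.get("MINIO_IDENTITY_OPENID_CONFIG_URL") or ""

    # 1. Transport: MinIO fetches discovery and signing keys from these URLs and
    #    the browser is sent to the IdP from the redirect URL. Plain http lets a
    #    network attacker swap the JWKS or read tokens; acceptable only in a lab.
    for name in ("MINIO_IDENTITY_OPENID_CONFIG_URL", "MINIO_BROWSER_REDIRECT_URL"):
        if urlparse(vals.get(name) or "").scheme != "https":
            findings.append(f"{name} is not https")
    if urlparse(doc.get("jwks_uri", "")).scheme != "https":
        findings.append("jwks_uri in discovery document is not https")

    # 2. The document must carry the endpoints MinIO uses, and per OIDC Discovery
    #    the config URL is issuer + /.well-known/openid-configuration.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            findings.append(f"discovery document lacks {key}")
    issuer = doc.get("issuer", "").rstrip("/")
    if issuer and not cfg_url.startswith(issuer + "/.well-known/"):
        findings.append("issuer does not match MINIO_IDENTITY_OPENID_CONFIG_URL")

    # 3. Keycloak 17+ (Quarkus) dropped the /auth prefix unless started with
    #    --http-relative-path=/auth, so the legacy path 404s on a new server.
    if LEGACY_REALM_PATH in cfg_url:
        findings.append("config URL uses the pre-17 Keycloak /auth/realms/ path")

    # 4. Scopes: openid is mandatory for OIDC; anything else must be offered.
    scopes = [s for s in (vals.get("MINIO_IDENTITY_OPENID_SCOPES") or "").split(",") if s]
    if "openid" not in scopes:
        findings.append("MINIO_IDENTITY_OPENID_SCOPES must include openid")
    for s in scopes:
        if s not in doc.get("scopes_supported", []):
            findings.append(f"scope {s} is not offered by the IdP")

    # 5. Secret hygiene: a literal secret in the Tenant spec lands in git and in
    #    etcd in the clear; reference a Secret with valueFrom.secretKeyRef instead.
    if vals.get("MINIO_IDENTITY_OPENID_CLIENT_SECRET") is not None:
        findings.append("client secret is inline; use valueFrom.secretKeyRef")
    return findings


if __name__ == "__main__":
    for label, env in (("lab", LAB_ENV), ("hardened", HARDENED_ENV)):
        base = env_map(env)["MINIO_IDENTITY_OPENID_CONFIG_URL"].split("/.well-known/")[0]
        print(label, "redirect URI to register:", console_redirect_uri(env))
        for f in check_oidc_env(env, sample_discovery(base)):
            print("  -", f)
```

Run against the lab env block from this page it reports four findings (plain http on the config URL and on jwks_uri, the legacy Keycloak path, and the inline secret), all of which are acceptable for a kind test on a laptop and none of which should survive into a real deployment; the hardened variant passes clean.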
- Access using SSO:
In conclusion, the configuration is much the same as on bare metal. The only extra work is exposing the tenant to the outside world and exposing Keycloak, Auth0 or a similar provider on a public, reachable IP or domain. If the SSO provider is already set up, all you need to do is configure the ingress or NodePort for your tenant and have a certificate and domain for it, then log in to the Console with the SSO button.