Red Hat Single Sign-On Administration

Bookmark this page
P123456
PreviousNext

Chapter 5.  Red Hat Single Sign-On on Red Hat OpenShift

Section Install Red Hat Single Sign-On on Red Hat OpenShift
SectionObjectives
SectionInstallation methods for RH-SSO on Red Hat OpenShift
SectionThe RH-SSO Operator
SectionInstall the RH-SSO Operator
SectionInstall RH-SSO by using the Keycloak Custom Resource
SectionAccess the RH-SSO Admin Console
SectionAdvanced Operations with the Keycloak CRD
Guided Exercise: Install Red Hat Single Sign-On on Red Hat OpenShift
Configure Red Hat Single Sign-On on Red Hat OpenShift
Objectives
Configure Red Hat Single Sign-On on Red Hat OpenShift
Choosing between CRDs versus the Admin Console or the Admin CLI
Guided Exercise: Configure Red Hat Single Sign-On on Red Hat OpenShift
Lab: Red Hat Single Sign-On on Red Hat OpenShift
Summary

Abstract

Goal

Install and configure Red Hat Single Sign-On on Red Hat OpenShift.

Objectives

  • Install and configure Red Hat Single Sign-On on Red Hat OpenShift.

Sections

  • Install Red Hat Single Sign-On on Red Hat OpenShift  (and Guided Exercise)

  • Configure Red Hat Single Sign-On on Red Hat OpenShift  (and Guided Exercise)

Lab

  • Red Hat Single Sign-On on Red Hat OpenShift

Install Red Hat Single Sign-On on Red Hat OpenShift

Objectives

  • Install Red Hat Single Sign-On on Red Hat OpenShift.

Installation methods for RH-SSO on Red Hat OpenShift

As previously stated in this course, RH-SSO runs on bare metal or virtualized environments, and on Red Hat OpenShift.

There are two ways to install RH-SSO on Red Hat OpenShift: the Red Hat OpenShift templates, and the RH-SSO operator.

A Red Hat OpenShift template is a YAML or JSON file consisting of a set of Red Hat OpenShift resources. Templates define parameters that you can use to customize the resource configuration. Red Hat OpenShift processes templates by replacing parameter references with values and creating a customized set of resources. Red Hat provides RH-SSO application templates for deploying in Red Hat OpenShift.

The use of RH-SSO Red Hat OpenShift templates is the most mature way to deploy RH-SSO on Red Hat OpenShift. The templates allow a higher level of customization of the RH-SSO deployment, and deploy the software in different versions of Red Hat OpenShift. However, future versions of RH-SSO will deploy on Red Hat OpenShift only by using the RH-SSO operator. Thus, on this course we only cover the installation and configuration by using the RH-SSO operator.

Refer to the references section to learn more about installing RH-SSO on Red Hat OpenShift by using the Red Hat OpenShift templates.

The RH-SSO Operator

You can create Kubernetes custom resources (CR) that automate administrative tasks by using the RH-SSO operator. You can create custom resources as YAML files that define the parameters for the administrative tasks.

In the case of RH-SSO, the custom resource definitions (CRDs) created by the RH-SSO operator include resources to create and configure instances of RH-SSO servers, realms, clients, and users. The following table summarizes the RH-SSO CRDs for Red Hat OpenShift.

Table 5.1. RH-SSO custom resource definitions

NameDescription
Keycloak Deploys an instance of the RH-SSO server along with all dependencies and core configuration.
KeycloakBackup Expresses a desired state (and reflects the status) of the RH-SSO instance backup. The KeycloakBackup CRD is deprecated and no longer supported in production environments.
KeycloakRealm Configures an RH-SSO realm within a specific targeted RH-SSO instance.
KeycloakClient Configures an RH-SSO client within a specific targeted RH-SSO realm.
KeycloakUser Configures a user account within a specific targeted RH-SSO realm.

The use of the RH-SSO operator to deploy RH-SSO on Red Hat OpenShift gives the following benefits to the RH-SSO administrator:

  • Simple management of the number of RH-SSO instances.

  • Automated management of the HTTP infrastructure. Red Hat OpenShift provides the frontal HTTP layer, which balances requests to the different RH-SSO pods.

  • Simple management of the HTTPS certificates.

  • Automated management and creation of the database on Red Hat OpenShift, for testing purposes.

  • Automated updates.

The Red Hat OpenShift operators approach allows you to configure many aspects of the RH-SSO instances declaratively, enabling you to do it in an automated way without human intervention. However, the above set of CRDs does not allow you to fully configure RH-SSO.

In some cases, such as when creating and manipulating groups, roles, and other configuration settings, you must do it by communicating directly to the RH-SSO instance, either by means of the RH-SSO Admin Console, the kcadm.sh CLI tool, or the REST API.

After you create CRs, you can manage them by using the oc command or the RH-SSO Admin Console. If you modify a CR by using the oc command, then you can see the modifications in the RH-SSO Admin Console. However, if you modify an RH-SSO resource through the RH-SSO Admin Console, then you do not see the modifications in the CR. Thus, use only one of the methods.

Install the RH-SSO Operator

You can install the RH-SSO Operator by using either the Red Hat OpenShift web console or the oc command-line tools.

Install the RH-SSO operator with the Red Hat OpenShift Web Console

Log in to your Red Hat OpenShift cluster web console. Navigate to OperatorsOperatorHub to display the list of operators and type Single Sign-On in the Filter by keyword field. Click Red Hat Single Sign-On Operator, and then click Install.

Figure 5.1: RH-SSO operator install

You can choose the installation options in the Install Operator wizard.

Update channel

The RH-SSO operator has alpha and stable, two update channels. Red Hat recommends to use the stable channel.

Installation mode

A specific namespace on the cluster installation mode is selected by default for the RH-SSO operator.

Installed namespace

Select a namespace to install the operator workload to the selected namespace.

Update approval

Red Hat OpenShift updates operators automatically when new versions are available. The manual approval option requires manual intervention to approve the update.

Click Install. The installation can take a few minutes to complete.

Install the RH-SSO Operator with the Command Line Interface

The RH-SSO operator installation requires a namespace, an operator group and a subscription. Create a new rhsso-operator.yaml YAML file with the following content.

apiVersion: project.openshift.io/v1
kind: Project 1
metadata:
  name: <namespace>

---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup 2
metadata:
  namespace: <namespace>
  name: rhsso-operator
spec:
  targetNamespaces:
  -  <namespace>

---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription 3
metadata:
  namespace: <namespace>
  name: rhsso-operator
spec: 4
  channel: stable
  installPlanApproval: Automatic
  name: rhsso-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

1

The YAML code creates a namespace where you install the RH-SSO operator.

2

The YAML code creates an operatorgroup.

3

This YAML code creates the RH-SSO subscription.

4

You can specify the channel, and the installPlanApproval for the RH-SSO subscription.

Use the oc create command to create a namespace, an operatorgroup, and a subscription.

[user@demo ~]$ oc create -f rhsso-operator.yaml
namespace/rhsso created
operatorgroup.operators.coreos.com/rhsso-operator created
subscription.operators.coreos.com/rhsso-operator created

You can verify the installation by using the oc get command.

[user@demo ~]$ oc get csv -n rhsso
NAME                            ...   VERSION         ...   PHASE
rhsso-operator.7.6.1-opr-004    ...   7.6.1-opr-004   ...   Succeeded

Install RH-SSO by using the Keycloak Custom Resource

After the RH-SSO operator installation, you can create the Keycloak custom resource. The Keycloak CR installs RH-SSO on Red Hat OpenShift and creates the following Kubernetes services and components:

Figure 5.2: Keycloak Services and Components

Table 5.2. Keycloak Services and Components

KindDescription
SecretsThe keycloak-db-secret stores the database name, the username, the hostname and the password. You can use this secret to connect the RH-SSO instances to a database external to the operator. The credentials-<CR-Name> secret stores the log in credentials for the RH-SSO Admin Console.
Workloads keycloak-postgresql deployment installs the PostgreSQL database. Keycloak deploys as a Kubernetes stateful set. The Kubernetes stateful set resource provides guarantees about the ordering and uniqueness of the pods.
ServicesThe keycloak service connects the RH-SSO pods through HTTPS. The keycloak-postgresql service exposes the connection to the database to other resources within Red Hat OpenShift. The keycloak-discovery is a service for internal communication between the RH-SSO pods within the stateful set.
RouteThe keycloak route provides the URL to access the RH-SSO Admin Console and the SSO standards endpoints. It performs load balancing for the requests to all the pods in the keycloak service.

See the references section for more information about the stateful set, secret, services, and route Kubernetes components.

Important

The RH-SSO operator only supports a PostgreSQL database as either the internal or external database. The external PostgreSQL database can run on the same Red Hat OpenShift cluster, on another Red Hat OpenShift cluster, or on a different bare-metal or virtualized platform.

You can install the RH-SSO custom resource by using either the Red Hat OpenShift web console or the oc command-line tools.

Install RH-SSO with the Command Line

The following YAML code creates a Keycloak custom resource.

kind: Keycloak
apiVersion: keycloak.org/v1alpha1
metadata:
  name: do313-keycloak 1
  labels:
    app: sso
  namespace: rhsso
spec:
  externalAccess: 2
    enabled: true
    host: <custom host>.apps.ocp4.example.com
  instances: 1 3
  keycloakDeploymentSpec: 4
    imagePullPolicy: Always
  postgresDeploymentSpec: 5
    imagePullPolicy: Always

1

Name of the Keycloak custom resource.

2

If externalAccess is enabled, then the operator creates the route for RH-SSO. The host field gives the option to create a custom host URL.

3

Number of instances for high availability mode.

4

Defines specifications for Keycloak deployment.

5

Defines specifications for PostgreSQL deployment.

Use the oc create command to create a Keycloak custom resource.

[user@demo ~]$ oc create -f do313-keycloak.yaml

You can verify the installation by using the oc get command to retrieve the Keycloak resource.

[user@demo ~]$ oc get keycloak/do313-keycloak -o yaml
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  creationTimestamp: "2023-01-17T16:53:17Z"
  generation: 1
  labels:
    app: sso
  name: do313-keycloak
  namespace: rhsso
  resourceVersion: "135473"
  uid: a52cd419-9f0d-4473-9005-bd422280dac7
spec:
  externalAccess:
    enabled: true
  instances: 1
status:
  credentialSecret: credential-do313-keycloak
  externalURL: https://keycloak-rhsso.apps.ocp4.example.com
  internalURL: https://keycloak.rhsso.svc:8443
  message: ""
  phase: reconciling
  ready: true
  secondaryResources:
    ConfigMap:
    - keycloak-probes
    Deployment:
    - keycloak-postgresql
    Ingress:
    - keycloak
    PersistentVolumeClaim:
    - keycloak-postgresql-claim
    PrometheusRule:
    - keycloak
    Route:
    - keycloak
    - keycloak-metrics-rewrite
    Secret:
    - credential-do313-keycloak
    - keycloak-db-secret
    Service:
    - keycloak-postgresql
    - keycloak
    - keycloak-discovery
    - keycloak-monitoring
    ServiceMonitor:
    - keycloak-service-monitor
    StatefulSet:
    - keycloak
  version: main

The do313-keycloak custom resource is in the reconciling phase, and the YAML output shows resources created by Keycloak CR in the secondaryResources section.

Install the RH-SSO Keycloak Custom Resource by using the Red Hat OpenShift Web Console

Navigate to OperatorsInstalled Operators to display the list of installed operators, and then click Red Hat Single Sign-On Operator. Click Create instance in the Keycloak block.

Figure 5.3: RH-SSO Keycloak create

On the Create Keycloak page, select YAML view to display the web console YAML editor. Update the YAML and then click Create.

Figure 5.4: RH-SSO Keycloak create YAML

The do313-keycloak custom resource shows in the Keycloak tab. Wait for the Status to update from Phase:initialising to Phase:reconciling.

Access the RH-SSO Admin Console

The keycloak route has the RH-SSO URL for the Admin Console, and the credential-<CR> secret has the RH-SSO login credentials.

On the Keycloaks page, click do313-keycloak to display the details of the do313-keycloak custom resource. Select the Resources tab, and click the credential-do313-keycloak secret to retrieve the credentials details. On the Secret details page, scroll down to locate Data, and click Reveal values.

Figure 5.5: The RH-SSO Keycloak custom resource credentials.

The ADMIN_USERNAME value shows admin as the username. Copy the ADMIN_PASSWORD value to use in the log in step.

Navigate to NetworkingRoutes to display the list of routes for the rhsso project.

Click the keycloak route to display the route details. The Location field provides a link to the RH-SSO Admin Console.

Figure 5.6: RH-SSO Keycloak route

You can also retrieve the RH-SSO URL and login credentials from the command line.

[user@demo ~]$ oc get route/keycloak -n rhsso
NAME       HOST/PORT                                ...       TERMINATION   WILDCARD
keycloak   keycloak-rhsso.apps.ocp4.example.com   ...       reencrypt     None
[user@demo ~]$ oc -n rhsso extract secrets/credential-do313-keycloak --to=-
# ADMIN_PASSWORD
uSgqJTe_tHoo9A==
# ADMIN_USERNAME
admin

Click the link to access the RH-SSO Admin Console in a new tab. On the RH-SSO Admin Console, click Administration Console. Then, log in as the admin user with the password retrieved in the preceding step.

Advanced Operations with the Keycloak CRD

Connect to an external database

The RH-SSO operator deploys an instance of PostgreSQL on Red Hat OpenShift. This database is only for testing purposes. Thus, Red Hat recommends replacing it with a production ready external database when deploying RH-SSO in real Red Hat OpenShift clusters. The external database can run on Red Hat OpenShift, or on a different platform.

You can configure the Keycloak CR to define an external database. If the externalDatabase flag in the Keycloak CR is true, then the Keycloak CR reads the keycloak-db-secret parameters to connect to the database. If the flag is true, then the RH-SSO operator creates a keycloak-postgresql service pointing to an external location.

The following is an example of a Kubernetes secret that defines the parameters to connect to an external database:

kind: Secret
apiVersion: v1
metadata:
  name: keycloak-db-secret
stringData:
  POSTGRES_DATABASE: keycloak
  POSTGRES_EXTERNAL_ADDRESS: database_url
  POSTGRES_EXTERNAL_PORT: '5432'
  POSTGRES_PASSWORD: db_password
  POSTGRES_USERNAME: db_user
type: Opaque

The following is an example of a Keycloak CR that sets the flag of the external database:

kind: Keycloak
apiVersion: keycloak.org/v1alpha1
metadata:
name: rh-sso-instance-name
  labels:
    app: sso
spec:
  externalAccess:
    enabled: true
  externalDatabase:
    enabled: true
  instances: 1
Fine configuration of the Keycloak resource

The references section contains the links to perform some advanced operations, such as setting the compute resource requests and limits for the RH-SSO workloads, or adding certificate files to the RH-SSO list of trusted certificates.

References

For more information about the RH-SSO installation by using OpenShift templates, refer to the Red Hat Single Sign-On for OpenShift guide in the RH-SSO 7.6 documentation at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/red_hat_single_sign-on_for_openshift/index

For more information about the RH-SSO Operator installation, refer to the Installing the Red Hat Single Sign-On Operator on a cluster section in the Red Hat Single Sign-On Operator chapter in the RH-SSO 7.6 documentation at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_installation_and_configuration_guide/index#installing-operator

For more information about the OpenShift Operators, refer to the Operators section in the Operators chapter in the Red Hat OpenShift Container Platform 4.10 documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/operators/index

Knowledgebase: "What is the correct channel to use with the Red Hat Single Sign-On (RH SSO) Operator?"

For more information about supported platforms, tested configurations, tested integrations, and OpenShift configurations, see "Supported Configurations: Red Hat Single Sign-On 7.6"

For more information on secrets, refer to the Understanding secrets section in the Working with pods chapter in the Red Hat OpenShift Container Platform 4.10 Nodes documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/nodes/index#nodes-pods-secretsabout_nodes-pods-secrets

For more information on how to manage routes, refer to Configuring Routes chapter in the Red Hat OpenShift Container Platform 4.10 Networking documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/networking/index#configuringroutes

For more information about stateful sets, see "StatefulSets"

For more information about how to connect RH-SSO to an external database with the operator, refer to the Connecting to an external database section in the Red Hat Single Sign-On Operator chapter in the Red Hat Single Sign-On 7.6 documentation at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_installation_and_configuration_guide/index#external_database

Knowledgebase: "How to configure CPU and Memory limits and requests in the Red Hat Single Sign-On (RH SSO) Operator?"

Knowledgebase: "RH-SSO Operator instance: How to add certificates to the RH-SSO truststore"

PreviousNext
Revision: do313-7.6-bc10333