Red Hat Single Sign-On Administration
In other sections of this book you learned about the Keycloak custom resource definition (CRD), which defines the workloads running RH-SSO and the administrator credentials.
After you create a Keycloak custom resource, you must create one or more realms, the clients for those realms, and the users.
The RH-SSO operator defines a CRD for each of those entities, plus one KeycloakBackup CRD.
However, the KeycloakBackup CRD is deprecated and no longer supported in production environments.
The KeycloakRealm resource represents a RH-SSO realm.
It requires an existing Keycloak resource.
You can use the following YAML code to create a KeycloakRealm custom resource.
apiVersion: keycloak.org/v1alpha1 kind: KeycloakRealm metadata: name: rhtraininglabels: app: sso spec: instanceSelector: matchLabels: app: sso
realm:
id: rhtraining
enabled: True displayName: "RH Training Realm" sslRequired: "external" registrationAllowed: True
passwordPolicy: "length(8) and specialChars(1)"
| The name for this custom resource |
| The label selector, which must match a label from an existing |
| All the fields within the |
| The name of the realm. |
| Enables the user registration in the realm. |
| Sets a password policy to force a minimum length of eight characters, and another password policy to force the inclusion of a special character. |
Use the oc create command to create the KeycloakRealm custom resource.
If you store the CRD in a keycloakrealm.yaml file , then you can create a KeycloakRealm custom resource in the rhsso namespace with the following command:
[user@demo ~]$ oc create -f keycloakrealm.yaml -n rhssoNote that if you change any realm configuration by using the RH-SSO Admin Console, then the change persists in the RH-SSO database. However, the change does not reflect in the resource that the operator creates.
The KeycloakClient resource represents a RH-SSO client or application.
It requires an existing KeycloakRealm resource.
You can use the following YAML code to create a KeycloakClient custom resource.
apiVersion: keycloak.org/v1alpha1 kind: KeycloakClient metadata: name: oidc-confidential-clientpublicClient: False
bearerOnly: False serviceAccountsEnabled: True
redirectUris:
- http://finance-webapp.apps.ocp4.example.com/finance/* rootUrl: http://finance-webapp.apps.ocp4.example.com/finance
| The name for the custom resource. |
| The label selector, which must match a label from an existing |
| All the fields within the |
| The client ID in the OIDC standard. |
| The secret for the client.
The RH-SSO operator creates a Kubernetes secret with the following name pattern:
|
| Disables the direct access grant OIDC flow. |
| Set this client as a confidential client. |
| Enable service accounts for this client. |
| The mandatory URIs to return from an authentication and authorization flow. |
If you store the CRD in a keycloakclient.yaml file , then you can create a KeycloakClient custom resource in the rhsso namespace with the following command:
[user@demo ~]$ oc create -f keycloakclient.yaml -n rhssoNote that if you change any client configuration by using the RH-SSO Admin Console, then the change persists in the RH-SSO database. However, the change does not reflect in the resource that the operator creates.
The KeycloakUser resource represents a RH-SSO user.
It requires an existing KeycloakRealm resource.
You can use the following YAML code to create a KeycloakUser custom resource.
apiVersion: keycloak.org/v1alpha1 kind: KeycloakUser metadata: name: user1
| The name for the custom resource. |
| The label selector, which must match a label from an existing |
| All the fields within the |
| List of the user's realm roles. |
If you store the CRD in a keycloakuser.yaml file , then you can create a KeycloakUser custom resource in the rhsso namespace with the following command:
[user@demo ~]$ oc create -f keycloakuser.yaml -n rhssoIf any field in the KeycloakUser resource is not valid, then the user creation fails.
For example, if you use redhat as the password, and the password policies do not allow that word, then the user creation fails.
Note that if you change any client configuration by using the RH-SSO Admin Console, then the change persists in the RH-SSO database. However, the change does not reflect in the resource that the operator creates.
If you choose to deploy RH-SSO by installing the RH-SSO operator, then you must use the Keycloak CRD to create and configure the infrastructure for serving the RH-SSO endpoints.
However, as an RH-SSO administrator, you must choose a coherent way to modify the configuration of the realms, the clients, the roles, and all the other RH-SSO resources.
If you create a realm as a KeycloakRealm resource, then you must modify it only by using the custom resource, not the Admin Console.
For example, if you create a realm by using the RH-SSO admin CLI, then there is not a KeycloakRealm resource available to make modifications on it.
Thus, you can only modify it by using the admin CLI, or the Admin Console.
References
For more information about the RH-SSO Operator CRDs, refer to the Red Hat Single Sign-On Operator chapter in the RH-SSO 7.6 documentation at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_installation_and_configuration_guide/index#operator