Red Hat Single Sign-On Administration

Bookmark this page
P123456
PreviousNext

Lab: Red Hat Single Sign-On on Red Hat OpenShift

  • Deploy and Configure Red Hat Single Sign-On on Red Hat OpenShift.

Outcomes

  • Install Red Hat Single Sign-On on Red Hat OpenShift.

  • Create Keycloak custom resources to configure RH-SSO.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command ensures that RH-SSO is not installed on Red Hat OpenShift and deploys the finance-webapp application.

[student@workstation ~]$ lab start ocp-review

Procedure 5.3. Instructions

  1. Log in to your Red Hat OpenShift cluster as the admin user with the redhat password. Create the rhsso project.

    The web console URL is https://console-openshift-console.apps.ocp4.example.com.

    1. From the workstation machine, navigate to the Red Hat OpenShift web console at https://console-openshift-console.apps.ocp4.example.com. When prompted, click htpasswd_provider and log in as the admin user with the redhat password.

    2. Navigate to HomeProjects and click Create Project. Type rhsso in the Name field and click Create.

  2. Using OperatorHub, install the Red Hat Single Sign-On operator in the ocp4.example.com cluster. Use the rhsso namespace.

    1. Navigate to OperatorsOperatorHub and type Single Sign-On in the Filter by keyword field.

    2. Click Red Hat Single Sign-On Operator, and then click Install.

    3. In the Installed Namespace drop-down menu, ensure that the rhsso namespace is selected. Do not change any field. Then, click Install. The installation can take a few minutes to complete.

    4. Click View Operator to display the Operator details page.

  3. Create the keycloak-db-secret secret in the rhsso namespace that is pointing to the external database by using following parameters:

    Field nameValue
    POSTGRES_DATABASE keycloak
    POSTGRES_EXTERNAL_ADDRESS sso.lab.example.com
    POSTGRES_EXTERNAL_PORT 5432
    POSTGRES_PASSWORD postgres
    POSTGRES_USERNAME postgres

    1. Navigate to WorkloadsSecrets, and ensure that the rhsso namespace is selected.

    2. In the Create drop-down menu select the From YAML option. Then, enter manually the following content:

      kind: Secret
apiVersion: v1
metadata:
  name: keycloak-db-secret
  namespace: rhsso
type: Opaque
stringData:
  POSTGRES_DATABASE: keycloak
  POSTGRES_EXTERNAL_ADDRESS: sso.lab.example.com
  POSTGRES_EXTERNAL_PORT: '5432'
  POSTGRES_PASSWORD: postgres
  POSTGRES_USERNAME: postgres

      Click Create.

  4. Create the do313-keycloak Keycloak custom resource.

    1. Navigate to the OperatorsInstalled Operators menu, and click Red Hat Single Sign-On Operator.

    2. Click Create instance in the Keycloak block.

    3. On the Create Keycloak page, select YAML view to display the web console YAML editor. Update the YAML code as follows and then click Create.

      kind: Keycloak
apiVersion: keycloak.org/v1alpha1
metadata:
  name: do313-keycloak
  labels:
    app: sso
  namespace: rhsso
spec:
  externalAccess:
    enabled: true
  externalDatabase:
    enabled: true
  instances: 1

    4. The do313-keycloak keycloak shows in the Keycloak tab. Wait for the Status to update from Phase:initialising to Phase:reconciling.

      Note

      It takes 5-10 minutes for the Status to update from Phase:initialising to Phase:reconciling.

  5. Create a KeycloakRealm custom resource called review-realm in the ocp4.example.com cluster by using the ~/DO313/labs/ocp-review/01keycloakrealm.yaml file.

    1. Open the terminal application on the workstation machine. Log in to the ocp4.example.com cluster as the admin user.

      [student@workstation ~]$ oc login -u admin -p redhat \
  https://api.ocp4.example.com:6443
Login successful.
...output omitted...

    2. Change to the ~/DO313/labs/ocp-review/ directory.

      [student@workstation ~]$ cd ~/DO313/labs/ocp-review/

    3. Review the file called 01keycloakrealm.yaml to deploy the keycloakRealm custom resource.

      [student@workstation ocp-review]$ cat 01keycloakrealm.yaml
...output omitted...
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: review-realm
  namespace: rhsso
  labels:
    app: sso
    realm: review-realm
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    id: review-realm
    realm: review-realm
    enabled: True
    displayName: "Review Realm"

      The YAML file creates a realm called review-realm in RH-SSO.

    4. Use the oc command to create the review-realm KeycloakRealm custom resource in the rhsso namespace.

      [student@workstation ocp-review]$ oc create -f 01keycloakrealm.yaml
keycloakrealm.keycloak.org/review-realm created

  6. Create a KeycloakClient custom resource called review-client in the ocp4.example.com cluster by using the ~/DO313/labs/ocp-review/02keycloakclient.yaml file. Update the ~/DO313/labs/ocp-review/03keycloakclient.yaml file to create the review-client client and review-client-secret client secret in RH-SSO.

    1. Edit the 02keycloakclient.yaml file to change the following parameters:

      Field nameValue
      name review-client
      clientId review-client
      secret review-client-secret 
      [student@workstation ocp-review]$ vim 02keycloakclient.yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: review-client
  namespace: rhsso
  labels:
    app: sso
    realm: review-realm
    client: review-client
spec:
  realmSelector:
    matchLabels:
      app: sso
      realm: review-realm
  client:
    clientId: review-client
    secret: review-client-secret
    defaultClientScopes:
      - email
      - offline_access
      - profile
      - roles
    implicitFlowEnabled: False
    standardFlowEnabled: True
    redirectUris:
      - http://finance-webapp-review-project.apps.ocp4.example.com/finance/*
    rootUrl: http://finance-webapp-review-project.apps.ocp4.example.com/finance

      The YAML file creates the review-client client in RH-SSO.

      Note

      The finance-webapp application is configured to use the review-client-secret for the quarkus.oidc.credentials.secret.

    2. Use the oc command to create the review-client KeycloakClient custom resource in the rhsso namespace.

      [student@workstation ocp-review]$ oc create -f 02keycloakclient.yaml
keycloakclient.keycloak.org/review-client created

  7. Create a KeycloakUser custom resource called review-user in the ocp4.example.com cluster by using the ~/DO313/labs/ocp-review/03keycloakuser.yaml file. Update the ~/DO313/labs/ocp-review/03keycloakuser.yaml file to create and enable the developer user with the redhat password in RH-SSO.

    1. Edit the 03keycloakuser.yaml file to change the following parameters:

      Field nameValue
      name review-user
      username developer
      credentials:value redhat
      user:enabled True
      [student@workstation ocp-review]$ vim 03keycloakuser.yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
  name: review-user
  namespace: rhsso
  labels:
    app: sso
    realm: review-realm
spec:
  realmSelector:
    matchLabels:
      app: sso
      realm: review-realm
  user:
    username: developer
    credentials:
      - temporary: False
        type: password
        value: redhat
    firstName: developer
    lastName: developer
    email: developer@example.com
    enabled: True
    emailVerified: True
    realmRoles:
      - offline_access

      The YAML file creates the review-user KeycloakUser custom resource. The KeycloakUser custom resource creates and enables a developer user with the redhat password in the RH-SSO.

    2. Use the oc command to create the review-user KeycloakUser custom resource in the rhsso namespace.

      [student@workstation ocp-review]$ oc create -f 03keycloakuser.yaml
keycloakuser.keycloak.org/review-user created

  8. Access the finance-webapp application and retrieve the user access token. The finance-webapp application URL is http://finance-webapp-review-project.apps.ocp4.example.com/finance.

    1. Navigate to the finance-webapp application at http://finance-webapp-review-project.apps.ocp4.example.com/finance.

    2. Click Show my access token to access the token.

    3. Log in as the developer user with redhat as the password. If the configuration is correct, then the page displays the developer user access token.

      Access token

    4. Close all the Firefox windows and change to the /home/student directory.

      [student@workstation ocp-review]$ cd ~
[student@workstation ~]$

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade ocp-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish ocp-review

This concludes the section.

PreviousNext
Revision: do313-7.6-bc10333