EKS Anywhere: enabling KeyCloak OIDC SSO configuration on the clusters
This article is part of the series "EKS Anywhere, extending the Hybrid cloud momentum" by Ambar Hassani (Medium, Apr 2022).
Our scenario includes a KeyCloak server with a self-signed certificate, and we enable OIDC settings when creating an EKS Anywhere cluster so that the Kubernetes API server accepts KeyCloak-issued ID tokens for SSO authentication.
Pre-requisites
- The KeyCloak OIDC server has been created as per this article
- The ubuntu OS template for the clusters has been created as per this article
The above two steps are crucial: they ensure that the self-signed SSL certificate of the KeyCloak server is already present in the trust store of the Ubuntu OS template that the EKS Anywhere cluster nodes will run. The kube-apiserver on the control plane nodes fetches the issuer's OIDC discovery document and signing keys over TLS; if it cannot validate the KeyCloak certificate, every OIDC login fails with an unknown certificate authority error.
Step-1 Prepare the cluster template for OIDC configuration.
Please note that the variables and sed replacements below need to be adjusted for your environment, especially the last statement, which replaces the vSphere folder name.
CLUSTER_NAME=oidctestcluster01
API_SERVER_IP=172.24.165.11
cd $HOME
cp $HOME/eks-anywhere/cluster-samples/cluster-sample.yaml $CLUSTER_NAME-eks-a-cluster.yaml
sed -i "s/workload-cluster-name/$CLUSTER_NAME/g" $HOME/$CLUSTER_NAME-eks-a-cluster.yaml
sed -i "s/management-cluster-name/$CLUSTER_NAME/g" $HOME/$CLUSTER_NAME-eks-a-cluster.yaml
sed -i "s/api-server-ip/$API_SERVER_IP/g" $HOME/$CLUSTER_NAME-eks-a-cluster.yaml
sed -i "s/test-eks-anywhere/eks-anywhere/g" $HOME/$CLUSTER_NAME-eks-a-cluster.yaml
Once the above steps are executed, we have a YAML file for our cluster named oidctestcluster01-eks-a-cluster.yaml.
Now we will need to insert the OIDC configuration statements in this YAML file. To do so, edit the YAML file
nano $HOME/$CLUSTER_NAME-eks-a-cluster.yaml
Insert the code block below directly under the spec: line at the start of the YAML file. This block is a reference that tells the cluster which OIDCConfig object supplies its OIDC settings. Ensure that the YAML indentation is preserved exactly as shown.
  identityProviderRefs:
  - kind: OIDCConfig
    name: oidctestcluster01-oidc
After the above edit, the start of the YAML file will look like this:
ubuntu@eksa-admin:~$ more oidctestcluster01-eks-a-cluster.yaml
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: Cluster
metadata:
  name: oidctestcluster01
spec:
  identityProviderRefs:
  - kind: OIDCConfig
    name: oidctestcluster01-oidc
Next, we insert the code block below, which provides the actual OIDC settings. It is a separate YAML document, so it goes at the end of the cluster's YAML file after a --- separator. Please change the FQDN of the KeyCloak server as per your environment. Two points to check before you proceed: the issuerUrl must be https and must match the iss claim that KeyCloak puts in its tokens exactly (compare it with the realm's .well-known/openid-configuration), and the /auth path prefix shown here applies to KeyCloak releases before 17; the Quarkus-based distribution drops it by default. Because usernameClaim is email, the API server rejects tokens that carry email_verified: false, and since the resulting usernames are used as-is in RBAC bindings, you can also set usernamePrefix (for example keycloak:) in the OIDCConfig so that KeyCloak identities can never collide with other usernames such as system: accounts.
---
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: OIDCConfig
metadata:
  name: oidctestcluster01-oidc
spec:
  clientId: "kube"
  groupsClaim: "groups"
  issuerUrl: "https://keycloak.thecloudgarage.com/auth/realms/master"
  usernameClaim: "email"
You can have a look at the finished template
https://gist.github.com/thecloudgarage/cfe05835f8b06ddbfcf6ce9885e34066
Step-2 Create the OIDC enabled cluster with the modified YAML file
cd $HOME
eksctl anywhere create cluster -f $HOME/$CLUSTER_NAME-eks-a-cluster.yaml
Once the cluster is created, the kube-apiserver static pods on the control plane nodes are started with the corresponding --oidc-issuer-url, --oidc-client-id, --oidc-username-claim and --oidc-groups-claim flags derived from the OIDCConfig above. This can be viewed by describing any of the kube-apiserver pods in the kube-system namespace.
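Before handing the cluster to users, two things are worth verifying: that the control plane actually received the OIDC flags, and that the tokens KeyCloak issues carry the claims the configuration names. The following shell script is an added example and is not part of the original article or of EKS Anywhere. The kube-apiserver manifest excerpt and the tokens it checks are constructed stand-ins so that it runs offline; the --oidc-* flag names are the upstream kube-apiserver flags that EKS Anywhere sets from the OIDCConfig, and the claim checks mirror the ones the API server applies (issuer, audience, username claim, email_verified, groups), minus the signature verification the API server performs against the issuer's JWKS.

```shell
#!/bin/sh
# Added example, not code from the original article. Post-creation checks for an
# OIDC-enabled EKS Anywhere cluster:
#   1. the kube-apiserver manifest carries the --oidc-* flags that EKS Anywhere
#      renders from the OIDCConfig object;
#   2. an ID token issued by KeyCloak carries the claims those flags refer to.
# Inputs are constructed stand-ins so the script runs offline. On a real cluster
# the manifest comes from
#   kubectl -n kube-system get pod -l component=kube-apiserver -o yaml
# and the token from a login against the "kube" client in KeyCloak.
set -eu

# Values from the OIDCConfig object in the article.
ISSUER_URL="https://keycloak.thecloudgarage.com/auth/realms/master"
CLIENT_ID="kube"
USERNAME_CLAIM="email"
GROUPS_CLAIM="groups"

# Constructed excerpt of a kube-apiserver container command list (the flag names
# are upstream kube-apiserver's; the values mirror the OIDCConfig above).
SAMPLE_MANIFEST='    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --oidc-client-id=kube
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.thecloudgarage.com/auth/realms/master
    - --oidc-username-claim=email'

# Fail if any expected --oidc-* flag is absent or carries a different value.
check_apiserver_flags() {
  manifest="$1"
  for flag in "--oidc-issuer-url=$ISSUER_URL" "--oidc-client-id=$CLIENT_ID" \
              "--oidc-username-claim=$USERNAME_CLAIM" "--oidc-groups-claim=$GROUPS_CLAIM"; do
    printf '%s\n' "$manifest" | sed 's/^[[:space:]]*- //' | grep -qxF -- "$flag" \
      || { echo "kube-apiserver is missing $flag" >&2; return 1; }
  done
}

# base64url (RFC 7515, no padding), the encoding of JWT segments.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

# Reverse of the above; base64 -d needs the padding restored first.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Payload (second dot-separated segment) of a compact JWT, as JSON text.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Top-level string claim $1 from payload $2. The tokens here are small, flat
# JSON; for real tokens use jq instead of sed.
claim() { printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"; }

# Mirror the identity checks kube-apiserver applies before it trusts a token:
# iss must equal issuerUrl, aud must match clientId (single-string form only
# here), the username claim must be present, and with usernameClaim=email a
# token carrying email_verified:false is rejected. The signature check (done by
# the API server against the issuer's JWKS) is outside this offline script.
check_token() {
  payload=$(jwt_payload "$1")
  [ "$(claim iss "$payload")" = "$ISSUER_URL" ] || { echo "issuer mismatch" >&2; return 1; }
  [ "$(claim aud "$payload")" = "$CLIENT_ID" ] || { echo "audience mismatch" >&2; return 1; }
  user=$(claim "$USERNAME_CLAIM" "$payload")
  [ -n "$user" ] || { echo "no $USERNAME_CLAIM claim" >&2; return 1; }
  if [ "$USERNAME_CLAIM" = email ] && printf '%s' "$payload" | grep -q '"email_verified":false'; then
    echo "email_verified is false; kube-apiserver will not map $user" >&2; return 1
  fi
  printf '%s' "$payload" | grep -q "\"$GROUPS_CLAIM\":\[" \
    || { echo "no $GROUPS_CLAIM claim; RBAC group bindings will not match" >&2; return 1; }
  echo "user=$user"
}

# Constructed, unsigned sample tokens (the signature segment is a placeholder).
GOOD_PAYLOAD='{"iss":"https://keycloak.thecloudgarage.com/auth/realms/master","aud":"kube","email":"alice@thecloudgarage.com","email_verified":true,"groups":["eks-admins"]}'
BAD_PAYLOAD='{"iss":"https://keycloak.thecloudgarage.com/auth/realms/master","aud":"kube","email":"mallory@example.net","email_verified":false,"groups":["eks-admins"]}'
make_token() {
  printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" "$(b64url_encode "$1")" placeholder
}

# Stand-alone run: both checks pass on the constructed inputs.
check_apiserver_flags "$SAMPLE_MANIFEST"
check_token "$(make_token "$GOOD_PAYLOAD")"
```

On a real cluster, feed check_apiserver_flags the output of kubectl -n kube-system get pod -l component=kube-apiserver -o yaml and check_token an ID token obtained from KeyCloak. A token that fails here will also be rejected by the API server; a token that passes still authorizes nothing until a RoleBinding or ClusterRoleBinding names its user or one of its groups.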
A brief video overviewing the entire procedure is shown below
Our OIDC-enabled EKS Anywhere cluster is fully ready. OIDC only establishes who the caller is; what they may do still comes from RBAC, so we validate the SSO logins via KeyCloak together with the RBAC bindings in the next article.
cheers,
Ambar@thecloudgarage
#iwork4dell