Install Keycloak on APPUiO Zone

This guide describes the steps required to install the APPUiO IdP onto one of the APPUiO Zones (clusters).

This page is a work in progress and doesn't yet contain the final configuration. It also currently configures Keycloak for VSHN AG's purposes; replace IDs and URLs as needed for your setup.

Prerequisites

  • oc version 4.8 or above

  • working Commodore setup

Configure component-keycloak

  1. Log in to the cluster as cluster admin with oc

  2. Add component configuration to Project Syn cluster catalog

    VSHN employees can refer to this step for a shortcut. Be sure to come back here for the next steps.

    applications:
      - keycloak as appuio-keycloak
    parameters:
      appuio_keycloak:
        namespace: appuio-keycloak
        fqdn: id.appuio.cloud
        # Init container that copies the APPUiO Keycloak extensions into a shared
        # volume before the Keycloak container starts.
        extraInitContainers:
          install-extensions:
            # Consider pinning this to a version tag or digest for reproducible deployments.
            image: quay.io/appuio/appuio-keycloak-extensions:latest
            command:
              - sh
            args:
              - -c
              - |
                echo "Copying extension..."
                cp -R /extensions/* /deployments
            volumeMounts:
              - name: extensions
                mountPath: /deployments
        extraVolumes:
          extensions:
            emptyDir: {}
        # The shared volume is mounted into Keycloak's hot-deploy directory,
        # where the copied extensions are picked up at startup.
        extraVolumeMounts:
          extensions:
            mountPath: /opt/jboss/keycloak/standalone/deployments
        helm_values:
          image:
            tag: 15.0.0
          ingress:
            servicePort: http
          # Drop the chart's hard-coded security contexts: on OpenShift the
          # security context constraints (SCC) assign UIDs and fsGroup to the pods.
          podSecurityContext: null
          securityContext: null
          pgchecker:
            securityContext: null
          postgresql:
            securityContext:
              enabled: false
            volumePermissions:
              securityContext:
                runAsUser: auto
              shmVolume:
                chmod:
                  enabled: false

  3. Compile and push the cluster catalog

  4. Wait for Keycloak to start up and visit id.appuio.cloud.

Configure Keycloak

These steps configure Keycloak on a global level and have to be done once per APPUiO Cloud environment.

  1. Extract the password from the keycloak-admin-user secret.

    oc --as cluster-admin -n appuio-keycloak get secret keycloak-admin-user -o jsonpath='{.data.KEYCLOAK_PASSWORD}' | base64 -d; echo

  2. Log in to Keycloak as user admin with the password printed before

  3. Create a new Realm called appuio-cloud

  4. Create a realm role called appuio-zone-access

  5. Create a sync user as described in Configure Group Sync with Keycloak

    VSHN employees can refer to this step instead.

  6. Configure the browser login flow as described in Setup role-based access control for APPUiO Cloud
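
The realm and realm-role steps above (steps 1, 3 and 4) can also be scripted against the Keycloak admin REST API so that a re-run is idempotent. The script below is an added example and is not part of the APPUiO documentation or the component; it assumes the Keycloak 15 `/auth` context path served at `KEYCLOAK_URL`, the `admin-cli` client of the master realm, and the `appuio-keycloak` namespace from the component configuration. The realm settings other than the name (`sslRequired`, `bruteForceProtected`) are defensive defaults chosen for this example, not values taken from the page.

```shell
#!/usr/bin/env sh
# Added example (not from the APPUiO docs): bootstrap the appuio-cloud realm and
# the appuio-zone-access realm role via the Keycloak admin REST API.
# Assumed: Keycloak 15 (/auth context path), admin-cli client, KEYCLOAK_URL env var.

KEYCLOAK_URL="${KEYCLOAK_URL:-https://id.appuio.cloud}"
KEYCLOAK_NAMESPACE="${KEYCLOAK_NAMESPACE:-appuio-keycloak}"
REALM="appuio-cloud"
ZONE_ROLE="appuio-zone-access"

# Read the admin password from the secret created by the component (same as step 1).
admin_password() {
  oc --as cluster-admin -n "$KEYCLOAK_NAMESPACE" get secret keycloak-admin-user \
     -o jsonpath='{.data.KEYCLOAK_PASSWORD}' | base64 -d
}

# Pull the access_token field out of a token endpoint JSON response.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Obtain a short-lived admin token from the master realm (password grant, admin-cli).
admin_token() {
  resp=$(curl -fsS -X POST "$KEYCLOAK_URL/auth/realms/master/protocol/openid-connect/token" \
           -d grant_type=password -d client_id=admin-cli \
           -d username=admin --data-urlencode "password=$1")
  extract_token "$resp"
}

# RealmRepresentation for the new realm; SSL required for external clients and
# brute-force detection enabled are this example's defensive defaults.
realm_payload() {
  printf '{"realm":"%s","enabled":true,"sslRequired":"external","bruteForceProtected":true}' "$1"
}

# RoleRepresentation for the realm role that grants zone access.
role_payload() {
  printf '{"name":"%s","description":"Grants access to APPUiO Zones"}' "$1"
}

# POST a resource; 201 means created, 409 means it already exists (idempotent re-run).
kc_create() {  # $1 token, $2 admin API path, $3 JSON body
  code=$(curl -sS -o /dev/null -w '%{http_code}' -X POST "$KEYCLOAK_URL$2" \
           -H "Authorization: Bearer $1" -H 'Content-Type: application/json' -d "$3")
  case "$code" in
    201) echo "created $2" ;;
    409) echo "exists  $2" ;;
    *)   echo "failed  $2 (HTTP $code)" >&2; return 1 ;;
  esac
}

apply() {
  token=$(admin_token "$(admin_password)")
  [ -n "$token" ] || { echo "could not obtain admin token" >&2; return 1; }
  kc_create "$token" "/auth/admin/realms" "$(realm_payload "$REALM")"
  kc_create "$token" "/auth/admin/realms/$REALM/roles" "$(role_payload "$ZONE_ROLE")"
}

# Only talk to the cluster when invoked with "apply", so the helpers can be sourced offline.
if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it as `./bootstrap-realm.sh apply` while logged in to the cluster with oc. The sync user (step 5) and the browser flow (step 6) are intentionally left to the linked guides, since they depend on the group-sync and RBAC configuration described there.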

For each APPUiO Zone to be added, follow the dedicated Add a Cluster to APPUiO Cloud guide.