How to configure sso Keycloak OIDC in k8s with minio - cniackz/public GitHub Wiki

Objective:

To document a way to configure SSO (Keycloak via OIDC) for a MinIO tenant running in Kubernetes.

Steps:

  1. Expose Keycloak (the OIDC provider) publicly:


  2. Expose the tenant publicly
  • With a NodePort service, kind exposes the port on the laptop. There is one small difference: do not bind the port mapping to localhost but to your local IP address, so that the router can forward traffic to it, as below:
```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  apiServerAddress: "127.0.0.1"
  apiServerPort: 6443
nodes:
  - role: control-plane
    extraPortMappings:
    - containerPort: 30080
      hostPort: 30080
      listenAddress: "127.0.0.1"
      protocol: TCP
  - role: worker
    extraPortMappings:
    - containerPort: 30081
      hostPort: 30081
      listenAddress: "192.168.0.13"  # Notice this is the local IP address of my MacBook Pro
      protocol: TCP
  - role: worker
    extraPortMappings:
    - containerPort: 30082
      hostPort: 30082
      listenAddress: "127.0.0.1"
      protocol: TCP
  - role: worker
    extraPortMappings:
    - containerPort: 30083
      hostPort: 30083
      listenAddress: "127.0.0.1"
      protocol: TCP
  - role: worker
    extraPortMappings:
    - containerPort: 30084
      hostPort: 30084
      listenAddress: "127.0.0.1"
      protocol: TCP
```

  • Then expose that port to the outside world via your public IP, the same way as Keycloak above.
  3. Set the environment variables in the tenant spec:
```yaml
  env:
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: 6aabe0ea-8d5f-412c-99f8-63b999ccd281
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: openid,profile,email
  - name: MINIO_BROWSER_REDIRECT_URL
    value: "https://72.140.145.27"
  - name: MINIO_SERVER_URL
    value: "https://minio.tenant-lite.svc.cluster.local:443"
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: account
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "http://72.140.145.27/auth/realms/myrealm/.well-known/openid-configuration"
```
  • Explanation: MINIO_BROWSER_REDIRECT_URL is the public address of the Console UI: the NodePort service is reached through the kind port mapping, which is in turn forwarded to the public IP.

  • Explanation: MINIO_IDENTITY_OPENID_CONFIG_URL is the Keycloak discovery endpoint, reachable publicly thanks to the port forward and my public IP address. Any SSO provider exposed the same way (Auth0, for example) is configured alike.
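Before applying steps 2 and 3, it is worth checking the two configurations against each other: which kind host ports are bound beyond loopback (and therefore reachable once the router forwards them), and whether the tenant's OpenID variables agree with what the provider's discovery document will say. The script below is an added example, not code from this wiki, MinIO or Keycloak; it uses only the standard library, and the kind node list, tenant env block and discovery document are constructed inline to mirror the page's values (the discovery document's endpoints are assumed, following Keycloak's usual realm URL layout).

```python
"""Pre-flight checks for the kind + MinIO tenant + Keycloak setup above.

Added example, not code from the wiki, MinIO or Keycloak. Standard library only.
All inputs are constructed inline to mirror the page's configuration.
"""
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1"}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed: extraPortMappings from the kind config in step 2, as Python data.
KIND_NODES = [
    {"role": "control-plane", "extraPortMappings": [
        {"containerPort": 30080, "hostPort": 30080, "listenAddress": "127.0.0.1"}]},
    {"role": "worker", "extraPortMappings": [
        {"containerPort": 30081, "hostPort": 30081, "listenAddress": "192.168.0.13"}]},
    {"role": "worker", "extraPortMappings": [
        {"containerPort": 30082, "hostPort": 30082, "listenAddress": "127.0.0.1"}]},
]

# Constructed: the tenant env block from step 3.
TENANT_ENV = [
    {"name": "MINIO_IDENTITY_OPENID_CLIENT_SECRET", "value": "6aabe0ea-8d5f-412c-99f8-63b999ccd281"},
    {"name": "MINIO_IDENTITY_OPENID_SCOPES", "value": "openid,profile,email"},
    {"name": "MINIO_BROWSER_REDIRECT_URL", "value": "https://72.140.145.27"},
    {"name": "MINIO_SERVER_URL", "value": "https://minio.tenant-lite.svc.cluster.local:443"},
    {"name": "MINIO_IDENTITY_OPENID_CLIENT_ID", "value": "account"},
    {"name": "MINIO_IDENTITY_OPENID_CONFIG_URL",
     "value": "http://72.140.145.27/auth/realms/myrealm/.well-known/openid-configuration"},
]

# Constructed: a minimal discovery document as the realm above would serve it (endpoints assumed).
DISCOVERY_DOC = {
    "issuer": "http://72.140.145.27/auth/realms/myrealm",
    "authorization_endpoint": "http://72.140.145.27/auth/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "http://72.140.145.27/auth/realms/myrealm/protocol/openid-connect/token",
    "jwks_uri": "http://72.140.145.27/auth/realms/myrealm/protocol/openid-connect/certs",
}


def exposed_ports(nodes):
    """Host ports that kind binds to a non-loopback address.

    Each of these is reachable from the LAN, and from the internet once the
    router forwards it, so every entry should be a deliberate choice.
    """
    found = []
    for node in nodes:
        for m in node.get("extraPortMappings", []):
            addr = m.get("listenAddress", "0.0.0.0")  # kind binds all interfaces by default
            if addr not in LOOPBACK:
                found.append((m["hostPort"], addr))
    return found


def check_openid_env(env, discovery):
    """Return a list of findings for the tenant's OpenID env; an empty list means OK."""
    e = {item["name"]: item.get("value") for item in env}  # valueFrom entries map to None
    findings = []
    for key in ("MINIO_IDENTITY_OPENID_CONFIG_URL", "MINIO_IDENTITY_OPENID_CLIENT_ID",
                "MINIO_BROWSER_REDIRECT_URL"):
        if key not in e:
            findings.append(f"missing {key}")

    # An ID token is only issued when the 'openid' scope is requested.
    scopes = [s.strip() for s in (e.get("MINIO_IDENTITY_OPENID_SCOPES") or "openid").split(",")]
    if "openid" not in scopes:
        findings.append("MINIO_IDENTITY_OPENID_SCOPES must include 'openid'")

    cfg = e.get("MINIO_IDENTITY_OPENID_CONFIG_URL") or ""
    if not cfg.endswith(DISCOVERY_SUFFIX):
        findings.append("config URL should end with " + DISCOVERY_SUFFIX)
    else:
        # OIDC Discovery defines the config URL as issuer + suffix, and clients must
        # check the token's iss claim against that issuer; a provider whose frontend
        # hostname differs from the public address hands out tokens that fail this check.
        expected_issuer = cfg[: -len(DISCOVERY_SUFFIX)]
        if discovery.get("issuer") != expected_issuer:
            findings.append(f"discovery issuer {discovery.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery:
            findings.append(f"discovery document lacks {key}")

    for key in ("MINIO_IDENTITY_OPENID_CONFIG_URL", "MINIO_BROWSER_REDIRECT_URL"):
        if e.get(key) and urlparse(e[key]).scheme != "https":
            findings.append(f"{key} is not https; the login flow would cross the internet in clear text")

    if e.get("MINIO_IDENTITY_OPENID_CLIENT_SECRET") is not None:
        findings.append("client secret is a literal in the tenant spec; "
                        "prefer a Kubernetes Secret referenced via valueFrom.secretKeyRef")
    return findings


if __name__ == "__main__":
    for port, addr in exposed_ports(KIND_NODES):
        print(f"host port {port} listens on {addr} (non-loopback)")
    for finding in check_openid_env(TENANT_ENV, DISCOVERY_DOC):
        print("finding:", finding)
```

Run against the page's own values it reports the single non-loopback mapping (30081 on 192.168.0.13), the plain-http discovery URL, and the client secret stored as a literal; swapping the secret for a `valueFrom.secretKeyRef` entry and serving Keycloak over https clears both findings, while a discovery document whose `issuer` does not match the config URL is flagged before MinIO ever rejects a token.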

  4. Access the Console using SSO:

Conclusion:

In conclusion, the configuration is much the same as on bare metal; the only extra challenge is exposing the tenant to the outside world and making Keycloak, Auth0 or a similar provider reachable on a public IP or domain. Once the SSO provider is ready, all that remains is to configure the Ingress or NodePort for your tenant and to give it a certificate and domain in the same way.