Authenticating applications using OpenID Connect on K8s using Sidecar - Part 1

This is the first of several articles on application authentication using the industry-standard OAuth 2.0 framework; the examples use its identity layer, OpenID Connect (OIDC).

In Part 1, I cover deploying the open-source Keycloak identity and access management (IAM) server on Kubernetes, adding users, and configuring an OpenID Connect client for the sample web application.

  • Deploy Keycloak on k8s
  • Add user to Keycloak
  • Configure an OpenID-Connect Client

OAuth 2.0 is an authorization framework: it lets a user grant an application scoped access to resources without handing over a password. The grant is represented by two tokens, a short-lived access token that the application presents to protected resources and a longer-lived refresh token used to obtain new access tokens when they expire. OAuth 2.0 by itself does not tell the application who the user is; OpenID Connect adds that, returning a signed ID token carrying the user's identity claims alongside the OAuth 2.0 tokens. Keycloak implements both.

Deploy Keycloak on k8s

kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

Keycloak uses the embedded H2 database by default. H2 lives inside the pod, so everything you configure (realms, users, clients) is lost when the pod is rescheduled; that is acceptable for a demo, but use PostgreSQL or a similar external database in production.
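For reference, the following is an added example manifest (not the quickstart YAML applied above, and not Keycloak project code) of what the production variant looks like for the legacy WildFly-based image this page runs (Keycloak 10.x): the admin credentials come from a Secret instead of the well-known admin/admin default, and the database is PostgreSQL instead of the in-pod H2. The Secret name, the PostgreSQL Service hostname and the placeholder passwords are assumptions to be replaced; the DB_* and KEYCLOAK_* environment variables are those of that image generation and do not apply to the newer Quarkus-based Keycloak images.

```yaml
# Added example, not the quickstart manifest. Assumes a PostgreSQL Service
# reachable as postgres.keycloak.svc.cluster.local and the Secret below.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
type: Opaque
stringData:
  # Placeholders: replace before applying, never ship admin/admin.
  admin-user: keycloak-admin
  admin-password: change-me-to-a-long-random-value
  db-user: keycloak
  db-password: change-me-too
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          # Pinned to the version seen in the startup log on this page.
          image: quay.io/keycloak/keycloak:10.0.2
          env:
            - name: KEYCLOAK_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: admin-user
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: admin-password
            # Point Keycloak at PostgreSQL instead of the embedded H2 file database.
            - name: DB_VENDOR
              value: postgres
            - name: DB_ADDR
              value: postgres.keycloak.svc.cluster.local   # assumed Service name
            - name: DB_PORT
              value: "5432"
            - name: DB_DATABASE
              value: keycloak
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: db-user
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: db-password
            # Needed when TLS is terminated at an ingress/proxy in front of Keycloak.
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
          ports:
            - name: http
              containerPort: 8080
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
spec:
  selector:
    app: keycloak
  # ClusterIP: publish via an ingress with TLS rather than a raw LoadBalancer on 8080.
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: 8080
```

With this shape, a pod restart keeps all realm data in PostgreSQL, and the only place the admin password exists is the Secret, which you can manage with your usual secrets tooling instead of a plain environment value in the manifest.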

You will see log lines like the following once the Keycloak pod is up and running:

11:42:36,205 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
11:42:36,215 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
11:42:36,216 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
11:42:36,216 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 10.0.2 (WildFly Core 11.1.1.Final) started in 100207ms - Started 689 of 994 services (708 services are lazy, passive or on-demand)

To validate that everything is running as expected:

kubectl get all

NAME                            READY   STATUS    RESTARTS   AGE
pod/keycloak-857c59449b-9c2fq   1/1     Running   0          67m

NAME                 TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service/keycloak     LoadBalancer   10.152.183.160   <pending>     8080:31910/TCP   67m

NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/keycloak   1/1     1            1           67m

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/keycloak-857c59449b   1         1         1       67m

The Service is of type LoadBalancer, but on a single-node microk8s cluster no load balancer hands out an address, so EXTERNAL-IP stays <pending>. To open the Keycloak dashboard locally, port-forward the keycloak Service to your machine instead.

PS: I am running microk8s and hence I need to issue microk8s-specific commands.

multipass info microk8s-vm | grep IPv4 | awk '{ print $2 }'

multipass exec microk8s-vm  -- sudo /snap/bin/microk8s kubectl port-forward service/keycloak 8080:8080 --address 0.0.0.0

Voila: the dashboard is now reachable at http://192.168.x.x:8080 (the port-forward maps local 8080 to the Service's 8080; use the IP address of the microk8s VM printed by the first command). Log in with the default credentials (user admin, password admin). Two cautions for anything beyond a lab: --address 0.0.0.0 exposes the forwarded port on every interface of the VM, and admin/admin is a well-known default, so change the admin password right after the first login.

(Screenshot: Keycloak admin dashboard)

Part 2 will cover building a sample web application, deploying it to the k8s cluster with a sidecar, and configuring the application to use OpenID Connect against this Keycloak instance.
