Ensure docker, k3d and ngrok are installed.

```shell
brew update
brew install --cask docker ngrok
brew install k3d
```

Versions in use:
```shell
$ docker version
Client:
 Cloud integration: 1.0.14
 Version:           20.10.6
Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
$ k3d version
k3d version v4.4.6
```

Create a single-server cluster that publishes ports 80 and 443 through the k3d load balancer and skips the bundled Traefik, since we install ingress-nginx ourselves:

```shell
k3d cluster create keycloak --servers 1 \
  --port 443:443@loadbalancer \
  --port 80:80@loadbalancer \
  --api-port 6443 --k3s-server-arg '--no-deploy=traefik'
```

Run ngrok http 80 to create a temporary domain, tunneling your port 80 traffic.
We'll set a fake domain in our /etc/hosts just for kicks:

```shell
echo "127.0.0.1 k3d.local" | sudo tee -a /etc/hosts
```

Use official Helm repo:

```shell
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
```

Install chart:

```shell
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --wait --version 3.34.0 --set-string controller.config.ssl-redirect=false
```

Running curl http://k3d.local should respond with "404 Not Found".
Let's use codecentric Helm repo:

```shell
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
```

Create a keycloak-values.yaml with custom values:

```yaml
image:
  tag: 14.0.0
postgresql:
  enabled: false
ingress:
  enabled: true
  rules:
    - host: 4eeaf28b49b8.ngrok.io
      paths: [ / ]
  tls: []
  console:
    enabled: true
    rules:
      - host: 4eeaf28b49b8.ngrok.io
        paths: [ /auth/admin ]
    tls: []
extraEnv: |
  - name: KEYCLOAK_FRONTEND_URL
    value: https://4eeaf28b49b8.ngrok.io/auth
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KEYCLOAK_USER
    value: admin
  - name: KEYCLOAK_PASSWORD
    value: admin
```

Install chart:

```shell
helm install keycloak codecentric/keycloak \
  --version 11.0.1 -f keycloak-values.yaml --wait
```

A realm in Keycloak is the equivalent of a tenant. It allows creating isolated
groups of applications and users. By default there is a single realm in Keycloak
called master. This is dedicated to managing Keycloak itself and should not be used for
your own applications. Let's create our first realm.
- Open browser at https://4eeaf28b49b8.ngrok.io and click on "Administrative Console"
- Login with admin/admin
- Hover the mouse over the drop-down in the top-left corner where it says Master, then click on Add realm
- Fill in the form with the following values:
  - Name: myrealm
- Click Create
Initially there are no users in a new realm, so let's create one:
- Open the Keycloak Admin Console
- Click Users (left-hand menu)
- Click Add user (top-right corner of table)
- Fill in the form with the following values:
  - Username: myuser
  - First Name: Your first name
  - Last Name: Your last name
- Click Save
The user will need an initial password set to be able to login. To do this:
- Click Credentials (top of the page)
- Fill in the Set Password form with a password
- Click ON next to Temporary to prevent having to update password on first login
Let’s now try to login to the account console to verify the user is configured correctly.
- Open the Keycloak Account Console at https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/account
- Login with myuser and the password you created earlier
You should now be logged-in to the account console where users can manage their accounts.
Let's try to secure our first application. First step is to register this application with your Keycloak playground instance:
- Open the Keycloak Admin Console
- Click 'Clients'
- Fill in the form with the following values:
  - Client ID: myclient
  - Client Protocol: openid-connect
  - Root URL: https://www.keycloak.org/app/
- Click Save
To make it easy for you we have a SPA testing application available on the Keycloak website.
Open https://www.keycloak.org/app/. Change Keycloak URL to the URL of your Keycloak instance. Click Save.
Now you can click Sign in to authenticate to this application using the Keycloak server you started earlier.
First, create a new client in your Keycloak:
- Open the Keycloak Admin Console
- Click 'Clients'
- Fill in the form with the following values:
  - Client ID: myapp
  - Client Protocol: openid-connect
  - Root URL: http://4eeaf28b49b8.ngrok.io/oauth2
- Click Save
- Change:
  - Access Type to 'Confidential'
  - Valid Redirect URIs, add '*'
- Click Save
- Take note of the Secret under the client's 'Credentials' tab.
- Create a mapper with Mapper Type 'Group Membership' and Token Claim Name 'groups'.

The '*' redirect URI is fine for this throwaway playground; on an instance other people can reach, restrict it to the oauth2-proxy callback URL, because a wildcard lets the authorization code be sent to any redirect target an attacker chooses.
Use official Helm repo:

```shell
helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
helm repo update
```

Create an oauth2proxy-values.yaml with custom values:

```yaml
image:
  tag: "v7.1.3"
ingress:
  enabled: true
  path: /oauth2
  hosts:
    - 4eeaf28b49b8.ngrok.io
config:
  clientID: myapp
  clientSecret: "<client secret from 'credentials' tab in myapp client>"
  cookieSecret: "UlpPOE8wWUo3cmZtRGxDRllXUmd2bEhaN1VXcGxFclI="
extraArgs:
  provider: keycloak
  scope: address
  login-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/auth
  redeem-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/token
  profile-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/userinfo
  validate-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/userinfo
```

Install chart:

```shell
helm install oauth2-proxy oauth2-proxy/oauth2-proxy \
  --version 3.3.2 -f oauth2proxy-values.yaml --wait
```

Now navigate to https://4eeaf28b49b8.ngrok.io/oauth2 and complete sign-in.
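The four endpoint URLs above are typed by hand and the cookie secret is a fixed base64 string, so two things go wrong in practice: a URL drifts from the realm name, or the secret does not decode to a length oauth2-proxy accepts and the pod crash-loops. The following POSIX shell helper is an added example for this post (not part of the original or of the oauth2-proxy project); it derives the endpoints from the Keycloak host and realm, validates that a cookie secret decodes to 16, 24 or 32 bytes, generates a fresh one, and renders the config/extraArgs section. The host, realm and client id are the ones used above; the client secret is passed in as a parameter.

```shell
#!/usr/bin/env sh
# Added helper for this post; not part of the original or of oauth2-proxy.

# Build one openid-connect endpoint from the Keycloak host and realm name,
# so login/redeem/profile/validate URLs cannot drift apart in the values file.
# $1 = https://host, $2 = realm, $3 = endpoint (auth, token or userinfo).
oidc_endpoint() {
  printf '%s/auth/realms/%s/protocol/openid-connect/%s\n' "$1" "$2" "$3"
}

# oauth2-proxy accepts a cookie secret of exactly 16, 24 or 32 bytes once
# the base64 wrapping is removed (AES key sizes); anything else is rejected
# at start-up and the pod crash-loops. Print the decoded length in bytes.
cookie_secret_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Return 0 when the secret has an acceptable decoded length.
check_cookie_secret() {
  case "$(cookie_secret_bytes "$1")" in
    16|24|32) return 0 ;;
    *) return 1 ;;
  esac
}

# Generate a fresh 32-byte secret in the base64 form the values file expects.
new_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Render the config/extraArgs section of oauth2proxy-values.yaml.
# $1 = host, $2 = realm, $3 = client id, $4 = client secret, $5 = cookie secret.
render_values() {
  check_cookie_secret "$5" || { echo "bad cookie secret length" >&2; return 1; }
  base="https://$1"
  cat <<EOF
config:
  clientID: $3
  clientSecret: "$4"
  cookieSecret: "$5"
extraArgs:
  provider: keycloak
  login-url: $(oidc_endpoint "$base" "$2" auth)
  redeem-url: $(oidc_endpoint "$base" "$2" token)
  profile-url: $(oidc_endpoint "$base" "$2" userinfo)
  validate-url: $(oidc_endpoint "$base" "$2" userinfo)
EOF
}
```

Run `render_values 4eeaf28b49b8.ngrok.io myrealm myapp "$CLIENT_SECRET" "$(new_cookie_secret)"` and paste the output over the matching keys in the values file; the image and ingress keys are unchanged.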
You can protect any ingress resource with OAuth2 by adding the auth-url and auth-signin annotations, for example (a fragment from a Helm template, where auth{{ .Values.dnsDomain }} is the host oauth2-proxy is served on; ingress-nginx sends a subrequest to auth-url for every request and redirects the browser to auth-signin when that subrequest answers 401):

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth{{ .Values.dnsDomain }}/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth{{ .Values.dnsDomain }}/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
```