Closed LindseySaari closed 2 years ago
1. Install helm via brew: `brew install helm`
2. Use this guide to set up keycloak via helm.
   Note: You might have to use `$ helm install keycloak codecentric/keycloak` instead of `$ helm install --name keycloak codecentric/keycloak`
3. Create this ingress route.
4. Run `kubectl apply -f name_of_file.yml`
5. Create a /etc/hosts entry for `127.0.0.1 keycloak.keycloak.example.com`
6. Keycloak will be available at http://keycloak.keycloak.example.com:8080
   `kubectl port-forward keycloak-0 8080`
7. Expose this url via ngrok: `ngrok http http://keycloak.keycloak.example.com:8080` or `ngrok http http://localhost:8080`
8. Import the realm into keycloak: go to platform-console-api, branch_name: lhattamer-no-token-exp, db/seeds/argo-keycloak-realm.json
9. Keycloak admin: username: admin, password: password. Keycloak sign in from platform-console: keycloak_user@example.com, password: password
1. Follow this guide for the Argo setup.
2. Create the argocd configmap below and run `kubectl apply -f name_of_configmap_file.yml`

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-cm","namespace":"argocd"}}
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  accounts.test_user: apiKey, login
  url: http://argocd.local.com
  oidc.config: |
    name: Keycloak
    issuer: http://d50c-131-150-139-119.ngrok.io/auth/realms/Twilight
    clientID: argocd
    requestedScopes: ["openid", "profile", "email", "groups"]
```
3. Create the RBAC configmap below and run `kubectl apply -f name_of_rbac_file.yml`

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-rbac-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-rbac-cm","namespace":"argocd"}}
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    g, test_user, role:org-admin
    p, admin, clusters, get, */*, allow
    p, admin, clusters, create, */*, allow
    p, admin, clusters, update, */*, allow
    p, admin, clusters, delete, */*, allow
    p, admin, projects, get, */*, allow
    p, admin, projects, create, */*, allow
    p, admin, projects, update, */*, allow
    p, admin, projects, delete, */*, allow
    p, admin, applications, get, *, allow
    p, admin, applications, create, */*, allow
    p, admin, applications, update, */*, allow
    p, admin, applications, delete, */*, allow
    p, admin, applications, sync, */*, allow
    p, admin, repositories, get, */*, allow
    p, admin, repositories, create, */*, allow
    p, admin, repositories, update, */*, allow
    p, admin, repositories, delete, */*, allow
    p, admin, certificates, get, */*, allow
    p, admin, certificates, create, */*, allow
    p, admin, certificates, update, */*, allow
    p, admin, certificates, delete, */*, allow
    p, admin, accounts, get, */*, allow
    p, admin, accounts, create, */*, allow
    p, admin, accounts, update, */*, allow
    p, admin, accounts, delete, */*, allow
    p, admin, gpgkeys, get, */*, allow
    p, admin, gpgkeys, create, */*, allow
    p, admin, gpgkeys, update, */*, allow
    p, admin, gpgkeys, delete, */*, allow
    g, ArgoCDAdmins, admin
  policy.default: role:''
```
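To see what the policy.csv above actually grants (and what `policy.default: role:''` withholds from anyone not listed), here is an added offline evaluator, written for this issue and not part of Argo CD or the platform repos. It re-implements the decision rule of Argo CD's Casbin model as I understand it (a request is allowed when some matching rule allows it and no matching rule denies it; a user with no matching rule is evaluated as the default role instead), with glob matching approximated by `fnmatch`, which is an assumption. The embedded policy is an abbreviated copy of the one above plus one constructed `deny` line, added only to show that deny wins over allow.

```python
"""Offline evaluator for Argo CD-style RBAC policy.csv lines (added example)."""
import fnmatch
from dataclasses import dataclass

# Constructed input: a subset of the argocd-rbac-cm policy above, plus one
# constructed deny line (not in the original) to show deny precedence.
POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, applications, delete, prod/*, deny
g, test_user, role:org-admin
p, admin, clusters, get, */*, allow
p, admin, clusters, delete, */*, allow
p, admin, applications, delete, */*, allow
g, ArgoCDAdmins, admin
"""
# policy.default: role:'' from the configmap. No p line names this role, so a
# user who matches nothing else ends up with no permissions at all.
POLICY_DEFAULT = "role:''"


@dataclass(frozen=True)
class Rule:
    subject: str
    resource: str
    action: str
    obj: str
    effect: str


def parse_policy(csv_text):
    """Split policy.csv into p rules and a map of subject -> granted roles."""
    rules, grants = [], {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            rules.append(Rule(*parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            grants.setdefault(parts[1], set()).add(parts[2])
        else:
            raise ValueError(f"malformed policy line: {line!r}")
    return rules, grants


def subjects_for(user, grants):
    """The user plus every role reachable through g lines (transitively)."""
    seen, stack = set(), [user]
    while stack:
        subject = stack.pop()
        if subject in seen:
            continue
        seen.add(subject)
        stack.extend(grants.get(subject, ()))
    return seen


def _decide(subjects, resource, action, obj, rules):
    """None when no rule matches; otherwise allow-and-not-deny."""
    matched = [
        r for r in rules
        if r.subject in subjects
        and fnmatch.fnmatchcase(resource, r.resource)
        and fnmatch.fnmatchcase(action, r.action)
        and fnmatch.fnmatchcase(obj, r.obj)
    ]
    if not matched:
        return None
    return (any(r.effect == "allow" for r in matched)
            and not any(r.effect == "deny" for r in matched))


def is_allowed(user, resource, action, obj, policy, default_role=POLICY_DEFAULT):
    rules, grants = policy
    decision = _decide(subjects_for(user, grants), resource, action, obj, rules)
    if decision is None and default_role:
        # nothing matched the user: fall back to the default role (assumption:
        # this mirrors how Argo CD applies policy.default)
        decision = _decide(subjects_for(default_role, grants), resource, action, obj, rules)
    return bool(decision)


def demo():
    """A few requests a practitioner would check before trusting this policy."""
    policy = parse_policy(POLICY_CSV)
    checks = {
        "test_user sync app":        ("test_user", "applications", "sync", "default/guestbook"),
        "test_user delete prod app": ("test_user", "applications", "delete", "prod/payments"),
        "test_user delete cluster":  ("test_user", "clusters", "delete", "https://kubernetes.default.svc"),
        "ArgoCDAdmins delete app":   ("ArgoCDAdmins", "applications", "delete", "default/guestbook"),
        "unlisted user get app":     ("stranger", "applications", "get", "default/guestbook"),
    }
    return {name: is_allowed(*args, policy) for name, args in checks.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} -> {'allow' if allowed else 'deny'}")
```

The point to notice is the last case: because the default role grants nothing, an SSO user whose Keycloak account is not listed in a `g` line (or whose `groups` claim does not map to one) can log in but cannot see a single application, which is the safe default for a shared instance.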
1. Install helm via brew: `brew install helm`
2. Use this guide to set up keycloak via helm.
3. Create this ingress route.
4. Run `kubectl apply -f name_of_file.yml`
5. Create a /etc/hosts entry for `127.0.0.1 keycloak.keycloak.example.com`
6. Keycloak will be available at http://keycloak.keycloak.example.com:8080
   `kubectl port-forward keycloak-0 8080`
7. Expose this url via ngrok: `ngrok http http://keycloak.keycloak.example.com:8080`
Edit the argo configmap created in the Keycloak/Argo setup - Step 1.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-cm","namespace":"argocd"}}
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  url: http://localhost:8080
  admin.enabled: "false"
  dex.config: |
    connectors:
    - type: github
      id: github
      name: Github
      config:
        issuer: https://github.com
        clientID: gitHubClientId
        clientSecret: $oidc.github.clientSecret
    - type: oidc
      id: keycloak
      name: Keycloak
      config:
        issuer: http://e939-2605-a601-afa7-9c00-5cdc-6b67-8d30-1d9b.ngrok.io/auth/realms/Twilight
        clientID: account
        requestedScopes: ["openid", "profile", "email"]
```

Run `$ kubectl apply -f name_of_configmap_file.yml`

Follow these steps for creating a Github client and client secret here.

Create and apply a secret for your Github and Keycloak client secret.

Branch name: lhattamer-no-token-exp
Realm name: db/seeds/argo-keycloak-realm.json

omniauth.rb, tweak the site to your ngrok url. Note: anytime that you restart ngrok you will have to update the path in omniauth.rb along with the argocd configmap.

You have a typo in your ingress: `heycloak-http` should be `keycloak-http`
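Both configmaps above pin an `issuer` URL that changes every time ngrok restarts, and the Description below relies on reusing the Keycloak token for Argo API calls. The following added example, which is mine and not code from Argo CD, Keycloak or the platform repos, shows the checks a relying party performs before trusting such an ID token and why a stale issuer silently breaks login: the signature must verify, `iss` must equal the configured issuer exactly, `aud` must contain the configured `clientID`, and `exp` must be in the future. The token, the shared key and the timestamps are constructed; a real Keycloak token is RS256-signed and verified against the realm's JWKS, and HMAC-SHA256 with a constructed secret stands in for that step here. The two issuer URLs and the `argocd` client ID are taken from the configmaps above.

```python
"""Relying-party checks on an OIDC ID token (added example, constructed inputs)."""
import base64
import hashlib
import hmac
import json
import time

# Values from the configmaps above: the issuer before and after an ngrok restart.
ISSUER = "http://d50c-131-150-139-119.ngrok.io/auth/realms/Twilight"
STALE_ISSUER = "http://e939-2605-a601-afa7-9c00-5cdc-6b67-8d30-1d9b.ngrok.io/auth/realms/Twilight"
CLIENT_ID = "argocd"
# Constructed stand-in for the realm's signing key (real Keycloak: RS256 + JWKS).
KEY = b"constructed-shared-secret-for-the-example"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims, key):
    """Mint a compact JWS (HS256) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, key, issuer, client_id, now=None):
    """Return (ok, reason). Every check is one the IdP config must satisfy."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a token announcing alg=none or a different alg is rejected
    # before its signature is even looked at.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    # OIDC requires an exact string match on iss: a restarted ngrok tunnel
    # yields a new hostname, so a configmap left pointing at the old one fails here.
    if claims.get("iss") != issuer:
        return False, f"issuer mismatch: token {claims.get('iss')!r} vs configured {issuer!r}"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return False, f"aud {aud} does not include client {client_id!r}"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def demo(now=1_700_000_000):
    """Constructed token checked against the current and the stale issuer."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "keycloak_user@example.com",
              "exp": now + 300}
    token = sign_token(claims, KEY)
    return {
        "current issuer": verify_token(token, KEY, ISSUER, CLIENT_ID, now),
        "stale issuer":   verify_token(token, KEY, STALE_ISSUER, CLIENT_ID, now),
        "wrong client":   verify_token(token, KEY, ISSUER, "account", now),
        "wrong key":      verify_token(token, b"other-key", ISSUER, CLIENT_ID, now),
        "expired":        verify_token(token, KEY, ISSUER, CLIENT_ID, now + 600),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:15s} -> {'accept' if ok else 'reject'}: {reason}")
```

The "wrong client" case is worth keeping in mind with the two configmaps above: the direct `oidc.config` uses `clientID: argocd` while the Dex connector uses `clientID: account`, and a token minted for one audience will not be accepted by the other.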
Would it be easier to add the keycloak helm chart to this repo: https://github.com/department-of-veterans-affairs/platform-argocd-local in the way we use them in the application manifests repository, and then allow it to be installed by Argo, rather than installing it first?
I am currently using the platform-argocd-local repo. I have Keycloak running locally though. I believe the setup would be the same for the platform repo.
Description
Since we are using Keycloak as an SSO OIDC provider for both platform-console and Argo, we will be able to use the token returned from Keycloak to make Argo API calls from platform console.
Acceptance Criteria
https://github.com/department-of-veterans-affairs/platform-console-api/pull/186