deployKF / website

the website for deployKF
https://www.deploykf.org/
Apache License 2.0

Getting OIDC connector working with keycloak #62

Closed EPNSED closed 11 months ago

EPNSED commented 11 months ago

I'm trying to follow the documentation provided here, I'm trying to connect to our local keycloak instance

https://www.deploykf.org/guides/platform/deploykf-authentication/#external-identity-providers

I was able to get everything working if I put everything in the value file as plain text, however, I'm having a hard time using the secrets. I apologize if this is a basic question, but I'm having a hard time here.

Documentation has the following,

## NOTE:
##  - the `configExistingSecretKey` key in the secret must
##    contain a string of YAML that is formatted the same
##    as the CONTENTS of the `config` map key above
#configExistingSecret: "my-dex-connector-secret"
#configExistingSecretKey: "google-config"

This is how I create the secret

echo -n '
config:
    issuer : "https://xxxx.rs.gsu.edu/auth/realms/xxxx"
    clientID : "kubeflow"
    clientSecret : "xxxx-xxx-xxx-xxxx"
    redirectURI : "https://xxxx.rs.gsu.edu:8443/dex/callback" ' | base64

Then I used the value created from the above step and created a key using the following definition

apiVersion: v1
kind: Secret
metadata:
  name: my-dex-connector-secret
  namespace: kubeflow
type: Opaque
data:
  SecretKey: c3BlYzoKICAgICAgICAgIXXXXXXXXXXXX

I added the following to the values.yaml file

connectors:
        - type : "oidc"
          id : "kubeflow"
          name : "GSU Credentials" 
          configExistingSecret: "my-dex-connector-secret"
          configexistingSecretKey: "SecretKey"

What am I doing wrong here?

thesuperzapper commented 11 months ago

@EPNSED first, ensure you are using configExistingSecretKey NOT configexistingSecretKey (capitalization matters).

Second, the secret should contain the CONTENT of the dex config, not the "config:" part itself.

Also, you might not know this, but there is a special stringData write-only field in Secrets (which kubectl automatically translates to base64 encoded fields in data), so you could use something like this to save time:

apiVersion: v1
kind: Secret
metadata:
  name: my-dex-connector-secret
  namespace: kubeflow
type: Opaque
stringData:
  SecretKey: |
    issuer : "https://xxxx.rs.gsu.edu/auth/realms/xxxx"
    clientID : "kubeflow"
    clientSecret : "xxxx-xxx-xxx-xxxx"
    redirectURI : "https://xxxx.rs.gsu.edu:8443/dex/callback"
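
An added consistency check for the two mistakes in this thread (my example, not deployKF's own code): it takes the connector entry and the Secret, rejects a lowercase `configexistingSecretKey`, reads `stringData` or base64-decodes `data`, and flags a payload that still wraps the fields under `config:`. It assumes the flat `key : "value"` layout shown above rather than full YAML, and all hostnames and secrets in it are constructed placeholders.

```python
import base64
import re

# Fields a Dex "oidc" connector needs in its `config` (the ones used in the thread).
REQUIRED_OIDC_FIELDS = ("issuer", "clientID", "clientSecret", "redirectURI")

def secret_payload(secret, key):
    """Return the string stored under `key`, from stringData or base64 `data`."""
    if key in secret.get("stringData", {}):
        return secret["stringData"][key]
    if key in secret.get("data", {}):
        return base64.b64decode(secret["data"][key]).decode()
    return None

def parse_flat_yaml(text):
    """Parse flat `key : "value"` lines as used in the docs; not a full YAML parser."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z]+)\s*:\s*"?([^"]*)"?\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_connector(connector, secret):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    key_name = connector.get("configExistingSecretKey")
    if key_name is None:
        # Catches the capitalization slip from the issue (configexistingSecretKey).
        near_miss = [k for k in connector if k.lower() == "configexistingsecretkey"]
        return [f"configExistingSecretKey not set (keys are case-sensitive): {near_miss}"]
    if connector.get("configExistingSecret") != secret["metadata"]["name"]:
        problems.append("configExistingSecret does not match the Secret's metadata.name")
    payload = secret_payload(secret, key_name)
    if payload is None:
        return problems + [f"Secret has no key named {key_name!r}"]
    fields = parse_flat_yaml(payload)
    if "config" in fields:
        problems.append("payload wraps the fields under 'config:'; store only its contents")
    problems += [f"missing oidc field {f!r}" for f in REQUIRED_OIDC_FIELDS if f not in fields]
    return problems

# Constructed samples mirroring the issue: the broken pair and the corrected pair.
BROKEN_CONNECTOR = {"type": "oidc", "id": "kubeflow", "configExistingSecret": "my-dex-connector-secret",
                    "configexistingSecretKey": "SecretKey"}
BROKEN_SECRET = {"metadata": {"name": "my-dex-connector-secret"}, "data": {"SecretKey": base64.b64encode(
    b'config:\n    issuer : "https://idp.example/auth/realms/x"\n    clientID : "kubeflow"\n').decode()}}
FIXED_CONNECTOR = dict(BROKEN_CONNECTOR, configExistingSecretKey="SecretKey")
del FIXED_CONNECTOR["configexistingSecretKey"]
FIXED_SECRET = {"metadata": {"name": "my-dex-connector-secret"}, "stringData": {"SecretKey":
    'issuer : "https://idp.example/auth/realms/x"\nclientID : "kubeflow"\n'
    'clientSecret : "placeholder"\nredirectURI : "https://kf.example:8443/dex/callback"\n'}}
```

Running `check_connector(FIXED_CONNECTOR, FIXED_SECRET)` returns an empty list, while the broken pair reports the key-name slip and the `config:` wrapper.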

EPNSED commented 11 months ago

Thanks @thesuperzapper. It worked. Do you have an architecture diagram somewhere? Although authentication is successful, I'm still getting an internal server error (500 error). I'm trying to debug this. It would be very useful to have an architecture diagram. Please feel free to close this ticket though. Authentication works now.