mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
36 lines
1.3 KiB
Plaintext
36 lines
1.3 KiB
Plaintext
// Module is included in the following assemblies:
|
|
//
|
|
// *
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="keycloak-identity-brokering-with-openshift-oauthclient_{context}"]
|
|
= Keycloak Identity Brokering with {product-title}
|
|
|
|
You can configure a Keycloak instance to use {product-title} for authentication through Identity Brokering. This allows for Single Sign-On (SSO) between the {product-title} cluster and the Keycloak instance.
|
|
|
|
.Prerequisites
|
|
|
|
* `jq` CLI tool is installed.
|
|
|
|
|
|
.Procedure
|
|
|
|
. Obtain the {product-title} API URL:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl -s -k -H "Authorization: Bearer $(oc whoami -t)" https://<openshift-user-facing-api-url>/apis/config.openshift.io/v1/infrastructures/cluster | jq ".status.apiServerURL".
|
|
----
|
|
+
|
|
[NOTE]
|
|
====
|
|
The address of the {product-title} API is often protected by HTTPS. Therefore, you must configure X509_CA_BUNDLE in the container and set it to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. Otherwise, Keycloak cannot communicate with the API Server.
|
|
====
|
|
|
|
. In the Keycloak server dashboard, navigate to *Identity Providers* and select *Openshift v4*. Specify the following values:
|
|
*Base Url*:: {product-title} 4 API URL
|
|
*Client ID*:: `keycloak-broker`
|
|
*Client Secret*:: A secret that you want define
|
|
+
|
|
Now you can log in to Argo CD with your {product-title} credentials through Keycloak as an Identity Broker.
|