Red Hat Single Sign-On Operator
If you already have a Keycloak instance running, consider using that and proceed with installing MongoDB. See also mandatory configuration on which configuration values of your Keycloak installation you need to gather for the installation of IBM Industry Solutions Workbench.
To complete this task, you must be a cluster administrator. To prevent issues with PVCs, a default storage class must be set.
Install Red Hat Single Sign-On Operator from the OperatorHub
As a cluster administrator, install the Keycloak operator from the OperatorHub to the namespace foundation:
- In the OpenShift web console navigate to the Operators → OperatorHub page
- Filter by keyword: Single Sign-On
- Select the operator: Red Hat Single Sign-On Operator provided by Red Hat
- Read the information about the operator and click Install
- On the Create Operator Subscription page:
- Select option A specific namespace on the cluster with namespace foundation
- Select an Update Channel (if more than one is available)
- Select Automatic approval strategy
- Click Subscribe
- After the Subscription's upgrade status is Up to date, navigate in the web console to the Operators → Installed Operators page
- Select the Keycloak Operator and verify that the content for the Overview tab of the Operators → Operator Details page is displayed
See OpenShift documentation Adding Operators to a cluster (OpenShift 4.16) for further information on how to install an operator from the OperatorHub.
Create the Keycloak Instance
Create the Keycloak CRD instance in the namespace foundation:
- Navigate in the web console to the Operators → Installed Operators page
- Select the Red Hat Single Sign-On Operator
- Navigate to the Keycloak tab of the Operators → Operator Details page
- Click Create Keycloak
- In the Keycloak Operator → Create Keycloak page
- Enter the resource definition (See Example Keycloak Configuration)
- Click on Create
- Verify that the newly created Keycloak CRD instance is displayed in the Keycloak tab
Example Keycloak Configuration
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: keycloak
  labels:
    app: sso
spec:
  instances: 1
  externalAccess:
    enabled: true
Retrieve Credentials
You can retrieve the credentials for connecting to Keycloak from the Kubernetes secret named credential-keycloak in the namespace foundation:
oc -n foundation get secret credential-keycloak -o jsonpath='{.data.ADMIN_USERNAME}' | base64 -d; echo
oc -n foundation get secret credential-keycloak -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d; echo
Retrieve Certificates
The certificates are needed later during installation (truststore.trustmap.identity), so please download and save them temporarily.
KEYCLOAK_HOST=$(oc -n foundation get route keycloak -o jsonpath='{.spec.host}')
echo | openssl s_client -showcerts -servername "$KEYCLOAK_HOST" -connect "$KEYCLOAK_HOST:443" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keycloak-fullchain.pem
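The commands above write whatever openssl returns into keycloak-fullchain.pem; if the handshake fails (route not yet admitted by the router, wrong host, no SNI sent), the sed filter produces an empty file and the step still appears to succeed, with the failure only surfacing later when the installer loads truststore.trustmap.identity. The script below is an added example, not part of the IBM documentation or the Red Hat operator: it wraps the same extraction in functions, checks that at least one complete certificate block was captured, and prints subject, issuer and expiry of each certificate so the operator can see which CA is being trusted. The route name keycloak and namespace foundation are taken from the page; the openssl-style output in SAMPLE_S_CLIENT_OUTPUT is constructed for the offline demonstration and contains no real certificates.

```shell
#!/bin/sh
# Added example (not IBM's or Red Hat's code): sanity-check the PEM chain written
# by the "Retrieve Certificates" step before it is handed to the installer as
# truststore.trustmap.identity.
# Assumptions: route "keycloak" and namespace "foundation" are taken from the
# page; SAMPLE_S_CLIENT_OUTPUT below is constructed and not a real certificate.

# Keep only the PEM certificate blocks from raw `openssl s_client -showcerts` output.
extract_pem_chain() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Print the number of complete certificate blocks in a PEM file and return 0,
# or print 0 and return 1 when the file holds none or BEGIN/END markers are
# unbalanced. A failed handshake gives openssl nothing to show, so the filter
# writes an empty file; without this check the step "succeeds" silently.
count_pem_certs() {
  file=$1
  begins=$(grep -c -- '-BEGIN CERTIFICATE-' "$file" || true)
  ends=$(grep -c -- '-END CERTIFICATE-' "$file" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo 0
    return 1
  fi
  echo "$begins"
}

# Show subject, issuer and expiry of every certificate in the bundle so the
# operator sees which CA is about to be trusted and when it expires.
# Needs real certificates, so it is only called in the live path.
describe_chain() {
  file=$1
  dir=$(mktemp -d)
  # awk splits the bundle into one file per certificate block
  awk -v dir="$dir" '/-BEGIN CERTIFICATE-/{n++} {print > (dir "/cert." n ".pem")}' "$file"
  for cert in "$dir"/cert.*.pem; do
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    echo
  done
  rm -rf "$dir"
}

# Live retrieval as on the page, with two additions: -servername so the
# OpenShift router receives SNI and serves the route's certificate, and a
# non-empty check before the file is used.
fetch_keycloak_chain() {
  out=$1
  host=$(oc -n foundation get route keycloak -o jsonpath='{.spec.host}')
  echo | openssl s_client -showcerts -servername "$host" -connect "$host:443" 2>/dev/null \
    | extract_pem_chain > "$out"
  n=$(count_pem_certs "$out") || { echo "no certificate chain captured from $host" >&2; return 1; }
  echo "captured $n certificate(s) from $host into $out"
}

# Constructed sample of what `openssl s_client -showcerts` prints (server cert
# plus one issuing CA, surrounded by handshake noise). The PEM bodies are
# placeholders, not real DER data.
SAMPLE_S_CLIENT_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = constructed-ingress-ca
verify return:1
depth=0 CN = keycloak-foundation.apps.example.invalid
verify return:1
---
Certificate chain
 0 s:CN = keycloak-foundation.apps.example.invalid
   i:CN = constructed-ingress-ca
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
 1 s:CN = constructed-ingress-ca
   i:CN = constructed-ingress-ca
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
---
SSL handshake has read 1234 bytes and written 456 bytes
EOF
)

if [ "${KEYCLOAK_LIVE:-0}" = 1 ]; then
  # Against a real cluster: KEYCLOAK_LIVE=1 sh this-script.sh (after oc login)
  fetch_keycloak_chain keycloak-fullchain.pem && describe_chain keycloak-fullchain.pem
else
  # Offline demonstration on the constructed sample
  demo=$(mktemp)
  printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_pem_chain > "$demo"
  echo "constructed sample: $(count_pem_certs "$demo") certificate block(s) extracted"
  rm -f "$demo"
fi
```

Run it without arguments to see the filter applied to the constructed sample (two blocks, handshake noise dropped); with KEYCLOAK_LIVE=1 after oc login it performs the page's retrieval and refuses to report success on an empty chain. The expiry printed by describe_chain is worth noting, because a truststore built from a short-lived router certificate will need refreshing before that date.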