
Activate OIDC in the Rancher UI

First, connect to Keycloak with the admin user:

  • Retrieve the admin credentials used to log in to Keycloak:

    echo kc_username = $(kubectl -n kosmos-iam get secret import-admin-keycloak -ojsonpath='{.data.username}'| base64 -d)
    echo kc_password = $(kubectl -n kosmos-iam get secret import-admin-keycloak -ojsonpath='{.data.password}'| base64 -d)
  • Open the rancher client:

    • Select the realm kosmos in the upper left corner
    • Click on Clients in the left panel to show the client list, then on rancher in that list
  • Retrieve the configuration information Rancher will need:
    • Click on the Credentials tab and copy the Client Secret (treat it like a password: anyone holding it can obtain tokens as the rancher client)
    • Click on Realm Settings in the left panel, then at the bottom of the settings click on the OpenID Endpoint Configuration link
    • Keep the new browser tab open; its fields are pasted into Rancher below

Then open the Rancher UI and log in as an admin user:

  • Retrieve the bootstrap password to log in to Rancher

    kubectl -n cattle-system get secret bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}{{"\n"}}'
  • Log in to Rancher https://rancher.$KOSMOS_DOMAIN

  • Enter the bootstrap password when logging into the Rancher UI for the first time
  • Click “Log in with local user”
  • In the new window, check “Use a randomly generated password” (default)
  • Save the randomly generated password provided by Rancher (e.g., OccQ2cHb0P0luOdt)
  • Check “By checking the box, you accept …”
  • Click “Continue”
  • Click on the user icon in the bottom left corner
    • Click on the Auth provider tab in the new left panel
    • Click on the Keycloak entry labeled with an orange OIDC badge
    • Fill in the fields of the Configure a Keycloak OIDC account section:
      • the Client ID is rancher
      • the Client Secret is the one retrieved from the Keycloak UI above
      • leave the Private Key and Certificate fields empty
    • Activate the option Enable group search
    • In the Endpoints section select Specify, click on the Show Advanced button and keep the Keycloak OpenID Endpoint Configuration tab opened earlier at hand:
      • leave the Rancher URL as is
      • Issuer: paste the value of the issuer field of the Keycloak configuration (e.g. https://auth.$KOSMOS_DOMAIN/realms/kosmos)
      • Auth Endpoint: paste the value of the authorization_endpoint field (e.g. https://auth.$KOSMOS_DOMAIN/realms/kosmos/protocol/openid-connect/auth)
      • Token Endpoint: paste the value of the token_endpoint field (e.g. https://auth.$KOSMOS_DOMAIN/realms/kosmos/protocol/openid-connect/token)
      • User Info Endpoint: paste the value of the userinfo_endpoint field (e.g. https://auth.$KOSMOS_DOMAIN/realms/kosmos/protocol/openid-connect/userinfo)
      • JWKS URL and Authorization Context Reference: leave empty
  • Click on Enable and, when asked, authenticate with the rancher-admin@athea.tech user (Rancher uses this test login to validate the configuration before enabling it)
    • its password can be retrieved with the command:

      kubectl -n cattle-system get secret rancher-admin-oidc -o jsonpath='{.data.password}' | base64 --decode ; echo
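The four endpoint values above can be pulled from Keycloak's OIDC discovery document and cross-checked instead of copied by hand. The script below is an added example, not code from the Kosmos project: it only assumes the issuer URL pattern shown above (https://auth.$KOSMOS_DOMAIN/realms/kosmos) and that curl is available for the live call. The sample discovery document used in the usage is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Kosmos documentation: read the endpoint values
# the Rancher form asks for straight from Keycloak's OIDC discovery document and
# sanity-check them before pasting. Only the realm name "kosmos" and the
# auth.$KOSMOS_DOMAIN hostname are taken from the page.
set -eu

# Extract a top-level string field from the discovery JSON without jq.
# Good enough for the flat discovery document; not a general JSON parser.
oidc_field() {
    # $1 = JSON text, $2 = field name
    printf '%s' "$1" \
      | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
      | head -n 1 \
      | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"//; s/"$//'
}

# Succeed only if $2 is an https URL below issuer $1.
endpoint_under_issuer() {
    case "$1" in https://*) ;; *) return 1 ;; esac
    case "$2" in "$1"/*) return 0 ;; esac
    return 1
}

# $1 = issuer URL you expect (the one typed into Rancher), $2 = discovery JSON.
# Prints key=value lines for the Rancher form, returns 1 on any inconsistency.
check_discovery() {
    expected_issuer=$1
    doc=$2
    issuer=$(oidc_field "$doc" issuer)
    # OIDC Discovery requires "issuer" to equal the URL the document lives under.
    # A mismatch usually means Keycloak advertises an internal hostname (wrong
    # frontend URL behind the proxy); Rancher would then reject every id_token.
    if [ "$issuer" != "$expected_issuer" ]; then
        echo "issuer mismatch: got '$issuer', expected '$expected_issuer'" >&2
        return 1
    fi
    echo "issuer=$issuer"
    for key in authorization_endpoint token_endpoint userinfo_endpoint; do
        url=$(oidc_field "$doc" "$key")
        if [ -z "$url" ] || ! endpoint_under_issuer "$issuer" "$url"; then
            echo "$key missing or not an https URL under the issuer: '$url'" >&2
            return 1
        fi
        echo "$key=$url"
    done
}

# Live use against the platform from the page (needs curl and network access):
#   ISSUER="https://auth.$KOSMOS_DOMAIN/realms/kosmos"
#   check_discovery "$ISSUER" "$(curl -fsS "$ISSUER/.well-known/openid-configuration")"
```

The issuer comparison is the check worth keeping: Rancher validates the iss claim of every id_token against the Issuer you typed, so a Keycloak that advertises a different (typically internal) hostname produces logins that fail only after the provider is enabled.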

With OIDC now activated, you can set up basic authorizations:

  • While still on the Authentication Provider: Keycloak (OIDC) result page, click on Restrict access to only the authorized users & groups
  • In the new Authorized Users & Groups section, add the following groups and click on Save:
    • adminsysteme
    • adminsecurite
    • admintrait
    • adminapp
    • dev
    • intg
  • In the left panel click on Groups
  • For each group below, click on Assign Global Roles, choose the group in Select Member, give it the listed global permission and click on Save:
    • adminsysteme: Administrator
    • adminsecurite: Administrator
    • admintrait: Standard User
    • adminapp: Standard User
    • dev: Standard User
    • intg: Standard User

Administrator grants full control over Rancher and every managed cluster, so keep it to the two admin groups above and give the others Standard User only.
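Once the roles are assigned, the resulting GlobalRoleBindings can be audited from the command line against the group-to-role matrix above. The script below is an added example, not code from the Kosmos project. It assumes two things the page does not state: that Rancher records the Keycloak group in the binding's groupPrincipalName field as keycloakoidc_group://<name>, and that the global roles shown as Administrator and Standard User are named admin and user. The binding lines used in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Kosmos documentation: audit the
# GlobalRoleBindings Rancher created for the Keycloak groups against the
# matrix on this page. Assumptions (not stated on the page): Rancher stores the
# group as "keycloakoidc_group://<name>" in groupPrincipalName, and the global
# roles behind "Administrator" and "Standard User" are named "admin" and "user".
set -eu

# Intended global role per Keycloak group, from the page.
expected_role() {
    case "$1" in
        adminsysteme|adminsecurite) echo admin ;;
        admintrait|adminapp|dev|intg) echo user ;;
        *) echo unknown ;;
    esac
}

# $1 = lines of "<globalRoleName> <groupPrincipalName>" as produced by:
#   kubectl get globalrolebindings.management.cattle.io \
#     -o jsonpath='{range .items[*]}{.globalRoleName} {.groupPrincipalName}{"\n"}{end}'
# (bindings of individual users have an empty second column and are skipped).
# Prints one line per finding; returns 1 if a listed group is missing, has a
# role other than intended, or if a group not on the page was bound at all.
audit_bindings() {
    findings=0
    seen=" "
    while read -r role principal; do
        [ -n "$principal" ] || continue      # user binding, not a group
        group=${principal#keycloakoidc_group://}
        want=$(expected_role "$group")
        seen="$seen$group "
        if [ "$want" = unknown ]; then
            echo "unexpected group bound: $group -> $role"
            findings=$((findings + 1))
        elif [ "$want" != "$role" ]; then
            echo "wrong role for $group: has $role, expected $want"
            findings=$((findings + 1))
        fi
    done <<EOF
$1
EOF
    for g in adminsysteme adminsecurite admintrait adminapp dev intg; do
        case "$seen" in
            *" $g "*) ;;
            *)
                echo "missing binding for $g"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Live use against the platform from the page:
#   audit_bindings "$(kubectl get globalrolebindings.management.cattle.io \
#       -o jsonpath='{range .items[*]}{.globalRoleName} {.groupPrincipalName}{"\n"}{end}')"
```

Run it after any change to the Keycloak groups or Rancher roles; the case to look for is a non-admin group that has silently picked up the admin role.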