From 1038453b03f3cb8d3d76be849897a9e3db6b7386 Mon Sep 17 00:00:00 2001 From: Brandon Williams Date: Tue, 11 Feb 2025 16:16:08 -0600 Subject: [PATCH 1/4] fix: local sso testing seed script --- local-dev/k3d-seed-data/seed-example-sso.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/local-dev/k3d-seed-data/seed-example-sso.sh b/local-dev/k3d-seed-data/seed-example-sso.sh index 5f5b7e4759..c9c6fc1639 100644 --- a/local-dev/k3d-seed-data/seed-example-sso.sh +++ b/local-dev/k3d-seed-data/seed-example-sso.sh @@ -2,6 +2,7 @@ CONFIG_PATH=/tmp/kcadm.config +function auth { # login to keycloak if ! /opt/keycloak/bin/kcadm.sh config credentials --config $CONFIG_PATH --server http://localhost:8080/auth --realm master --client admin-api --secret ${KEYCLOAK_ADMIN_API_CLIENT_SECRET} then @@ -12,6 +13,9 @@ then exit 1 fi fi +} + +auth if /opt/keycloak/bin/kcadm.sh get realms/sso --config $CONFIG_PATH > /dev/null; then echo "Realm sso is already created, skipping" @@ -22,6 +26,9 @@ fi echo "Creating new sso realm" /opt/keycloak/bin/kcadm.sh create realms --config $CONFIG_PATH -s realm=sso -s enabled=true +# must reauth to get permissions for new realm +auth + # Create a user in the SSO realm echo "Creating user and configuring password for user@sso.example.com" @@ -77,4 +84,4 @@ echo "Configuring ssorealm identity provider with platform-owner role mapping" -s identityProviderAlias=ssorealm \ -s config.syncMode=FORCE \ -s config.role=platform-owner \ - --config $CONFIG_PATH -r lagoon \ No newline at end of file + --config $CONFIG_PATH -r lagoon From 36c5e41b3e57620922d199db56828fd4a9ceec61 Mon Sep 17 00:00:00 2001 From: Brandon Williams Date: Tue, 11 Feb 2025 16:16:08 -0600 Subject: [PATCH 2/4] feat: include keycloak plugin for better SSO login experience --- local-dev/k3d-seed-data/seed-example-sso.sh | 3 +++ services/keycloak/Dockerfile | 2 ++ 2 files changed, 5 insertions(+) 
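Review bot: The new `auth` function (hunk `@@ -2,6 +2,7 @@`) still passes the admin credentials as unquoted expansions, `--secret ${KEYCLOAK_ADMIN_API_CLIENT_SECRET}` and `--password $KEYCLOAK_ADMIN_PASSWORD`, so a secret containing whitespace or glob characters is word-split before kcadm.sh sees it; quote them as `--secret "${KEYCLOAK_ADMIN_API_CLIENT_SECRET}"` and `--password "$KEYCLOAK_ADMIN_PASSWORD"` (and likewise `"$CONFIG_PATH"` and `"$KEYCLOAK_ADMIN_USER"`). Both credentials also travel on argv, and the session kcadm.sh obtains is kept at the predictable path `CONFIG_PATH=/tmp/kcadm.config`; that is presumably acceptable for a local-dev seed script, but a one-line comment on the function saying so would stop it being copied into non-dev tooling. The function body is closed in the next hunk (`@@ -12,6 +13,9 @@`), where the top-level `auth` call is added. The same unquoted lines are re-indented again in patch 3/4, so the quoting fix applies there as well.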
diff --git a/local-dev/k3d-seed-data/seed-example-sso.sh b/local-dev/k3d-seed-data/seed-example-sso.sh index c9c6fc1639..a7cc987cbe 100644 --- a/local-dev/k3d-seed-data/seed-example-sso.sh +++ b/local-dev/k3d-seed-data/seed-example-sso.sh @@ -67,7 +67,10 @@ echo "Creating ssorealm identity provider in lagoon realm" -s config.logoutUrl=${KEYCLOAK_FRONTEND_URL%/}/realms/sso/protocol/openid-connect/logout \ -s config.userInfoUrl=http://localhost:8080/auth/realms/sso/protocol/openid-connect/userinfo \ -s config.issuer=${KEYCLOAK_FRONTEND_URL%/}/realms/sso \ + -s config.loginHint=true \ -s config.validateSignature=true \ + -s 'config."home.idp.discovery.domains"=sso.example.com' \ + -s 'config."home.idp.discovery.matchSubdomains"=true' \ -s config.pkceEnabled=false \ -s config.clientAuthMethod=client_secret_post \ -s config.clientId=sso-oidc-client \ diff --git a/services/keycloak/Dockerfile b/services/keycloak/Dockerfile index bc078b23ee..6d1d17a6b7 100644 --- a/services/keycloak/Dockerfile +++ b/services/keycloak/Dockerfile @@ -82,6 +82,8 @@ ENV TMPDIR=/tmp \ VOLUME /opt/keycloak/data +RUN curl -sSLo /opt/keycloak/providers/keycloak-home-idp-discovery.jar https://github.com/sventorben/keycloak-home-idp-discovery/releases/download/v26.0.1/keycloak-home-idp-discovery.jar + COPY entrypoints/kc-startup.sh /lagoon/kc-startup.sh COPY entrypoints/wait-for-mariadb.sh /lagoon/entrypoints/98-wait-for-mariadb.sh COPY entrypoints/default-keycloak-entrypoint.sh /lagoon/entrypoints/99-default-keycloak-entrypoint.sh From a5b26a6c86aadb2fd7a02e58e8040aec391c3a2e Mon Sep 17 00:00:00 2001 From: Brandon Williams Date: Tue, 11 Feb 2025 16:16:09 -0600 Subject: [PATCH 3/4] refactor: cursed 3-spaces indentation --- local-dev/k3d-seed-data/seed-example-sso.sh | 58 ++++++++++----------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/local-dev/k3d-seed-data/seed-example-sso.sh b/local-dev/k3d-seed-data/seed-example-sso.sh index a7cc987cbe..c2969d276a 100644 
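Review bot: The three added `-s` lines in `@@ -67,7 +67,10 @@` carry no explanation, and two of them (`config."home.idp.discovery.domains"` and `config."home.idp.discovery.matchSubdomains"`) only take effect once the provider installed by the `services/keycloak/Dockerfile` hunk of this same patch is loaded; kcadm.sh will presumably store them as plain config entries either way, so a missing plugin fails silently rather than at seed time. Suggest a comment above the first added line: `# home.idp.discovery.* keys are read by the keycloak-home-idp-discovery provider (services/keycloak/Dockerfile); matchSubdomains=true also routes *.sso.example.com users to this IdP`. Because `matchSubdomains=true` widens which email domains are routed to this identity provider, it is worth stating that this is intentional for the local-dev SSO example. The `kcadm.sh create identity-provider/instances` command this hunk edits starts and ends outside the hunk.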
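Review bot: The added `RUN curl -sSLo ... keycloak-home-idp-discovery.jar` in `@@ -82,6 +82,8 @@` has no `-f`/`--fail`, so an HTTP error body from GitHub would be written into `/opt/keycloak/providers/keycloak-home-idp-discovery.jar` and the build would still succeed, and the jar, which runs inside the Keycloak process, is not checked against a known digest. Suggest `RUN curl -fsSLo /opt/keycloak/providers/keycloak-home-idp-discovery.jar https://github.com/sventorben/keycloak-home-idp-discovery/releases/download/v26.0.1/keycloak-home-idp-discovery.jar \` followed by `&& echo "<SHA256_OF_RELEASE_JAR>  /opt/keycloak/providers/keycloak-home-idp-discovery.jar" | sha256sum -c -`, with the digest taken from the release page. The pinned `v26.0.1` has to track the Keycloak version of the base image, which the README added in patch 4/4 warns about but the Dockerfile itself does not record; a comment such as `# upgrade in lock-step with the Keycloak base image, see README.md` next to the RUN would keep that coupling visible. If the image starts Keycloak in optimized mode, a provider added here also needs a `kc.sh build` step, which I cannot confirm from this hunk.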
--- a/local-dev/k3d-seed-data/seed-example-sso.sh +++ b/local-dev/k3d-seed-data/seed-example-sso.sh @@ -2,24 +2,24 @@ CONFIG_PATH=/tmp/kcadm.config -function auth { # login to keycloak -if ! /opt/keycloak/bin/kcadm.sh config credentials --config $CONFIG_PATH --server http://localhost:8080/auth --realm master --client admin-api --secret ${KEYCLOAK_ADMIN_API_CLIENT_SECRET} -then - if ! /opt/keycloak/bin/kcadm.sh config credentials --config $CONFIG_PATH --server http://localhost:8080/auth --user $KEYCLOAK_ADMIN_USER --password $KEYCLOAK_ADMIN_PASSWORD --realm master - then - echo "Unable to log in to keycloak with client admin-api or username and password" - echo "If you have rotated the admin-api secret, you will need to log in and update it manually" - exit 1 - fi -fi +function auth { + if ! /opt/keycloak/bin/kcadm.sh config credentials --config $CONFIG_PATH --server http://localhost:8080/auth --realm master --client admin-api --secret ${KEYCLOAK_ADMIN_API_CLIENT_SECRET} + then + if ! /opt/keycloak/bin/kcadm.sh config credentials --config $CONFIG_PATH --server http://localhost:8080/auth --user $KEYCLOAK_ADMIN_USER --password $KEYCLOAK_ADMIN_PASSWORD --realm master + then + echo "Unable to log in to keycloak with client admin-api or username and password" + echo "If you have rotated the admin-api secret, you will need to log in and update it manually" + exit 1 + fi + fi } auth if /opt/keycloak/bin/kcadm.sh get realms/sso --config $CONFIG_PATH > /dev/null; then - echo "Realm sso is already created, skipping" - exit 0 + echo "Realm sso is already created, skipping" + exit 0 fi # create the SSO realm 
@@ -33,20 +33,20 @@ auth echo "Creating user and configuring password for user@sso.example.com" /opt/keycloak/bin/kcadm.sh create users -r sso \ - -s email=user@sso.example.com \ - -s firstName=sso \ - -s lastName=user \ - -s username=sso-user \ - -s enabled=true \ - -o --fields id,username \ - --config $CONFIG_PATH + -s email=user@sso.example.com \ + -s firstName=sso \ + -s lastName=user \ + -s username=sso-user \ + -s enabled=true \ + -o --fields id,username \ + --config $CONFIG_PATH # Set the password for the SSO user /opt/keycloak/bin/kcadm.sh set-password \ - --config $CONFIG_PATH \ - --username sso-user \ - -p user@sso.example.com \ - --target-realm sso + --config $CONFIG_PATH \ + --username sso-user \ + -p user@sso.example.com \ + --target-realm sso # create the SSO realm OIDC client echo "Creating example client in sso realm" @@ -82,9 +82,9 @@ echo "Creating ssorealm identity provider in lagoon realm" # create a role mapper that grants any users from the SSO realm as platform-owner echo "Configuring ssorealm identity provider with platform-owner role mapping" /opt/keycloak/bin/kcadm.sh create identity-provider/instances/ssorealm/mappers \ - -s name=platform-owner \ - -s identityProviderMapper=oidc-hardcoded-role-idp-mapper \ - -s identityProviderAlias=ssorealm \ - -s config.syncMode=FORCE \ - -s config.role=platform-owner \ - --config $CONFIG_PATH -r lagoon + -s name=platform-owner \ + -s identityProviderMapper=oidc-hardcoded-role-idp-mapper \ + -s identityProviderAlias=ssorealm \ + -s config.syncMode=FORCE \ + -s config.role=platform-owner \ + --config $CONFIG_PATH -r lagoon From 322efa60cb26bc9fcf60cd6e99828211a78739e7 Mon Sep 17 00:00:00 2001 From: Brandon Williams Date: Tue, 11 Feb 2025 16:16:09 -0600 Subject: [PATCH 4/4] docs: keycloak README with warning about upgrades --- services/keycloak/README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 services/keycloak/README.md 
diff --git a/services/keycloak/README.md b/services/keycloak/README.md new file mode 100644 index 0000000000..385c9fc06a --- /dev/null +++ b/services/keycloak/README.md @@ -0,0 +1,15 @@ +# Keycloak + +Lagoon uses Keycloak to store users, handle authentication and authorization for multiple clients +(api, ui, cli, etc), and handle SSO against 3rd party identity providers. + +## Upgrading + +Upgrading keycloak should not be done without care. Carefully read the release and upgrade notes to +determine if any breaking changes have been made to subsystems that Lagoon relies on. This includes +how Keycloak is configured and run. + +The following libraries/plugins may also require specific versions of Keycloak, or must be upgraded +at the same time as Keycloak to a supported version: + +* [Home IDP Discovery plugin](https://github.com/sventorben/keycloak-home-idp-discovery)