Red Hat Single Sign-On Operator
If you already have a Keycloak instance running, consider using that and proceed with installing MongoDB. See Pre-Installation Tasks for the configuration values of your Keycloak installation that you need to gather for the installation of IBM Industry Solutions Workbench.
To complete this task, you must be a cluster administrator. To prevent issues with PVCs, a default storage class must be set.
Install Red Hat Single Sign-On Operator from the OperatorHub
As a cluster administrator, install the Keycloak operator from the OperatorHub to the namespace foundation:
- In the OpenShift web console navigate to the Operators → OperatorHub page
- Filter by keyword: Single Sign-On
- Select the operator: Red Hat Single Sign-On Operator provided by Red Hat
- Read the information about the operator and click Install
- On the Create Operator Subscription page:
- Select option A specific namespace on the cluster with namespace foundation
- Select an Update Channel (if more than one is available)
- Select Automatic approval strategy
- Click Subscribe
- After the Subscription's upgrade status is Up to date, navigate in the web console to the Operators → Installed Operators page
- Select the Keycloak Operator and verify that the content for the Overview tab of the Operators → Operator Details page is displayed
See OpenShift documentation Adding Operators to a cluster (OpenShift 4.12) for further information on how to install an operator from the OperatorHub.
Create the Keycloak Instance
Create the Keycloak CRD instance in the namespace foundation:
- Navigate in the web console to the Operators → Installed Operators page
- Select the Red Hat Single Sign-On Operator
- Navigate to the Keycloak tab of the Operators → Operator Details page
- Click Create Keycloak
- In the Keycloak Operator → Create Keycloak page
- Enter the resource definition (See Example Keycloak Configuration)
- Click on Create
- Verify that in the Keycloak tab the newly created keycloak CRD instance is displayed
Example Keycloak Configuration
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: keycloak
  labels:
    app: sso
spec:
  instances: 1
  externalAccess:
    enabled: true
Retrieve Credentials
You can retrieve the credentials for connecting to Keycloak from the Kubernetes secret named credential-keycloak:
oc -n foundation get secret credential-keycloak -o jsonpath='{.data.ADMIN_USERNAME}' | base64 -d; echo
oc -n foundation get secret credential-keycloak -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d; echo
Retrieve Certificates
The certificates are needed later during installation (truststore.trustmap.identity), so please download and save them temporarily.
KEYCLOAK_HOST=$(oc -n foundation get route keycloak -o jsonpath='{.spec.host}')
echo | openssl s_client -showcerts -servername "$KEYCLOAK_HOST" -connect "$KEYCLOAK_HOST:443" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keycloak-fullchain.pem
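The retrieval above writes whatever the pipe produces, so a failed connection leaves an empty file and an incomplete chain goes unnoticed until the truststore is used. The following is an added example, not code from the IBM or Red Hat documentation: it sends SNI, refuses an empty result, and checks that the saved chain is internally consistent. It assumes the namespace foundation and the route name keycloak from this page.

```shell
#!/bin/sh
# Added example, not from the IBM or Red Hat documentation: the certificate retrieval
# above with SNI, an empty-output check and a consistency check on the saved chain.
# Assumed names (from this page): namespace "foundation", route "keycloak".

# Number of PEM certificate blocks in a file; 0 if it is empty or unreadable.
count_certs() {
    if [ -r "$1" ]; then grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; else echo 0; fi
}

# Split a full-chain PEM ($1) into $2/cert-1.pem (leaf), cert-2.pem, ...; prints the count.
split_chain() {
    mkdir -p "$2"
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", d, n); on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/ { on = 0; close(f) }' "$1"
    count_certs "$1"
}

# Verify the leaf against the rest of the chain the server sent. The last
# certificate is taken as the anchor (-partial_chain), which matches how a
# truststore will treat it; a chain whose links do not sign each other fails.
verify_chain() {
    dir=$(mktemp -d) || return 1
    n=$(split_chain "$1" "$dir")
    rc=1
    if [ "$n" -gt 0 ]; then
        cat "$dir"/cert-*.pem > "$dir/untrusted.pem"
        if openssl verify -partial_chain -CAfile "$dir/cert-$n.pem" \
               -untrusted "$dir/untrusted.pem" "$dir/cert-1.pem" >/dev/null 2>&1; then
            rc=0
        fi
    fi
    rm -rf "$dir"
    return $rc
}

# Fetch the chain presented by the Keycloak route into $2; prints the certificate count.
fetch_chain() {
    host="$1"; out="$2"
    echo | openssl s_client -showcerts -servername "$host" -connect "$host:443" 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out"
    n=$(count_certs "$out")
    [ "$n" -gt 0 ] || { echo "no certificate received from $host" >&2; rm -f "$out"; return 1; }
    verify_chain "$out" || { echo "$out: chain does not verify" >&2; return 1; }
    echo "$n"
}
```

After an oc login, run `fetch_chain "$(oc -n foundation get route keycloak -o jsonpath='{.spec.host}')" keycloak-fullchain.pem`; a non-zero exit means the file should not be imported into truststore.trustmap.identity.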