Version: 3.9.0

Portal OIDC Configuration

This page describes how to configure OIDC authorization for the KubeRocketCI Portal UI so that Single Sign-On (SSO) can be used to authorize users in the Portal. With this configuration, user access and rights are controlled centrally from a single configuration point.

Prerequisites

Ensure the following values are set before starting the Portal OIDC configuration:

  1. realm_id = openshift

  2. client_id = kubernetes

  3. keycloak_client_key = keycloak_client_secret_key (obtained from: Openshift realm -> Clients -> kubernetes -> Credentials -> Client secret)

  4. group = edp-oidc-admins, edp-oidc-builders, edp-oidc-deployers, edp-oidc-developers, edp-oidc-viewers (these groups must be created manually in the realm from step 1)

Note:

The values listed above result from configuring Keycloak as an OIDC identity provider. To obtain them, refer to the guidelines on the Keycloak OIDC EKS Configuration page.

Configure Keycloak

To proceed with the Keycloak configuration, perform the following:

  1. Add the Headlamp URL to the valid_redirect_uris variable of the Keycloak client (list entries must be comma-separated):

    keycloak_openid_client
      valid_redirect_uris = [
        "https://edp-portal.<dns_wildcard>/*",
        "http://localhost:8000/*"
      ]

    Make sure to define the following Keycloak client values as indicated:

    (Screenshot: Keycloak client configuration)

  2. Store the Keycloak client key in Kubernetes as a Secret, either directly or via the External Secrets Operator:

    apiVersion: v1
    kind: Secret
    metadata:
      name: keycloak-client-headlamp-secret
      namespace: edp
    type: Opaque
    stringData:
      clientSecret: <keycloak_client_secret_key>
  3. Assign each user to one or more of the groups in Keycloak.
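
As an added pre-flight check (not part of the KubeRocketCI docs or the Portal code), the following Python validates the three inputs the steps above rely on: the client's valid_redirect_uris, the presence of the edp-oidc-* groups in the realm, and the Secret manifest holding the client secret. The Portal host name and every input are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Groups the prerequisites list requires in the realm.
REQUIRED_GROUPS = {
    "edp-oidc-admins", "edp-oidc-builders", "edp-oidc-deployers",
    "edp-oidc-developers", "edp-oidc-viewers",
}
# An untouched "<placeholder>" or an empty value.
PLACEHOLDER = re.compile(r"^<[^>]*>$|^\s*$")

def check_redirect_uris(uris, portal_host):
    """Report problems in a Keycloak client's valid_redirect_uris list.
    A bare '*' or a wildcard host lets the authorization code be sent to
    any site, so it is flagged; plain http is accepted only for localhost."""
    problems = []
    expected = f"https://{portal_host}/*"
    for uri in uris:
        parsed = urlparse(uri)
        if uri == "*" or "*" in parsed.netloc:
            problems.append(f"overly broad redirect URI: {uri}")
        elif parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
            problems.append(f"non-TLS redirect URI: {uri}")
    if expected not in uris:
        problems.append(f"missing Portal redirect URI: {expected}")
    return problems

def check_groups(existing_groups):
    """Return the required edp-oidc-* groups still missing from the realm."""
    return sorted(REQUIRED_GROUPS - set(existing_groups))

def check_secret(manifest):
    """Flag a Secret manifest whose clientSecret was never filled in."""
    problems = []
    if manifest.get("kind") != "Secret":
        problems.append("manifest kind is not Secret")
    value = (manifest.get("stringData") or {}).get("clientSecret", "")
    if PLACEHOLDER.match(value):
        problems.append("clientSecret is empty or still a <placeholder>")
    return problems

if __name__ == "__main__":
    # Constructed inputs; the Portal DNS name is an assumption.
    host = "edp-portal.example.com"
    print(check_redirect_uris([f"https://{host}/*", "*"], host))
    print(check_groups(["edp-oidc-admins"]))
    print(check_secret({"kind": "Secret",
                        "stringData": {"clientSecret": "<keycloak_client_secret_key>"}}))
```

Run it against the real values before applying the manifest; an empty list from each check means the inputs match what this page expects.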

Integrate Portal With Kubernetes

Portal is integrated with Kubernetes in three steps:

  1. Update the values.yaml file by enabling OIDC:

    values.yaml
    edp-headlamp:
      config:
        oidc:
          enabled: true
  2. Navigate to Portal UI and log in by clicking the Sign In button:

    (Screenshot: Portal login page)

  3. After logging in, specify the namespace in which the KubeRocketCI platform is deployed by clicking the cluster settings link in the bottom left corner of the UI:

    (Screenshot: Portal namespace settings)

As a result, access and rights can be controlled from the Keycloak endpoint.

Changing the Lifespan of an Access Token

To change the Access Token Lifespan, open Keycloak and select the Openshift realm > Realm settings > Tokens > Access Token Lifespan, enter a new value in the field and save the change.

By default, the "Access Token Lifespan" value is 5 minutes.

(Screenshot: Access Token Lifespan)