Red Hat Single Sign-On Operator

If you already have a Keycloak instance running, consider using it and proceed with installing MongoDB. See also Pre-Installation Tasks for the configuration values of your Keycloak installation that you need to gather for the installation of IBM Industry Solutions Workbench.

Note: To complete this task, you must be a cluster administrator. To prevent issues with PVCs, a default storage class must be set.

Install Red Hat Single Sign-On Operator from the OperatorHub

As a cluster administrator, install the Keycloak operator from the OperatorHub into the namespace foundation:

  1. In the OpenShift web console navigate to the Operators → OperatorHub page

  2. Filter by keyword: Single Sign-On

  3. Select the operator: Red Hat Single Sign-On Operator provided by Red Hat

  4. Read the information about the operator and click Install

  5. On the Create Operator Subscription page:

    • Select option A specific namespace on the cluster with namespace foundation

    • Select an Update Channel (if more than one is available)

    • Select Automatic approval strategy

    • Click Subscribe

  6. After the Subscription's upgrade status is Up to date, navigate in the web console to the Operators → Installed Operators page

  7. Select the Keycloak Operator and verify that the content for the Overview tab of the Operators → Operator Details page is displayed

Note: See OpenShift documentation Adding Operators to a cluster (OpenShift 4.12) for further information on how to install an operator from the OperatorHub.

Create the Keycloak Instance

Create the Keycloak CRD instance in the namespace foundation:

  1. Navigate in the web console to the Operators → Installed Operators page

  2. Select the Red Hat Single Sign-On Operator

  3. Navigate to the Keycloak tab of the Operators → Operator Details page

  4. Click Create Keycloak

  5. In the Keycloak Operator → Create Keycloak page, enter the configuration for the Keycloak instance (see Example Keycloak Configuration below) and click Create

  6. Verify that in the Keycloak tab the newly created keycloak CRD instance is displayed

Example Keycloak Configuration

apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: keycloak          # the operator derives the route and secret names from this
  labels:
    app: sso
spec:
  instances: 1            # number of Keycloak pods; one is sufficient for this setup
  externalAccess:
    enabled: true         # creates an OpenShift route so Keycloak is reachable from outside the cluster

Retrieve Credentials

You can retrieve the credentials for connecting to Keycloak from the Kubernetes secret named credential-keycloak in the foundation namespace:

oc -n foundation get secret credential-keycloak -o jsonpath='{.data.ADMIN_USERNAME}' | base64 -d; echo
oc -n foundation get secret credential-keycloak -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d; echo

Retrieve Certificates

The certificates are needed later during installation (truststore.trustmap.identity), so please download and save them temporarily.

KEYCLOAK_HOST=$(oc -n foundation get route keycloak -o jsonpath='{.spec.host}')
echo | openssl s_client -showcerts -servername "$KEYCLOAK_HOST" -connect "$KEYCLOAK_HOST:443" 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keycloak-fullchain.pem
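The following shell helper is an added example and is not part of the IBM Industry Solutions Workbench documentation: it inspects the keycloak-fullchain.pem file produced by the commands above before it is placed into truststore.trustmap.identity, splitting the bundle into its individual certificates, printing the subject, issuer and validity period of each, and checking that the leaf certificate is valid for the route host. The file name and KEYCLOAK_HOST are those used above; openssl is needed only by describe_chain.

```shell
#!/bin/sh
# Added example, not part of the IBM Industry Solutions Workbench documentation:
# sanity-check keycloak-fullchain.pem before it is imported into the truststore.
set -eu

# count_pem_certs FILE: print the number of certificates in a PEM bundle;
# fails when BEGIN/END markers are unbalanced (e.g. a truncated download)
count_pem_certs() {
  local file="$1" begins ends
  begins=$(grep -c -- '-BEGIN CERTIFICATE-' "$file" || true)
  ends=$(grep -c -- '-END CERTIFICATE-' "$file" || true)
  [ "$begins" -eq "$ends" ] || { echo "unbalanced PEM markers in $file" >&2; return 1; }
  echo "$begins"
}

# split_pem_chain FILE OUTDIR: write each certificate to OUTDIR/cert-N.pem
# (cert-1 is the leaf, i.e. the first certificate the route sent) and print N
split_pem_chain() {
  local file="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-END CERTIFICATE-/ { close(out); out = "" }
  ' "$file"
  ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# describe_chain FILE HOST: show subject, issuer and validity of every
# certificate in FILE and verify that the leaf is valid for HOST
# (exit status 0 only when the host name check passes)
describe_chain() {
  local file="$1" host="$2" dir cert
  dir=$(mktemp -d)
  split_pem_chain "$file" "$dir" >/dev/null
  for cert in "$dir"/cert-*.pem; do
    echo "== $cert"
    openssl x509 -in "$cert" -noout -subject -issuer -startdate -enddate
  done
  openssl x509 -in "$dir/cert-1.pem" -noout -checkhost "$host" >/dev/null
}

# Typical use after the commands above:
#   describe_chain keycloak-fullchain.pem "$KEYCLOAK_HOST"
```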