xmlking
diff --git a/‎.deploy/keycloak/Dockerfile‎
Lines changed: 10 additions & 0 deletions b/‎.deploy/keycloak/Dockerfile‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.deploy/keycloak/README.md‎
Lines changed: 69 additions & 0 deletions b/‎.deploy/keycloak/README.md‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎.deploy/keycloak/TESTING.md‎
Lines changed: 152 additions & 0 deletions b/‎.deploy/keycloak/TESTING.md‎
Lines changed: 152 additions & 0 deletions
@@ -0,0 +1,10 @@
+FROM jboss/keycloak-openshift:4.3.0.Final
+LABEL maintainer="Sumanth <xmlking@gmail.com>"
+
+COPY configuration/* $JBOSS_HOME/standalone/configuration/
+
+ENV DB_VENDOR H2
+EXPOSE 9080
+
+CMD ["start-keycloak.sh", "-b", "0.0.0.0", "-Dkeycloak.migration.action=import", "-Dkeycloak.migration.provider=dir", "-Dkeycloak.migration.strategy=OVERWRITE_EXISTING","-Dkeycloak.migration.dir=/opt/jboss/keycloak/realm-config", "-Djboss.socket.binding.port-offset=1000"]
+
@@ -0,0 +1,69 @@
+KeyClock
+========
+Deploying KeyCloak on OpenShift Origin
+
+### Build
+```bash
+# build stateless KeyCloak docker image
+cd .deploy/keycloak
+docker build --tag=keycloak-openshift-stateless . 
+# Tag
+docker tag xmlking/keycloak-openshift-stateless:4.3.0.Final
+docker tag xmlking/keycloak-openshift-stateless:4.3.0.Final xmlking/keycloak-openshift-stateless:latest
+# Push
+docker push xmlking/keycloak-openshift-stateless:4.3.0.Final
+docker push xmlking/keycloak-openshift-stateless:latest
+```
+
+### Deploy
+
+#### OpenShift Deployment
+> Deploy KeyCloak to OpenShift
+
+```bash
+# login with your ID
+oc login <my OpenShift URL>
+# oc login https://console.starter-us-west-1.openshift.com
+oc project ngx-starter-kit
+cd .deploy/keycloak
+
+# create app (first time deployment)
+oc new-app -f keycloak.tmpl.yml -p APPNAME=keycloak -n ngx-starter-kit
+
+# follow next steps if you want completely delete and deploy.
+# delete only deploymentConfig
+oc delete all -l app=keycloak -n ngx-starter-kit
+
+# delete fully
+oc delete all,configmap,secret -l app=keycloak -n ngx-starter-kit
+
+# redeploy
+From OpenShift Console UI
+Applications > Deployments > ngx-starter-kit > Deploy 
+```
+
+#### Envelopment Variables
+```bash
+# When running Keycloak behind a proxy, you will need to enable proxy address forwarding.
+PROXY_ADDRESS_FORWARDING=true
+```
+
+### Export 
+> if you change keycloak config via UI, 
+> you may want to export changes and check-in in Git for automated deployment next time.
+```bash
+# get keycloak pod name
+oc get pods
+# ssh to pod
+oc rsh <keycloak-pod-name>
+# in the shell , run
+/bin/sh /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.realmName=kubernetes -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/tmp/sumo
+# copy files back to codebase
+oc rsync <pod-name>:/tmp/sumo /Developer/Work/SPA/ngx-starter-kit/.deploy/keycloak
+```
+
+### Reference 
+* Secure a Spring Boot Rest app with Spring Security and Keycloak
+ * https://sandor-nemeth.github.io/java/spring/2017/06/15/spring-boot-with-keycloak.html
+
+* https://github.com/clevercloud-jhipster/clevercloud-keycloak-jhipster-ldap/blob/master/Dockerfile
@@ -0,0 +1,152 @@
+KeyCloak Testing
+================
+
+Pre-configured KeyCloak OpenID Connect server for testing.
+
+* **Realm**: kubernetes
+* **Client ID**: kube-tenant 
+* **Accounts**:
+ * *ROLE_ADMIN*
+ 1. kubeadmin : kubeadmin
+ * *ROLE_USER*
+ 1. sumo: demo
+ 2. sumo1: demo
+ 3. sumo2: demo
+ 4. sumo3: demo
+
+
+### Configure SPA Client
+
+> set issuer, clientId in apps/webapp/src/environments/environment.ts 
+
+```json
+ auth: {
+ clientId: 'cockpit',
+ issuer: 'http://localhost:9080/auth/realms/kubernetes'
+ }
+```
+
+### Start
+
+```bash
+# Start keycloak
+docker-compose up keycloak
+
+# Stop keycloak
+docker-compose stop keycloak
+# this will remove volume created by docker.
+docker-compose down
+
+# SSH into keycloak container
+docker-compose exec keycloak sh
+
+# if you want to export keycloak config to local host
+/bin/sh /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.realmName=kubernetes -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/tmp/sumo
+# copy exported files to localhost
+docker cp <containerId>:/tmp/sumo /Developer/Work/SPA/ngx-starter-ki/.deploy/keycloak
+```
+
+
+### Use
+
+http://localhost:9080/
+> admin: admin123
+
+### Test
+
+```bash
+# Environment variable. change as per your server setup
+OIDC_BASE_URL=http://localhost:9080/auth/realms/kubernetes
+CLIENT_ID=kube-tenant
+
+USERNAME=sumo
+PASSWORD=demo
+
+# get URLs
+curl $OIDC_BASE_URL/.well-known/openid-configuration | jq .
+#get certs
+curl $OIDC_BASE_URL/protocol/openid-connect/certs | jq .
+
+# Get tokens
+response=$(curl -X POST $OIDC_BASE_URL/protocol/openid-connect/token \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -d username=$USERNAME \
+ -d password=$PASSWORD \
+ -d client_id=$CLIENT_ID \
+ -d 'grant_type=password' \
+ -d 'scope=openid')
+
+access_token=$(echo $response | jq -r '.access_token')
+id_token=$(echo $response | jq -r '.id_token')
+refresh_token=$(echo $response | jq -r '.refresh_token')
+
+# Print tokens
+echo $access_token
+echo $id_token
+echo $refresh_token
+
+# Get User Profile
+curl -X POST $OIDC_BASE_URL/protocol/openid-connect/userinfo \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -d "access_token=$access_token" | jq .
+ 
+# Logout
+curl -X POST $OIDC_BASE_URL/protocol/openid-connect/logout \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -d client_id=$CLIENT_ID \
+ -d "refresh_token=$refresh_token" | jq .
+ ```
+
+#### Example Access Token
+```json
+{
+ "jti": "726d3a1b-4d1c-44e0-b645-f6c8b38ed83f",
+ "exp": 1529217929,
+ "nbf": 0,
+ "iat": 1529217629,
+ "iss": "http://localhost:9080/auth/realms/kubernetes",
+ "aud": "kube-tenant",
+ "sub": "8602c118-9778-4eda-98a0-673382934688",
+ "typ": "Bearer",
+ "azp": "kube-tenant",
+ "auth_time": 0,
+ "session_state": "698b3e16-4f53-46b4-aa7f-ddc05c2f9ae8",
+ "acr": "1",
+ "allowed-origins": [
+ "http://localhost:4200"
+ ],
+ "realm_access": {
+ "roles": [
+ "offline_access",
+ "uma_authorization"
+ ]
+ },
+ "resource_access": {
+ "kube-tenant": {
+ "roles": [
+ "ROLE_USER"
+ ]
+ },
+ "account": {
+ "roles": [
+ "manage-account",
+ "manage-account-links",
+ "view-profile"
+ ]
+ }
+ },
+ "scope": "openid profile email",
+ "email_verified": false,
+ "name": "sumo demo",
+ "preferred_username": "sumo",
+ "given_name": "sumo",
+ "family_name": "demo",
+ "email": "sumo@demo.com"
+}
+```
+
+
+### References
+* Kubernetes Day 2 Operations: AuthN/AuthZ with OIDC and a Little Help From Keycloak
+ * https://medium.com/@mrbobbytables/kubernetes-day-2-operations-authn-authz-with-oidc-and-a-little-help-from-keycloak-de4ea1bdbbe
+* https://github.com/making/k8s-keycloak-oidc-helper/blob/master/k8s-keycloak-oidc-helper.sh