OIDC with Keycloak which is also in the cluster? #1900
Comments
@senpro-ingwersenk Did you follow these docs to set up Headlamp with Keycloak OIDC? Can you redact sensitive information and share a screenshot/logs of the error that you see in the browser console?
The guide assumes that Keycloak is hosted outside the cluster - which mine is not.
So I did my best to try and make a configuration and deployment that would get close to this - but logging in via OIDC to Headlamp shows this in my browser console: When I use the I did try to find similar options for k3s in particular, but couldn't - but it is likely that I missed it.
@senpro-ingwersenk Hi! Thanks for your efforts to run it. I really wonder why it is important to distinguish between keycloak outside the cluster and inside - I think in both cases you should publish Keycloak outside with Ingress (i.e. Traefik in your case?) and use domain name pointing to ingress. Also please check that the services published with the ingress are accessible from the cluster itself - it could be an issue, particularly when running in clouds like DO.
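A concrete form of the check suggested in this reply, as an added example that is not part of the thread or of Headlamp's code: run it from a pod inside the cluster with the Keycloak issuer URL as its argument, and it fetches the OIDC discovery document over the same path the API server and the Headlamp pod will use, then compares it with the issuer value the API server is configured with (`--oidc-issuer-url`, passed on k3s via `--kube-apiserver-arg`). The hostname and realm in the constructed sample document are placeholders.

```python
# Check that an OIDC issuer is reachable from inside the cluster and that its
# discovery document is consistent with the API server's configured issuer.
import json
from urllib.parse import urlparse
from urllib.request import urlopen

def fetch_discovery(issuer_url: str, timeout: float = 5.0) -> dict:
    """Fetch <issuer>/.well-known/openid-configuration (needs network access)."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def check_discovery(doc: dict, configured_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is consistent."""
    problems = []
    issuer = doc.get("issuer")
    if issuer is None:
        return ["discovery document has no 'issuer' field"]
    # The API server compares the token's iss claim with --oidc-issuer-url as an
    # exact string; a trailing slash or http/https difference fails validation.
    if issuer != configured_issuer:
        problems.append(f"issuer mismatch: document {issuer!r} vs configured {configured_issuer!r}")
    parsed = urlparse(issuer)
    if parsed.scheme != "https":
        problems.append(f"issuer is not https: {issuer}")
    jwks = doc.get("jwks_uri")
    if not jwks:
        problems.append("no jwks_uri: the API server cannot fetch signing keys")
    elif urlparse(jwks).hostname != parsed.hostname:
        # The cluster must be able to resolve and reach this host as well.
        problems.append(f"jwks_uri host {urlparse(jwks).hostname!r} differs from issuer host")
    for field in ("authorization_endpoint", "token_endpoint"):
        if field not in doc:
            problems.append(f"missing {field}")
    return problems

# Constructed sample shaped like a Keycloak realm's discovery document (placeholder host/realm).
SAMPLE_DOC = {
    "issuer": "https://keycloak.example.internal/realms/myrealm",
    "authorization_endpoint": "https://keycloak.example.internal/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.internal/realms/myrealm/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.internal/realms/myrealm/protocol/openid-connect/certs",
}

if __name__ == "__main__":
    import sys
    issuer = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DOC["issuer"]
    doc = fetch_discovery(issuer) if len(sys.argv) > 1 else SAMPLE_DOC
    for line in check_discovery(doc, issuer) or ["OK: discovery document matches configured issuer"]:
        print(line)
```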
Hello!
Discussions were disabled, so apologies for posting this as an issue. :)
Most of my company colleagues aren't as terminal-savvy as me and a former worker had deployed a k3s cluster here. Now I added Headlamp as a nice Web UI to give my colleagues an entrypoint into the cluster so they can see what it is doing and the likes.
However, I had wanted to use our existing Keycloak OIDC structure, bound to our AD, to enable seamless SSO. And I can, in fact, click the login button and it "logs me in" - but the browser console tells me that I am unauthenticated.
Granted, I know that it is attempting to authenticate me directly with the API server through OIDC.
Question is, how can I realize that, without having to share a singular service account token around? I shared it with another colleague for now so they can try Headlamp out besides myself, but I would like to integrate it into our existing infrastructure.
Since the container has the service account loaded and a ClusterRoleBinding is established, Headlamp can authenticate with this just fine, in theory.
Is there anything I missed or that I have to do to make it work?
Here is the current deployment, in full:
Full deployment YAML
Thanks and kind regards!