Accessing -Dashboard from Everywhere with Keycloak Authentication

admin 1 2025-01-12


This article describes how to set up external access to the -dashboard, protecting its URL with authentication managed by a Keycloak server.

It presents how to set up a framework in which a user reaches the -dashboard only after authenticating against a system managed by Keycloak.

Prerequisites

Basic understanding of the nginx reverse proxy, Kubernetes, and OpenID Connect.

A lot of information on this matter can be found in the "Use Keycloak with API Gateway to secure APIs" blog post.

Here I'll present instructions, examples, code and screenshots taken from my home lab.

The framework used in this article consists of some KVM virtual machines (from now on, VM):

VM Name | Role              | Services                    | Description
--------|-------------------|-----------------------------|----------------------------------------------------
hdev    | Development       | kubectl, istioctl, helm     | workstation from which the cluster is managed
hserv   | External services | DNS server, Nginx, Keycloak | services used by the cluster VMs and external users
hkm     | Kubernetes master | master node                 | control plane manager for K8S
hkw1    | K8S worker 1      | first worker node           | node for hosting pods
hkw2    | K8S worker 2      | second worker node          | node for hosting pods
hkw3    | K8S worker 3      | third worker node           | node for hosting pods

The hserv VM has two LAN cards: one on an external LAN to expose services and one on an internal LAN to communicate with the Kubernetes (from now on, K8S) cluster. All the other VMs are connected only to the internal LAN.

All the machines resolve IP addresses using the DNS server installed on hserv.

The hserv and hdev machines have a Graphical User Interface (from now on, GUI). All the other machines have only the character console.

The real framework is more complex; only the relevant components are reported here.

All machines use the Ubuntu distribution, but the commands reported here should work for other distributions with some modifications. The username used throughout this article is "sysop", so the home directory will be indicated as "/home/sysop" or "~/".

Create a Certification Authority and Certificates

For all the VMs, the DNS server resolves ".h.net" to the external address of hserv. On every other machine that will access the services exposed by hserv, a line in the "/etc/hosts" file resolves ".h.net" to the external address of hserv.

Working on hserv

Create the directory for the entire project software:

cd
mkdir H

Create the directory to hold the Certification Authority (from now on, CA) certificate and the web site certificates:

cd ~/H
mkdir hservcerts
cd hservcerts

Create a private key for "hservca":

sudo openssl genrsa -out hservca.key 2048

This generates the hservca.key key file. Using this file, generate the CA certificate:

sudo openssl req -x509 -new -nodes -key hservca.key -sha256 -days 3650 -out hservca.pem

This generates the "hservca.pem" certificate file. These two files will be used to create the web site certificates.
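The following script is an added example, not code from the original article: it reproduces the two CA commands above (made non-interactive with -subj) and then uses the CA key and certificate to issue a web site certificate for a host under h.net, checking that the result chains to the CA. The hostname dashboard.h.net and the output directory are assumptions.

```shell
# Added example (not from the original article): reproduce the CA the article
# builds, then issue a web site certificate signed by it for a host under
# h.net and verify the result. Hostname and directory are assumptions; it
# runs as a normal user, so no sudo is needed.

# Usage: make_site_cert <hostname> <directory>
# Creates hservca.key/hservca.pem in <directory> if missing, then writes
# <hostname>.key and <hostname>.crt there. Returns non-zero on any failure,
# including a certificate that does not chain to the CA.
make_site_cert() {
    host="$1"
    dir="$2"
    mkdir -p "$dir" || return 1
    if [ ! -f "$dir/hservca.pem" ]; then
        # Same two commands as the article; -subj makes them non-interactive.
        openssl genrsa -out "$dir/hservca.key" 2048 2>/dev/null || return 1
        openssl req -x509 -new -nodes -key "$dir/hservca.key" -sha256 \
            -days 3650 -subj "/CN=hservca" -out "$dir/hservca.pem" || return 1
    fi
    # Private key and signing request for the web site.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" || return 1
    # Browsers match the URL against subjectAltName, not the CN, so the SAN
    # must carry the exact name that will be opened (e.g. dashboard.h.net).
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/$host.ext" || return 1
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/hservca.pem" \
        -CAkey "$dir/hservca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null || return 1
    # The checks a client performs: the chain verifies against the CA and
    # the SAN contains the requested name.
    openssl verify -CAfile "$dir/hservca.pem" "$dir/$host.crt" >/dev/null \
        || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

# Example run: issue a certificate for the dashboard hostname (assumed name).
make_site_cert dashboard.h.net ./hservcerts && echo "dashboard.h.net: OK"
```

Once the CA has been added to the operating system as described later in the article, running the same `openssl verify` with `-CAfile /etc/ssl/certs/ca-certificates.crt` confirms that the system trust store accepted it.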

Add the CA to Browsers

To be able to access web sites whose certificates are issued by this private CA, the CA certificate file has to be added to every web browser that will access these sites.

Working on hdev

Copy the "hservca.pem" file to any machine that will access these sites:

cd
cp ~/H/hservcerts/hservca.pem .
rcp hservca.pem mirto@_any_machine_name_://home/_your_username_/

For Firefox browser go to:

Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import

and import "hservca.pem" (remember to flag all options).

For Chromium or Chrome browsers go to:

Settings -> Advanced -> Privacy and security -> Manage certificates -> Authorities -> Import

and import "hservca.pem" (remember to flag all options).

Add the CA to the Operating System

Working on hdev

Copy the "hservca.pem" file to the "/home/sysop" directory. Copy this file to any other machine that will use certificates signed by this CA:

cd
cp ~/H/hservcerts/hservca.pem .
rcp hservca.pem mirto@_any_machine_name_://home/_your_username_/

Work on any machine

Then, on hserv and on any other machine, do the following:

cd
sudo mkdir -p /usr/share/ca-certificates/extra
sudo cp hservca.pem /usr/share/ca-certificates/extra/hservca.crt
sudo dpkg-reconfigure ca-certificates

Attention:

• "dpkg-reconfigure ca-certificates" does not recognize the ".pem" extension, so copy the "hservca.pem" file to "hservca.crt".

• Select the new certificate in "dpkg-reconfigure ca-certificates" (extra/hservca.crt is not selected automatically).

Confirm that you want to proceed: select "yes" and click "Ok". Then select the new "hservca.crt" entry and click "Ok".

Install nginx-mainline

Make sure the system is up to date:

sudo apt update
sudo apt full-upgrade

Install the prerequisites:

sudo apt install wget gnupg2 ca-certificates lsb-release ubuntu-keyring software-properties-common -y

Download the Nginx GPG signing key into a dedicated keyring:

wget -O- https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

Add the Nginx mainline apt repository, restricted to packages signed by that key:

echo deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx | sudo tee /etc/apt/sources.list.d/nginx-mainline.list

Pin the Nginx repository so its packages take precedence over the distribution ones:

echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx

Update apt and install nginx:

sudo apt update
sudo apt install nginx

Install Keycloak

Work on hserv

Prerequisites

Install the JDK:

sudo apt install default-jdk

Remove anacron:

sudo apt remove anacron

Reboot the hserv machine.

Keycloak Installation

Go to the base installation directory and download the Keycloak installation files (check which release is the latest):

cd ~/H/
wget https://github.com/keycloak/keycloak/releases/download/20.0.1/keycloak-20.0.1.zip

Extract the files:

unzip keycloak-20.0.1.zip

Go to the bin directory and start Keycloak in standalone mode:

cd ~/H/keycloak-20.0.1/bin/
./kc.sh start-dev

Verify that Keycloak is accessible from hserv at the URL "http://localhost:8080".

Create the admin user with username "admin" and password "1357Togo".

Go to the administration console.

Log in; the "Master" realm appears. Note the Keycloak version.

Automatic Keycloak Startup

Work on hserv

Create in "/usr/lib/systemd/system" a file named "keycloak.service" containing:

[Unit]
Description=keycloak service
After=network.service

[Service]
# systemd does not run ExecStart= through a shell, so a ">/var/log/keycloak.log 2>&1"
# redirection would be passed to kc.sh as plain arguments; use StandardOutput/StandardError instead.
ExecStart=/home/sysop/H/keycloak-20.0.1/bin/kc.sh start-dev
StandardOutput=append:/var/log/keycloak.log
StandardError=inherit
# Added here: run as the unprivileged owner of the Keycloak directory instead of root.
User=sysop
PIDFile=/var/run/keycloak.pid

[Install]
WantedBy=multi-user.target

Enable and activate the service.

