
Configure OIDC on Rancher

Create the Keycloak resources

This can be done either by following the Rancher documentation on Keycloak OIDC or by using the KeycloakImporter Helm chart with the provided values file keycloak-import-values.yaml.

This values file is not complete! You need to provide the following (their placement can be found by searching for <anchor> in the file):

  • a username and password for a Keycloak account with enough permissions to add clients, groups and users.
  • a password for the user rancher-admin

Once you have replaced every placeholder you can install the KeycloakImporter Helm chart:

# This command assumes that the rancher and keycloakimporter directories sit side by side in the same parent folder
helm upgrade --install --namespace cattle-system -f keycloak-import-values.yaml keycloakimporter-rancher ../keycloakimporter/keycloakimporter

Activate OIDC in the Rancher UI

First connect to the Keycloak admin console to retrieve the configuration information:

  1. Select the realm kosmos in the upper left corner
  2. Click on Clients in the left panel to show the client list, then click on rancher in that list
  3. Click on the Credentials tab and retrieve the Client Secret
  4. Click on Realm Settings in the left panel, then at the bottom of the settings click on the OpenID Endpoint Configuration link.
  5. Keep the new browser tab open; it lists the issuer and endpoint URLs you will paste into Rancher

Then open the Rancher UI and log in as an admin user:

  1. Click on the user icon in the bottom left corner
  2. Click on the Auth Provider tab in the new left panel
  3. Click on the Keycloak entry labeled with an orange OIDC badge
  4. Fill in the fields of the Configure a Keycloak OIDC account section:
    • the Client ID is rancher
    • the Client Secret is the one retrieved from the Keycloak UI previously (step 3)
    • do not fill the Private Key and Certificate fields
  5. In the Endpoints section select Specify, click on the Show Advanced button and keep your Keycloak OpenID Endpoint Configuration nearby:
    • leave the Rancher URL as is
    • Issuer: paste the value of the issuer field from the Keycloak configuration (it must match the iss claim of the tokens Keycloak issues, so copy it exactly, including the scheme)
    • Auth Endpoint: paste the value of the authorization_endpoint field from the Keycloak configuration
    • Token Endpoint: paste the value of the token_endpoint field from the Keycloak configuration
    • User Info Endpoint: paste the value of the userinfo_endpoint field from the Keycloak configuration
    • JWKS URL & Authorization Context Reference: do not fill
  6. Click on Save and, when asked to, authenticate with the rancher-admin@athea.tech user. Rancher performs this test login before enabling the provider, so a wrong secret or endpoint shows up here rather than locking you out later
    • the password can be retrieved with the command:
     kubectl -n cattle-system get secret rancher-admin-oidc -o jsonpath='{.data.password}' | base64 --decode ; echo
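The endpoint values pasted in step 5 come straight from the realm's OpenID Endpoint Configuration document, and the most common reason the test login in step 6 fails is that the issuer advertised there does not match what Rancher expects (for example an http issuer because Keycloak sits behind a TLS-terminating proxy and does not know its public hostname). The script below is an added example, not code from the original page nor from Rancher or Keycloak: it fetches (or, offline, uses a constructed copy of) the discovery document for the kosmos realm, checks it for the usual problems, and prints the values for each Rancher field. The Keycloak base URL keycloak.example.test and the embedded sample document are assumptions made for the example.

```python
"""Map a Keycloak realm's OIDC discovery document onto Rancher's "Specify"
endpoint fields and sanity-check it first.

Added example; not part of the original page or of Rancher/Keycloak.
Assumptions: realm "kosmos", the base URL below, and SAMPLE_DOC, which is a
constructed discovery document (not captured from a real server).
"""
import json
import sys
import urllib.request
from typing import Dict, List
from urllib.parse import urlparse

# Rancher field (from step 5 of the page) -> key in the discovery document
RANCHER_FIELDS = {
    "Issuer": "issuer",
    "Auth Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "User Info Endpoint": "userinfo_endpoint",
}

WELL_KNOWN = "/.well-known/openid-configuration"
SAMPLE_BASE = "https://keycloak.example.test"  # assumption: your Keycloak base URL

# Constructed sample of what Keycloak serves for the kosmos realm.
SAMPLE_DOC = {
    "issuer": f"{SAMPLE_BASE}/realms/kosmos",
    "authorization_endpoint": f"{SAMPLE_BASE}/realms/kosmos/protocol/openid-connect/auth",
    "token_endpoint": f"{SAMPLE_BASE}/realms/kosmos/protocol/openid-connect/token",
    "userinfo_endpoint": f"{SAMPLE_BASE}/realms/kosmos/protocol/openid-connect/userinfo",
    "jwks_uri": f"{SAMPLE_BASE}/realms/kosmos/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "token id_token"],
}


def discovery_url(keycloak_base: str, realm: str) -> str:
    """URL behind Keycloak's "OpenID Endpoint Configuration" link."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}{WELL_KNOWN}"


def fetch_discovery(url: str) -> Dict:
    """Download the discovery document (only used with a live Keycloak)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def validate_discovery(doc: Dict, url: str) -> List[str]:
    """Return a list of problems; an empty list means the document is usable."""
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + url)
    problems = []
    # Rancher compares the id_token's iss claim with the Issuer it was given;
    # for Keycloak that is exactly the discovery URL minus the well-known suffix.
    expected_issuer = url[: -len(WELL_KNOWN)]
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != {expected_issuer!r} (check Keycloak's public hostname/proxy settings)")
    issuer_host = urlparse(issuer).netloc
    for field, key in RANCHER_FIELDS.items():
        if key == "issuer":
            continue
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key} (needed for Rancher field {field!r})")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        if parsed.netloc != issuer_host:
            problems.append(f"{key} host {parsed.netloc!r} differs from issuer host {issuer_host!r}")
    # Rancher uses the authorization code flow; the realm must advertise it.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not in response_types_supported")
    return problems


def rancher_fields(doc: Dict) -> Dict[str, str]:
    """Values to paste into each Rancher field, keyed by the field's label."""
    return {field: doc[key] for field, key in RANCHER_FIELDS.items()}


if __name__ == "__main__":
    # Usage: python3 check_oidc.py [https://your-keycloak]   (no argument = offline sample)
    url = discovery_url(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_BASE, "kosmos")
    document = fetch_discovery(url) if len(sys.argv) > 1 else SAMPLE_DOC
    for problem in validate_discovery(document, url):
        print("PROBLEM:", problem)
    for field, value in rancher_fields(document).items():
        print(f"{field}: {value}")
```

Run it against your own Keycloak before filling the Rancher form; if it reports an issuer mismatch, fix Keycloak's hostname configuration rather than pasting the mismatched value, since Rancher will reject tokens whose iss claim differs from the configured Issuer.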

With OIDC now active, you can set up basic authorization:

  1. While still on the Authentication Provider: Keycloak (OIDC) result page, click on Restrict access to only the authorized users & groups. Without this, any user in the kosmos realm who can authenticate against the rancher client is allowed to log in to Rancher
  2. In the new Authorized Users & Groups section, add the following groups and click on Save
    • adminsysteme
    • adminsecurite
    • admininfra
  3. In the left panel click on Groups
  4. For each of the three groups above, click on Assign Global Roles, in Select Member choose the group, give it the global permission Administrator and click on Save:
    • adminsysteme
    • adminsecurite
    • admininfra