
Authenticating applications using OpenID Connect on K8s using Sidecar - Part 1


This is the first in a series of articles on application authentication with OAuth 2.0, the industry-standard authorization framework. The series uses OpenID Connect (OIDC), the identity layer built on top of OAuth 2.0.

Part 1 covers deploying the open-source Keycloak identity and access management server on Kubernetes, and adding the users who will later log in to the sample web application:

  • Deploy Keycloak on k8s
  • Add a user to Keycloak
  • Configure an OpenID-Connect Client

OAuth 2.0 by itself is an authorization framework: it lets a user grant an application scoped access to resources on their behalf, and it issues two kinds of tokens, access tokens (short-lived, presented to the resource server) and refresh tokens (longer-lived, used only to obtain new access tokens). OpenID Connect adds authentication on top of this by also issuing an ID token, a signed JWT that asserts who the user is, which is what makes it the right choice for identifying personal user accounts rather than plain OAuth 2.0.

Deploy Keycloak on k8s.


kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

This quickstart manifest runs Keycloak against its embedded H2 database and defines no persistent volume, so the realm settings, users and clients you configure are lost when the pod restarts. That is fine for a lab; in production, use PostgreSQL or another supported external database.

Once the Keycloak pod is up and running, you will see log lines like the following:


11:42:36,205 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
11:42:36,215 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
11:42:36,216 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
11:42:36,216 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 10.0.2 (WildFly Core 11.1.1.Final) started in 100207ms - Started 689 of 994 services (708 services are lazy, passive or on-demand)

To validate that everything is running as expected:


kubectl get all

NAME                            READY   STATUS    RESTARTS   AGE
pod/keycloak-857c59449b-9c2fq   1/1     Running   0          67m

NAME                 TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service/keycloak     LoadBalancer   10.152.183.160   <pending>     8080:31910/TCP   67m

NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/keycloak   1/1     1            1           67m

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/keycloak-857c59449b   1         1         1       67m

To open the Keycloak admin console locally you need to port-forward the keycloak Service to your machine. The Service is of type LoadBalancer, but a local cluster has no load-balancer provider, which is why EXTERNAL-IP stays <pending> in the output above.

Note: I am running MicroK8s inside a Multipass VM, so the commands below are MicroK8s-specific: the first prints the VM's IP address, the second runs the port-forward inside the VM.


multipass info microk8s-vm | grep IPv4 | awk '{ print $2 }'

multipass exec microk8s-vm  -- sudo /snap/bin/microk8s kubectl port-forward service/keycloak 8080:8080 --address 0.0.0.0

Voila: the admin console is now available at http://192.168.x.x:8080 (use the IP address of the MicroK8s VM printed above; the port is 8080, the local side of the port-forward). Log in with the default credentials that the quickstart manifest sets through its KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables (user admin, password admin), and change that password before doing anything else. Two caveats for anything beyond a throwaway lab: --address 0.0.0.0 binds the forwarded port on every interface of the VM, so anyone who can reach the VM's network can reach the admin console, and the console is served over plain HTTP, so credentials and session cookies cross the network unencrypted.
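Once the console is reachable, it is worth confirming from the command line that Keycloak is actually serving OpenID Connect and that the default admin password has been changed. The script below is an added example written for this post, not code from the Keycloak project or from the original article. It assumes Keycloak 10.x (hence the /auth context path and the built-in master realm, matching the log above), the port-forward from the previous step, and curl plus a kubectl configured for the cluster on the path (on MicroK8s without an exported kubeconfig, run it inside the VM). KEYCLOAK_HOST, KEYCLOAK_PORT and REALM are variable names chosen here; admin-cli is Keycloak's built-in public client, the same one kcadm.sh logs in with.

```shell
# Added example (not from the original post or the Keycloak project):
# post-deploy checks for the Keycloak quickstart deployment.
# Assumes Keycloak 10.x (/auth context path), the Service port-forwarded
# to KEYCLOAK_HOST:KEYCLOAK_PORT, and curl + kubectl available.
# Usage: KEYCLOAK_HOST=192.168.x.x KEYCLOAK_PORT=8080 sh keycloak_check.sh

KEYCLOAK_PORT="${KEYCLOAK_PORT:-8080}"
REALM="${REALM:-master}"

# Build the OIDC discovery URL for a realm (the standard
# /.well-known/openid-configuration path under the realm's issuer).
oidc_discovery_url() {
  printf 'http://%s:%s/auth/realms/%s/.well-known/openid-configuration\n' "$1" "$2" "$3"
}

# Return 0 when a discovery document names every endpoint an OIDC client
# needs; return 1 on the first missing field.
discovery_has_required_fields() {
  doc="$1"
  for field in issuer authorization_endpoint token_endpoint jwks_uri; do
    printf '%s' "$doc" | grep -q "\"$field\"" || return 1
  done
  return 0
}

# Return 0 when a token-endpoint response carries an access token, i.e. the
# username/password pair that was tried was accepted by Keycloak.
token_response_has_access_token() {
  printf '%s' "$1" | grep -q '"access_token"'
}

main() {
  host="$KEYCLOAK_HOST"
  base="http://$host:$KEYCLOAK_PORT/auth"

  # 1. Wait for the Deployment created by the quickstart manifest to roll out.
  kubectl rollout status deployment/keycloak --timeout=300s || exit 1

  # 2. Fetch the realm's discovery document and sanity-check its contents.
  doc="$(curl -fsS "$(oidc_discovery_url "$host" "$KEYCLOAK_PORT" "$REALM")")"
  if discovery_has_required_fields "$doc"; then
    echo "OK: realm '$REALM' publishes a complete OIDC discovery document"
  else
    echo "FAIL: discovery document missing or lacks required endpoints"
    exit 1
  fi

  # 3. Try the quickstart's default admin credentials against the token
  #    endpoint using the public admin-cli client (direct access grant).
  #    No -f here: a 401 is the answer we hope for, not an error.
  resp="$(curl -sS -X POST "$base/realms/master/protocol/openid-connect/token" \
    -d grant_type=password -d client_id=admin-cli \
    -d username=admin -d password=admin)"
  if token_response_has_access_token "$resp"; then
    echo "WARN: default admin/admin credentials still accepted; change them now"
    exit 2
  fi
  echo "OK: default admin credentials are rejected"
}

# Run the checks only when a host is given, so the functions above can also
# be sourced and exercised on their own.
if [ -n "${KEYCLOAK_HOST:-}" ]; then
  main
fi
```

Exit status 0 means Keycloak serves OIDC discovery and admin/admin no longer works; 2 flags the default password as still live, which on a port-forward bound to 0.0.0.0 is an open admin console for anyone on the VM's network. The discovery check is also the first thing to reach for in Part 2 when a client fails to log in, since the issuer and endpoint URLs it returns are exactly what the application must be configured with.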


Part 2 will cover creating a sample web application, deploying it to the k8s cluster alongside a sidecar, and configuring the application to authenticate users through OpenID Connect against this Keycloak instance.
