Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
l
loud-daybreak-83328
01/26/2023, 6:36 PMHi. Has anyone successfully gotten RKE to use OIDC (Keycloak) as an authentication provider? This is separate from the Rancher front-end, just the cluster itself. I have this config set in the kube-api extra_args section:
oidc-client-id: <http://myclient.example.org|myclient.example.org>
oidc-groups-claim: groups
oidc-issuer-url: <https://keycloak.example.org/realms/test>
oidc-username-claim: preferred_usernametime="2023-01-26T18:31:29Z" level=info msg="Processing v1Authenticate request..."
time="2023-01-26T18:31:29Z" level=error msg="found 1 parts of token"m
microscopic-diamond-94749
01/26/2023, 6:46 PMdo you want to use oidc as well as rancher for authentication or is this without rancher, just RKE? I've only set up KC as a Rancher Auth Provider, but I find your question intruiging.
l
loud-daybreak-83328
01/26/2023, 6:48 PMI'm trying to use a 3rd party application that won't really work with the way rancher handles users and stuff, so it needs to point directly to the cluster. So, yes, rancher will use OIDC if people need to log into directly, but this one app would have to go around the back
m
microscopic-diamond-94749
01/26/2023, 6:54 PMI have a feeling you need to set oidc as an extra authentication method in the kubelet args somewhere, not just the oidc settings
l
loud-daybreak-83328
01/26/2023, 6:57 PMhmm. I'm not sure where that would be (I haven't seen anything online anywhere for it)...maybe other K8s distros don't need those options by default and rke does.
m
microscopic-diamond-94749
01/26/2023, 6:59 PMyes you're right, at least the k8s.io docs don't mention anything other than the params you provided
but it might conflict with the rancher authentication? 🤷♂️
l
loud-daybreak-83328
01/26/2023, 6:59 PMI wouldn't be surprised about anything.
m
microscopic-diamond-94749
01/26/2023, 7:00 PMtry it with an rke cluster that isn't provisioned via rancher
l
loud-daybreak-83328
01/26/2023, 7:01 PMI think that was one of my next things to try,
m
microscopic-diamond-94749
01/26/2023, 7:01 PMthis is what I had in mind before though https://rancher.com/docs/rke/latest/en/config-options/authentication/
l
loud-daybreak-83328
01/27/2023, 11:33 AMBy any chance have you connected directly to the rancher api (through kubectl) using the oidc token rather than a Rancher token?
m
microscopic-diamond-94749
01/27/2023, 11:36 AMI haven't done that, as I mentioned we only use oidc / keycloak as the login auth provider.
l
loud-daybreak-83328
01/27/2023, 11:38 AMOk. I was just looking at this vague documentation page: https://ranchermanager.docs.rancher.com/v2.7/reference-guides/cli-with-rancher/kubectl-utility....but I think I'd still need to make a user API token, which defeats the purpose
m
microscopic-diamond-94749
01/27/2023, 11:43 AMyes, I know what you mean
it only means that you can refresh your rancher token with the
kubectl