
Keycloak integration with new Che Helm chart

Open rakeshreddyrg09 opened this issue 3 years ago • 6 comments

Summary

Hello team,

Can anyone share the documentation flow for how to set up Eclipse Che OIDC with Keycloak, which is installed in the same k8s cluster?

This is how I am currently passing details through the values file. OIDC-che client-test-keycloak

Also, I have tried different Keycloak issuer URLs, like the ones below:

http://keycloak-discovery/auth/realms/TEST_DEV/.well-known/openid-configuration
http://keycloak-discovery/auth/realms/TEST_DEV/protocol/openid-connect/token/introspect

Error in oauth-proxy:

[2022/07/08 13:27:12] [options.go:72] Performing OIDC Discovery...
[2022/07/08 13:27:12] [options.go:80] error: failed to discover OIDC configuration: error performing request: Get "http://keycloak-discovery/auth/realms/TEST_DEV/protocol/openid-connect/auth/.well-known/openid-configuration": dial tcp: lookup keycloak-discovery on 10.43.0.10:53: no such host
[2022/07/08 13:27:12] [main.go:54] Get "http://keycloak-discovery/auth/realms/TEST_DEV/protocol/openid-connect/auth/.well-known/openid-configuration": dial tcp: lookup keycloak-discovery on 10.43.0.10:53: no such host

For all 3 different URLs I am getting the same error. Can anyone help me figure out what I am missing here?

Thank you, Eclipse Che team.

Relevant information

No response

rakeshreddyrg09 avatar Jul 08 '22 13:07 rakeshreddyrg09

Hi @rakeshreddyrg09, thanks for opening an issue. I'm a little confused by the identityProviderURL here -- does http://keycloak-discovery resolve in your DNS to the keycloak pod in-cluster?

cc: @tolusha you're more familiar with OIDC setup in Che. I'd appreciate your help here if you're available.

amisevsk avatar Jul 08 '22 20:07 amisevsk

Hello @amisevsk, thank you for the reply. Here is my Keycloak ingress; other components in my cluster are able to do the OIDC OAuth successfully. [image] I have tried with my other host too, but got the same result. [image]

rakeshreddyrg09 avatar Jul 09 '22 02:07 rakeshreddyrg09

I think the correct issuer URL must be the following: https://<KEYCLOAK_ADDR>/realms/<REALM_NAME>, for instance https://keycloak.192.168.59.253.nip.io/realms/che

tolusha avatar Jul 18 '22 12:07 tolusha
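
An added example, not part of the thread and not Che or oauth-proxy code: a Python check for a configured issuer URL, built on what the log above shows (the client appends `/.well-known/openid-configuration` to whatever issuer it is given). The function names and the stand-in resolver are assumptions made for this illustration.

```python
import socket
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"  # fixed by OpenID Connect Discovery 1.0

def discovery_url(issuer):
    """URL a client fetches for discovery: configured issuer + well-known suffix."""
    return issuer.rstrip("/") + SUFFIX

def constructed_resolver(host, port):
    """Constructed stand-in for cluster DNS so the example runs offline."""
    known = {"keycloak.192.168.59.253.nip.io"}  # sample host from the thread
    if host not in known:
        raise socket.gaierror("no such host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.168.59.253", port))]

def check_issuer(issuer, discovery_doc=None, resolver=socket.getaddrinfo):
    """Return a list of problems with a configured issuer URL (empty means OK)."""
    parts = urlsplit(issuer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["issuer is not an absolute http(s) URL"]
    problems = []
    path = parts.path.rstrip("/")
    if ".well-known" in path:
        problems.append("issuer already contains the discovery path")
    if "/protocol/openid-connect" in path:
        problems.append("issuer is an endpoint URL, not the realm base URL")
    try:
        # Must be resolvable from where the proxy runs (inside the cluster).
        resolver(parts.hostname, parts.port or (443 if parts.scheme == "https" else 80))
    except socket.gaierror:
        problems.append(f"host {parts.hostname!r} does not resolve")
    if discovery_doc is not None:
        # Discovery requires the document's issuer to equal the configured one.
        if discovery_doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
            problems.append("discovery document issuer differs from configured issuer")
    return problems

if __name__ == "__main__":
    for url in (
        "http://keycloak-discovery/auth/realms/TEST_DEV/protocol/openid-connect/auth",
        "https://keycloak.192.168.59.253.nip.io/realms/che",
    ):
        print(discovery_url(url), check_issuer(url, resolver=constructed_resolver))
```

With the default resolver, run it from a pod next to the proxy, since a name that resolves on a workstation may not resolve through cluster DNS.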

Hi @tolusha, I tried the above configuration, but I am still getting the same error.

rakeshreddyrg09 avatar Jul 20 '22 04:07 rakeshreddyrg09

I've prepared a draft script showing how to set up Keycloak as an OIDC provider on minikube and deploy Eclipse Che. Could you check if it can shed light on your problem?

[1] https://gist.github.com/tolusha/345c59eb36a136ffdbce61acbee9c50a

tolusha avatar Jul 21 '22 11:07 tolusha

Hi @tolusha, Thank you for your reply. Actually I am using a k3d cluster.

rakeshreddyrg09 avatar Jul 21 '22 12:07 rakeshreddyrg09

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

che-bot avatar Jan 17 '23 00:01 che-bot