Elastic / Kibana Keycloak Integrationπ
This document summarizes helm values and manual steps that are required to integrate with keycloak.
Configuration Stepsπ
These are the items you need to do to configure keycloak, elastic search, and kibana for SSO on the ECK stack in your Big Bang installation.
Keycloak Configurationπ
Prerequisitesπ
Keycloak is configured with a working Realm including Groups and Users.
Processπ
- Create an elastic OIDC client scope with the following mappings
Name | Mapper Type | Mapper Selection Sub | Token Claim Name | Claim JSON Type |
---|---|---|---|---|
user property | string | |||
group | Group Membership | N/A | groups | N/A |
username | User Property | username | preferred_username | string |
- Create an elastic client
- Change the following configuration items
- access type: confidential this will enable βCredentialsβ
- Direct Access Grants Enabled: Off
- Valid Redirect URIs: kibana.${DOMAIN}/*
- Set Client Scopes
- Default Client Scopes: elastic (the client scope you created in the previous step)
- optional client scopes: N/A
- Take note of the client secret in the credential tab
To verify the client, check that these fields are present:
{
"exp": 9999999999,
"iat": 9999999999,
"jti": "00000000-0000-0000-0000-000000000000",
"iss": "https://${keycloakRootUrl}/auth/realms/{realm_name}",
"sub": "00000000-0000-0000-0000-000000000000",
"typ": "Bearer",
"azp": "${client_id}",
"session_state": "00000000-0000-0000-0000-000000000000",
"acr": "1",
"scope": "openid elastic",
"groups": [
"group_1",
"...",
"group_n"
],
"preferred_username": "${username}",
"email": "${email}"
}
Elastic Configurationπ
The config changes needed for SSO/Keycloak in Elastic are embedded in the helm chart and require values to be set.
Set the values for your elasticsearch-kibana helm chart as follows:
sso:
enabled: true # Toggle this on
client_id: # Set this to your elastic client id from Keycloak
client_secret: # Set this to the client credential from keycloak
oidc:
host: # Set this to the base URL for your Keycloak instance, i.e. keycloak.example.com
realm: # Set this to the realm being used from Keycloak
kibanaBasicAuth:
enabled: true # This should initially be enabled to allow you to setup role mappings
Make sure that you have enabled an enterprise license via the operator - this can be done in Big Bang via the logging values section.
NOTE: Local development makes use of login.dsop.io and the necessary values are committed in the values.yaml files in each repo.
OIDC Custom CAπ
Elasticsearch can be configured to point to specific files to trust with an OIDC auth connection, here is an example when using Big Bang to deploy elasticsearch-kibana, assuming you are populating a secret named βoidc-ca-certβ in the same namespace, with a key of ca.crt
and value of a single PEM encoded certificate:
logging:
values:
elasticsearch:
master:
volumes:
- name: cert
secret:
secretName: oidc-ca-cert
defaultMode: 0644
volumeMounts:
- mountPath: "/usr/share/elasticsearch/config/oidc/ca.crt"
name: cert
subPath: ca.crt
readOnly: true
data:
volumes:
- name: cert
secret:
secretName: oidc-ca-cert
defaultMode: 0644
volumeMounts:
- mountPath: "/usr/share/elasticsearch/config/oidc/ca.crt"
name: cert
subPath: ca.crt
readOnly: true
sso:
cert_authorities: ["/usr/share/elasticsearch/config/oidc/ca.crt"]
NOTE: Only Elasticsearch contains the SSO configuration, no need to add volumes/Mounts to Kibana via values.
NOTE: The path for the cert authority can be any path on the container as long as itβs not overwriting an existing file, the path above is an example that has been used for testing.
Kibana Configurationπ
Kibana requires no additional helm values changes, since all of the above will incorporate the necessary Kibana changes.
To set up role mappings and fully enable SSO:
- Decrypt the elasticsearch user secret from the kubernetes secret
- kubectl get secrets -n logging logging-ek-es-elastic-user -o yaml | grep elastic: | awk 'NR==1{printf $2}' | base64 -d | xargs echo
- Log into kibana with user elastic and the decrypted password
- Go to Management -> Stack Management -> Security -> Role Mappings
- Create the desired role
- For development the following settings will make everyone a super user. Roles: Superuser, Mapping rules: groups = *
- NOTE: for integration other oauth providers (such as google), you may need to adjust this role mapping to something like username = *
- You should now be able to login to Kibana with Keycloak realm users