Deploying Rails Book

Useful Links when Setting up SSO on Kubernetes

While creating the comprehensive guide to Kubernetes SSO, I leant heavily on many great pieces of existing content; a lot of them are included here.

LDAP section of the Keycloak manual: https://www.keycloak.org/docs/6.0/server_admin/#_ldap

Tutorial on Keycloak + OpenLDAP: https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/authenticate-against-openldap/

Using Keycloak to authenticate general web applications (sidecar approach): https://www.openshift.com/blog/adding-authentication-to-your-kubernetes-web-applications-with-keycloak

Gatekeeper (by Keycloak): https://www.keycloak.org/docs/latest/securing_apps/index.html#_keycloak_generic_adapter

Gatekeeper (by Keycloak) on Docker Hub: https://hub.docker.com/r/keycloak/keycloak-gatekeeper/

Replacement for Gatekeeper (which is now EOL): https://github.com/oauth2-proxy/oauth2-proxy

Docker registry authentication with Keycloak: https://developers.redhat.com/blog/2017/10/31/docker-authentication-keycloak/

Gitea authentication documentation: https://docs.gitea.io/en-us/authentication/

OAuth 2 with Nginx Ingress: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

oauth2-proxy, which supports Keycloak as a provider: https://github.com/oauth2-proxy/oauth2-proxy

Another tutorial on using oauth2-proxy with nginx auth: https://www.digitalocean.com/community/tutorials/how-to-protect-private-kubernetes-services-behind-a-github-login-with-oauth2_proxy

Introduction to the ldapsearch cli utility: https://www.splunk.com/en_us/blog/tips-and-tricks/ldapsearch-is-your-friend.html

Deep dive into LDAP password encryption: https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html

Introduction to OUs (organisational units) in LDAP: https://www.theurbanpenguin.com/openldap-ous/

Article on synchronising groups between LDAP and Keycloak: https://www.janua.fr/mapping-ldap-group-and-roles-to-redhat-sso-keycloak/

Selection of examples of ldapsearch usage: https://docs.oracle.com/cd/E19450-01/820-6169/ldapsearch-examples.html

Thread on how Gitea treats OAuth2 and LDAP logins differently: https://github.com/go-gitea/gitea/issues/1124?_pjax=%23js-repo-pjax-container#issuecomment-284911694

Gitea LDAP documentation: https://docs.gitea.io/en-us/authentication/

Some examples of LDAP search filters: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

How to enable the memberOf feature in OpenLDAP: https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/

LDIF files for enabling the memberOf feature in OpenLDAP: https://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/

Detailed GitHub issue on getting memberOf to work with the osixia docker-openldap image: https://github.com/osixia/docker-openldap/issues/304

Kubernetes Day 2 operations, including OIDC (this article is fantastic): https://medium.com/@mrbobbytables/kubernetes-day-2-operations-authn-authz-with-oidc-and-a-little-help-from-keycloak-de4ea1bdbbe

Kubernetes docs on configuring OIDC: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server

Kube OIDC Proxy, a tool for enabling OIDC authentication on managed clusters that don't allow API server OIDC configuration by default (e.g. EKS on AWS): https://github.com/jetstack/kube-oidc-proxy

Loads of great content about Keycloak: https://github.com/thomasdarimont/awesome-keycloak

Web application for generating kubeconfig files when working with OIDC: https://github.com/heptiolabs/gangway

AWS article on the use of kube-oidc-proxy: https://aws.amazon.com/blogs/opensource/consistent-oidc-authentication-across-multiple-eks-clusters-using-kube-oidc-proxy/

Tool for logging into kubectl via OIDC: https://github.com/int128/kubelogin/blob/master/docs/setup.md

More on debugging OIDC login: https://github.com/int128/kubelogin/issues/156

More on the different kubelogin flows (e.g. browser vs. password): https://github.com/int128/kubelogin/blob/master/docs/usage.md

Grafana OIDC info: https://grafana.com/docs/grafana/latest/auth/generic-oauth/

The series:

  1. Contents and overview
  2. Installing OpenLDAP
  3. Installing Keycloak
  4. Linking Keycloak and OpenLDAP
  5. OIDC Kubectl Login with Keycloak
  6. Authenticate any web app using ingress annotations
  7. Gitea (requires LDAP)
  8. Simple Docker Registry
  9. Harbor Docker Registry with ACL