
Identity set-up

Purpose

This section deploys resources for identity and access management.

Stage 2 – Set Up Identity and Access Management

How to complete this stage

You will:

  • Install and configure an OpenID Connect (OIDC) Identity Provider using a Keycloak Helm chart
  • Deploy an OAuth2Proxy for authentication and Redis for session storage using a Helm chart
  • Install MongoDB for ABAC data storage using a Helm chart

2.1 Create Namespaces

Create Kubernetes namespaces for two demonstration organisations, org-a and org-b, and label them so that Istio injects its sidecar proxy into pods deployed there:

kubectl create namespace org-a
kubectl label namespace org-a istio-injection=enabled
kubectl create namespace org-b
kubectl label namespace org-b istio-injection=enabled

2.2 Deploy Keycloak Helm chart for identity management

Install Keycloak as the OpenID Connect (OIDC) Identity Provider:

kubectl create namespace keycloak
kubectl label namespace keycloak istio-injection=enabled
helm install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak -n keycloak \
  --set image.repository=bitnamilegacy/keycloak \
  --set postgresql.image.repository=bitnamilegacy/postgresql \
  --set global.security.allowInsecureImages=true \
  --set resources.requests.cpu=50m \
  --set resources.requests.memory=256Mi \
  --set postgresql.primary.resources.requests.cpu=50m \
  --set postgresql.primary.resources.requests.memory=128Mi

Execute these commands. Follow the steps in the output to retrieve the Keycloak URL.

export SERVICE_PORT=$(kubectl get --namespace keycloak -o jsonpath="{.spec.ports[?(@.name=='http')].port}" services keycloak)
kubectl port-forward --namespace keycloak svc/keycloak ${SERVICE_PORT}:${SERVICE_PORT} & echo "http://127.0.0.1:${SERVICE_PORT}/"

If that URL is not reachable, forward the service to local port 8080 instead (the admin panel URL in 2.3 assumes this mapping):

kubectl port-forward -n keycloak svc/keycloak 8080:80

Retrieve the Kubernetes secret generated by Helm:

kubectl get secret keycloak-postgresql -n keycloak -o jsonpath="{.data.password}" | base64 --decode; echo

Check access to Keycloak's PostgreSQL database using the secret:

kubectl exec -it keycloak-postgresql-0 -n keycloak -- psql -U bn_keycloak -d bitnami_keycloak

When prompted, enter the secret returned in the previous step.

Troubleshooting

If you encounter errors and need to reinstall Keycloak, ensure that you also delete the Persistent Volume Claims (PVCs), otherwise the old database state is reused by the new install:

helm uninstall keycloak -n keycloak
kubectl delete pvc --all -n keycloak

Guide to importing a Keycloak realm, e.g. from the IA Node or Management Node JSONs: https://www.keycloak.org/operator/realm-import

2.3 Keycloak realm configuration

Open the Keycloak administration panel in a browser at http://127.0.0.1:8080/. Log in to the admin account with the credentials provided at the installation step, e.g. admin and admin123.

Return to the command line and store the client secrets that you recorded as Kubernetes secrets in the keycloak namespace (the environment variables IANODE_SECRET and MANAGEMENTNODE_SECRET must hold the values you recorded):

kubectl -n keycloak create secret generic keycloak-ianode-secret --from-literal=client-secret=${IANODE_SECRET}
kubectl -n keycloak create secret generic keycloak-management-node-client --from-literal=client-secret=${MANAGEMENTNODE_SECRET}

2.4 Deploy OIDC helper, OAuth2Proxy and Redis

Deploy the ia-node-oidc helper chart to help with setting up an OIDC conformant Identity Provider (IdP) to work with the IA Node setup.

helm install ia-node-oidc oci://ghcr.io/national-digital-twin/helm/ia-node-oidc -n org-a \
  --set oidcProvider.configMap.redirect_url="http://localhost/oauth2/callback" \
  --set istio.authorizationPolicy.enabled=false

Deploy OAuth2Proxy and Redis with Helm:

helm install oauth2-proxy oci://registry-1.docker.io/bitnamicharts/oauth2-proxy -n org-a \
  --set configuration.existingSecret="oauth2-proxy-default" \
  --set configuration.existingConfigmap="oauth2-proxy-default" \
  --set istio.virtualService.hosts[0]="*" \
  --set image.repository=bitnamilegacy/oauth2-proxy \
  --set redis.image.repository=bitnamilegacy/redis \
  --set global.security.allowInsecureImages=true
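Before trusting the wiring between the Keycloak realm (2.3) and OAuth2Proxy (2.4), it is worth checking what the IdP actually advertises and that the client's redirect registration matches the redirect_url given to the helper chart. The script below is an added example written for this guide; it is not part of the IA Node project or its charts. It assumes a realm named org-a, Keycloak reachable through the port-forward at http://127.0.0.1:8080, and the callback http://localhost/oauth2/callback from the ia-node-oidc command above; the discovery document embedded in it is a constructed sample shaped like Keycloak's .well-known/openid-configuration response, not output captured from a deployment.

```python
"""Pre-flight checks on the OIDC IdP before relying on OAuth2Proxy.

Added example for this guide, not project code. Assumptions (labelled
inline): realm org-a, Keycloak on http://127.0.0.1:8080 via port-forward,
and the OAuth2Proxy callback from the ia-node-oidc chart's redirect_url.
"""
from __future__ import annotations

import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample modelled on Keycloak's discovery document; the realm
# name org-a is an assumption and nothing here was captured from a live IdP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://127.0.0.1:8080/realms/org-a",
    "authorization_endpoint": "http://127.0.0.1:8080/realms/org-a/protocol/openid-connect/auth",
    "token_endpoint": "http://127.0.0.1:8080/realms/org-a/protocol/openid-connect/token",
    "jwks_uri": "http://127.0.0.1:8080/realms/org-a/protocol/openid-connect/certs",
    "response_types_supported": ["code", "none", "id_token", "token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def fetch_discovery(issuer: str) -> str:
    """Download the discovery document from a live issuer (network call)."""
    url = f"{issuer.rstrip('/')}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def check_discovery(doc_text: str, expected_issuer: str) -> list[str]:
    """Return the problems found in a discovery document; empty means it looks sane."""
    doc = json.loads(doc_text)
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        # OAuth2Proxy compares the token's iss claim with the configured issuer,
        # so a mismatch here will surface later as rejected logins.
        problems.append(f"issuer mismatch: expected {expected_issuer!r}, got {issuer!r}")
    iss = urlparse(issuer)
    # Endpoints on a different scheme/host than the issuer usually mean the
    # IdP's public hostname or proxy headers are misconfigured.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlparse(doc.get(key, ""))
        if doc.get(key) and (ep.scheme, ep.netloc) != (iss.scheme, iss.netloc):
            problems.append(f"{key} is on {ep.netloc!r}, issuer is on {iss.netloc!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ('none') ID tokens are allowed")
    return problems


def check_redirect_uris(registered: list[str], callback_url: str) -> list[str]:
    """Compare the client's Valid Redirect URIs with the OAuth2Proxy callback."""
    problems = []
    if callback_url not in registered:
        problems.append(f"callback {callback_url!r} is not registered exactly")
    for uri in registered:
        if "*" in uri:
            problems.append(f"wildcard redirect URI {uri!r}; register exact URLs instead")
    return problems


if __name__ == "__main__":
    ISSUER = "http://127.0.0.1:8080/realms/org-a"   # assumption: realm org-a, port-forward
    CALLBACK = "http://localhost/oauth2/callback"   # redirect_url passed to ia-node-oidc
    # Against a running port-forward use fetch_discovery(ISSUER); the sample is used here.
    for line in check_discovery(SAMPLE_DISCOVERY, ISSUER) or ["discovery document OK"]:
        print(line)
    for line in check_redirect_uris([CALLBACK], CALLBACK) or ["redirect URI registration OK"]:
        print(line)
```

Run it with the port-forward from 2.2 active, swapping SAMPLE_DISCOVERY for fetch_discovery(ISSUER), and paste the realm client's Valid Redirect URIs into the check_redirect_uris call. The http issuer is only acceptable for this local port-forward set-up; a reachable deployment should publish an https issuer.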

2.5 Deploy MongoDB (ABAC storage)

Deploy a MongoDB instance using the ia-node-mongodb helper chart.

MongoDB stores Attribute-Based Access Control (ABAC) security attributes for use by the access-api.

helm repo add mongodb https://mongodb.github.io/helm-charts
helm install community-operator mongodb/community-operator --namespace mongodb-operator --create-namespace \
  --set operator.watchNamespace="*" \
  --set operator.resources.requests.cpu=50m \
  --set operator.resources.requests.memory=128Mi \
  --set operator.resources.limits.cpu=200m \
  --set operator.resources.limits.memory=256Mi

Next steps

Continue to Build components