kubectl create namespace ace-keycloak-k8s
kind: Secret
apiVersion: v1
metadata:
  name: dash-ace-keycloak-k8s-example-iam-11111
  namespace: ace-keycloak-k8s
  labels:
    app: keycloak
data:
  CLIENT_ID: ZGFzaC1hY2Uta2V5Y2xvYWstazhzLWV4YW1wbGUtaWFtLTExMTEx
  CLIENT_SECRET: modify-this-value
type: Opaque
echo -n "dash-ace-keycloak-k8s-example-iam-11111" | base64
echo -n "client-secret-value" | base64
kubectl apply -f kcClientSecret.yaml -n ace-keycloak-k8s
kind: Secret
apiVersion: v1
metadata:
  name: example-tls-secret
  namespace: ace-keycloak-k8s
  labels:
    app: keycloak
data:
  ca.crt: modify-this-value
type: Opaque
echo -n "-----BEGIN CERTIFICATE----- abcdefg -----END CERTIFICATE-----" | base64
kubectl apply -f kcCASecret.yaml -n ace-keycloak-k8s
apiVersion: appconnect.ibm.com/v1beta1
kind: Dashboard
metadata:
  name: example-iam-dash
  labels:
    backup.appconnect.ibm.com/component: dashboard
  namespace: ace-keycloak-k8s
spec:
  api:
    enabled: true
  license:
    accept: true
    license: L-XRNH-47FJAW
    use: AppConnectEnterpriseProduction
  pod:
    containers:
      content-server:
        resources:
          limits:
            memory: 512Mi
          requests:
            cpu: 50m
            memory: 50Mi
      control-ui:
        resources:
          limits:
            memory: 512Mi
          requests:
            cpu: 50m
            memory: 125Mi
    imagePullSecrets:
      - name: ibm-entitlement-key
  switchServer:
    name: default
  authentication:
    integrationKeycloak:
      auth:
        clientSecretName: dash-ace-keycloak-k8s-example-iam-11111
      enabled: true
      endpoint: 'https://example-keycloak.test.com'
      realm: exampleRealm
      tls:
        secretName: example-tls-secret
      ingressHost: example-iam.example-keycloak.test.com
  authorization:
    integrationKeycloak:
      auth:
        clientSecretName: dash-ace-keycloak-k8s-example-iam-11111
      enabled: true
      endpoint: 'https://example-keycloak.test.com'
      realm: exampleRealm
      tls:
        secretName: example-tls-secret
      ingressHost: example-iam.example-keycloak.test.com
  storage:
    size: 5Gi
    type: persistent-claim
    class: ibmc-file-gold-gid
  displayMode: IntegrationRuntimes
  replicas: 1
  version: '12.0.12.3-r1'
kubectl get pod <keycloak-pod-name> -n <namespace-for-keycloak-pod> -o=jsonpath='{.spec.containers[0].env[?(@.name == "KC_HOSTNAME")].value}'
kubectl apply -f dashboard_iam.yaml -n ace-keycloak-k8s
kubectl get configmap example-iam-dash-dash -o=jsonpath='{.data.ACE_INGRESS_HOSTNAME}' -n ace-keycloak-k8s
apiVersion: appconnect.ibm.com/v1beta1
kind: DesignerAuthoring
metadata:
  name: example-iam-designer
  labels:
    backup.appconnect.ibm.com/component: designerauthoring
  namespace: ace-keycloak-k8s
spec:
  imagePullSecrets:
    - name: ibm-entitlement-key
  license:
    accept: true
    license: L-XRNH-47FJAW
    use: AppConnectEnterpriseProduction
  couchdb:
    storage:
      size: 10Gi
      type: persistent-claim
      class: ibmc-file-gold-gid
    replicas: 1
  designerMappingAssist:
    incrementalLearning:
      schedule: Every 15 days
    enabled: false
  authentication:
    integrationKeycloak:
      auth:
        clientSecretName: designer-ace-keycloak-k8s-example-iam-11111
      enabled: true
      endpoint: 'https://example-keycloak.test.com'
      realm: exampleRealm
      tls:
        secretName: example-tls-secret
      ingressHost: example-iam-designer.example-keycloak.test.com
  authorization:
    integrationKeycloak:
      auth:
        clientSecretName: designer-ace-keycloak-k8s-example-iam-11111
      enabled: true
      endpoint: 'https://example-keycloak.test.com'
      realm: exampleRealm
      tls:
        secretName: example-tls-secret
      ingressHost: example-iam-designer.example-keycloak.test.com
  designerFlowsOperationMode: local
  replicas: 1
  version: '12.0.12.3-r1'
kubectl apply -f designer_iam.yaml -n ace-keycloak-k8s
kubectl get configmap example-iam-designer-designer-env -o=jsonpath='{.data.FIREFLY_ROUTE_UI}' -n ace-keycloak-k8s
The IBM® App Connect Operator (version 12.1.0 or later) offers enhanced Keycloak support, which enables you to use an existing Keycloak instance to configure authentication and authorization for App Connect Dashboard and Designer Authoring. This new feature is available on both OCP and Kubernetes.
kubectl logs <dashboard pod name> -c control-ui | grep -i "InternalOAuthError: Failed to obtain access token"
kubectl logs <designer authoring ui pod name> -c <designer-authoring-name>-ui | grep -i "InternalOAuthError: Failed to obtain access token"
openssl s_client -showcerts -verify 5 -connect example-keycloak.test.com:443 < /dev/null
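The two Secrets above are built by hand-encoding values with `echo -n | base64`, and the CA bundle shown by `openssl s_client` may end at an intermediate rather than the root that `ca.crt` needs. This added helper script (not part of the IBM page or the operator) renders both Secrets with correct encoding and checks that a saved PEM bundle really ends at a self-signed root; the client secret value and the file name `keycloak-chain.pem` are placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM page: render the Keycloak client Secret and the CA
# Secret that the Dashboard/DesignerAuthoring CRs reference, and check the CA bundle.
set -eu

NAMESPACE="ace-keycloak-k8s"   # namespace used throughout the page

# Base64 without a trailing newline. A plain `echo` (without -n) would encode "\n"
# into CLIENT_ID/CLIENT_SECRET, and Keycloak would then reject the client credentials.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render an Opaque Secret of the page's shape from NAME KEY VALUE [KEY VALUE ...].
# Values are encoded here, so the manual `echo -n ... | base64` step is not needed.
render_secret() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$NAMESPACE"
  printf '  labels:\n    app: keycloak\ntype: Opaque\ndata:\n'
  while [ "$#" -ge 2 ]; do
    printf '  %s: %s\n' "$1" "$(b64 "$2")"
    shift 2
  done
}

# Number of PEM certificates in a bundle file (0 when none).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# `openssl s_client -showcerts` output may stop at an intermediate, while ca.crt must
# end with the real root. Walk the bundle and return 0 only if the LAST certificate
# is self-signed (subject == issuer); prints each subject; needs openssl on the PATH.
ca_bundle_ends_at_root() {
  bundle="$1"; n=$(pem_cert_count "$bundle"); i=1; ends_at_root=1
  while [ "$i" -le "$n" ]; do
    cert=$(awk -v k="$i" '/-----BEGIN CERTIFICATE-----/ {c++} c == k' "$bundle")
    subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
    iss=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    echo "cert $i: $subj"
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then ends_at_root=0; else ends_at_root=1; fi
    i=$((i + 1))
  done
  return "$ends_at_root"
}

# Usage (names from the page; KC_CLIENT_SECRET and keycloak-chain.pem are placeholders):
#   render_secret dash-ace-keycloak-k8s-example-iam-11111 \
#     CLIENT_ID dash-ace-keycloak-k8s-example-iam-11111 CLIENT_SECRET "$KC_CLIENT_SECRET" \
#     | kubectl apply -n "$NAMESPACE" -f -
#   ca_bundle_ends_at_root keycloak-chain.pem || echo "bundle does not end at a root CA" >&2
#   render_secret example-tls-secret ca.crt "$(cat keycloak-chain.pem)" | kubectl apply -n "$NAMESPACE" -f -
```

Save the `-showcerts` output to the PEM file first; if the check fails, append the root certificate obtained from the Keycloak web UI's certificate chain before rendering the CA Secret.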
kubectl logs <dashboard pod name> -c control-ui | grep -i "Cannot read properties of null (reading 'exp')"
kubectl logs <designer authoring ui pod name> -c <designer-authoring-name>-ui | grep -i "Cannot read properties of null (reading 'exp')"
kubectl logs <dashboard pod name> -c control-ui | grep -i "cannot find the highest role"
kubectl logs <designer authoring ui pod name> -c <designer-authoring-name>-ui | grep -i "cannot find the highest role"
One important hint: The command
might not display the correct root certificate. In our case the command just displayed an intermediate certificate. However, for the HTTP call from the Dashboard to Keycloak the Dashboard requires the "real root certificate" at the end. It is best to cross-check the shown certificate via a web browser (just go to the Keycloak web UI and display the used certificates - this should show you the complete chain).