Forem: iderr The latest articles on Forem by iderr (@iderr). https://forem.com/iderr https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F723555%2Fcc140b65-dfde-4088-8133-7fe1357cc9b1.png Forem: iderr https://forem.com/iderr en Connect your AWX/Ansible Tower with Keycloak using OIDC ! iderr Mon, 07 Nov 2022 21:37:53 +0000 https://forem.com/iderr/connect-your-awxansible-tower-with-keycloak-using-oidc--4ekb https://forem.com/iderr/connect-your-awxansible-tower-with-keycloak-using-oidc--4ekb <h2> Introduction </h2> <p>Want to connect your AWX/Ansible Tower with your SSO solution (thanks to openid connect), in my case keycloak, you're in the right place.<br> I have seen a lot of tutorials on how to configure with SAML, but not one with OIDC so here it is :)</p> <h2> Prerequisites </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- A keycloak - An ansible tower / awx </code></pre> </div> <p>If you respect all these prerequisites, you are good to go !</p> <h2> Tutorial </h2> <p>Go to your beautiful keycloak instance <br> Add a client in keycloak with this redirect url <br> <a href="https://AWX_HOST/sso/complete/oidc/">https://AWX_HOST/sso/complete/oidc/</a><br> Something like this :</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FxEqA7He--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/quegriin4s2uihhidt84.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FxEqA7He--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/quegriin4s2uihhidt84.jpg" alt="Keycloak" width="880" height="422"></a></p> <p>Get your keys in your credentials part (if not set, set it to Client ID and secret)</p> <p>In your awx/tower instance, go to settings, generic oidc and fill all the infos :<br> OIDC key : Keycloak's client id <br> OIDC secret : Keycloak's client secret <br> OIDC provider : <a href="https://KEYCLOAK_HOST/realms/YOUR_REALM">https://KEYCLOAK_HOST/realms/YOUR_REALM</a></p> <h2> Conclusion </h2> <p>Only that, yes.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ac8dVfsV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tad5o92by2szzjhfpsby.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ac8dVfsV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tad5o92by2szzjhfpsby.png" alt="Login" width="542" height="560"></a></p> <p>Your awx/ansible tower is now connected with keycloak.</p> <p>See you on the next article !</p> ansible tutorial keycloak awx Use OVH as a DNS-01 provider for cert-manager iderr Mon, 11 Oct 2021 13:48:35 +0000 https://forem.com/iderr/use-ovh-as-a-dns-01-provider-for-cert-manager-5hl7 https://forem.com/iderr/use-ovh-as-a-dns-01-provider-for-cert-manager-5hl7 <h2> Introduction </h2> <p>First article of this new blog!</p> <p>Today we will discuss how to configure automatic Let’s-Encrypt certificate renewal with a domain hosted in OVH.</p> <p>I have not found a clear tutorial on how to setup a cluster wide OVH cert-manager provider so there it is.</p> <h2> Installation </h2> <h3> Cert-manager installation </h3> <p>Quick reminder, installing cert-manager is pretty straightforward with Helm.<br> Don't forget to replace the version with the latest one : <a href="https://github.com/jetstack/cert-manager/releases">https://github.com/jetstack/cert-manager/releases</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace cert-manager helm repo add jetstack https://charts.jetstack.io helm repo update helm <span class="nb">install </span>cert-manager jetstack/cert-manager <span class="nt">--namespace</span> cert-manager <span class="nt">--create-namespace</span> <span class="nt">--version</span> v1.5.3 <span class="nt">--set</span> <span class="nv">installCRDs</span><span class="o">=</span><span class="nb">true</span> </code></pre> </div> <p>After that, you should have a running cert-manager.</p> <h3> OVH Webhook installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/baarde/cert-manager-webhook-ovh.git <span class="nb">cd </span>cert-manager-webhook-ovh helm <span class="nb">install </span>cert-manager-webhook-ovh ./deploy/cert-manager-webhook-ovh <span class="nt">--set</span> <span class="nv">groupName</span><span class="o">=</span><span class="s1">'&lt;GROUP_NAME&gt;'</span> </code></pre> </div> <p>After that, we need to create our api keys in the OVH API to connect our webhook controller to OVH</p> <ul> <li>Go to <a href="https://api.ovh.com/createToken/index.cgi">https://api.ovh.com/createToken/index.cgi</a> </li> <li>Add the followings rights, if you want to give acces to all of your domains <ul> <li>GET /domain/zone/*</li> <li>PUT /domain/zone/*</li> <li>POST /domain/zone/*</li> <li>DELETE /domain/zone/*</li> </ul> </li> <li>If you prefer to give access only to one domain replace the "*" by your domain name</li> </ul> <p>We will store the freshly generated application secret in Kubernetes.</p> <p>The secret needs to be in the same namespace as the cert-manager controller pod if you want to create a ClusterIssuer, in our case, 'cert-manager'<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic ovh-credentials <span class="nt">--namespace</span> cert-manager <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">applicationSecret</span><span class="o">=</span><span class="s1">'&lt;OVHSECRET&gt;'</span> </code></pre> </div> <p>Grant permission to get the secret to the cert-manager-webhook-ovh service account<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-ovh:secret-reader</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">secrets"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ovh-credentials"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-ovh:secret-reader</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-ovh:secret-reader</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-ovh</span> </code></pre> </div> <p>And we can finally create our cluster issuer, don't forget to replace the values between &lt;&gt; with your keys/config<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://acme-v02.api.letsencrypt.org/directory</span> <span class="na">email</span><span class="pi">:</span> <span class="s1">'</span><span class="s">&lt;EMAIL&gt;'</span> <span class="na">privateKeySecretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-account-key</span> <span class="na">solvers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">dns01</span><span class="pi">:</span> <span class="na">webhook</span><span class="pi">:</span> <span class="na">groupName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">&lt;GROUP_NAME&gt;'</span> <span class="na">solverName</span><span class="pi">:</span> <span class="s">ovh</span> <span class="na">config</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">ovh-eu</span> <span class="na">applicationKey</span><span class="pi">:</span> <span class="s1">'</span><span class="s">&lt;APP_KEY&gt;'</span> <span class="na">applicationSecretRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">applicationSecret</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ovh-credentials</span> <span class="na">consumerKey</span><span class="pi">:</span> <span class="s1">'</span><span class="s">&lt;CONSUMER_KEY&gt;'</span> </code></pre> </div> <p>And voila, you have a fully working ClusterIssuer with OVH, you can test all your work with a new Certificate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Certificate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">example-certificate</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">dnsNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">test.mydomain.com</span> <span class="na">issuerRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">test-mydomain-com-tls</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>NAME READY SECRET AGE example-certificate True test-mydomain-com-tls 3s </code></pre> </div> <h2> Conclusion </h2> <p>Congratulation, and see you next time for another article! </p> kubernetes opensource