Keycloak SSO Authentication in Redpanda Console

This section pertains to Redpanda Console in a self-managed deployment, and this feature requires an Enterprise license. To upgrade, contact Redpanda sales.

If Redpanda Console has enterprise features enabled and it cannot find a valid license either in its local configuration or in the connected Redpanda cluster, it shuts down.

By integrating Redpanda Console with Keycloak, your users can sign in to Redpanda Console using their Keycloak login credentials.

Prerequisites

You must:

  • Install Keycloak and create a super admin user account, which has permissions for setting up an OAuth application. For details, see the Keycloak documentation.

  • Create an OpenID Connect (OIDC) client. For details, see the Keycloak documentation.

    Provide the following inputs when you are asked for them:

    • Client type: OpenID Connect

    • Client ID: Enter a alphanumeric that the Keycloak database can use to identify the client

    • Name: Enter any name for the client

    • Valid Redirect URIs: Enter the domain where Redpanda Console is hosted followed by the /login/callbacks/keycloak path. For example, https://console.<your-company>.com/login/callbacks/keycloak or https://localhost:8080/login/callbacks/keycloak.

    • (Optional) Create at least one realm for managing and authenticating a specific group of users

      You can use the master realm, or you can create a realm for managing and authenticating a specific group of users.
      Copy the client ID and client secret. The console configuration file uses these credentials to establish communication with Keycloak.

Edit the console configuration file

Edit the console configuration file associated with your deployment method and incorporate the details from your client application. For example, Kubernetes deployments use the values.yaml file. Linux deployments use the redpanda-console-config.yaml file, which is in /etc/redpanda.

login:
  enabled: true

  # jwtSecret is the secret key you must use to sign and encrypt the JSON
  # web token used to store user sessions. This secret key is
  # critical for the security of Redpanda Console's authentication and
  # authorization system. Use a long, complex key with a combination of
  # numbers, letters, and special characters. The minimum number of
  # characters is 10, but Redpanda recommends using more than 32
  # characters. For additional security, use a different secret key for
  # each environment. jwtSecret can be securely generated with the following
  # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32
  #
  # If you update this secret key, any users who are
  # already logged in to Redpanda Console will be logged out and will have
  # to log in again.
  jwtSecret: ""

  keycloak:
    enabled: true
    url: https://keycloak.internal.company.com
    # Replace with the actual realm name.
    realm: <realm-name>

    clientId: ""
    clientSecret: ""

    # The directory configuration is only required if you want to
    # use Keycloak groups in your role bindings.
    # This is described further in the next section.
    # directory:
    #   adminUser: ""
    #   adminPassword: ""

RBAC Keycloak groups sync

To bind roles to Keycloak groups, you must specify admin user credentials, which are used to resolve group memberships when communicating with Keycloak’s API. These credentials must be the same ones that are used to log in to the Keycloak admin panel, and they must be associated with the realm where the group memberships will be resolved.

login:
  keycloak:
    directory:
      adminUser: ""
      adminPassword: ""

Define role-bindings

When you set up the Keycloak login configuration, you can bind Keycloak users or groups to roles. Following is a sample role binding:

roleBindings:
  - metadata:
      name: Developers
    subjects:
      - kind: group
        provider: Keycloak
        name: 55e999ff-7923-4750-b2e1-7387768958a0 # Group ID
      - kind: user
        provider: Keycloak
        name: martin # Keycloak login / username
    roleName: editor