Keycloak SSO Authentication in Redpanda Console
This feature requires an Enterprise license. To upgrade, contact Redpanda sales.
By integrating Redpanda Console with Keycloak, your users can sign in to Redpanda Console using their Keycloak login credentials.
Prerequisites
You must:
Install Keycloak and create a super admin user account, which has permissions for setting up an OAuth application. For details, see the Keycloak documentation.
Create an OpenID Connect (OIDC) client. For details, see the Keycloak documentation.
Provide the following inputs when you are asked for them:
Client type: OpenID Connect
Client ID: Enter a alphanumeric that the Keycloak database can use to identify the client
Name: Enter any name for the client
Valid Redirect URIs: Enter the domain where Redpanda Console is hosted followed by the
/login/callbacks/keycloakpath. For example,https://console.<your-company>.com/login/callbacks/keycloakorhttps://localhost:8080/login/callbacks/keycloak.(Optional) Create at least one realm for managing and authenticating a specific group of users
noteYou can use the master realm, or you can create a realm for managing and authenticating a specific group of users.
importantCopy the client ID and client secret. The console configuration file uses these credentials to establish communication with Keycloak.
Edit the console configuration file
Edit the console configuration file associated with your deployment method and incorporate the details from your client application. For example, Kubernetes deployments use the values.yaml file. Linux deployments use the redpanda-console-config.yaml file, which is in /etc/redpanda.
login:
enabled: true
# jwtSecret is the secret key you must use to sign and encrypt the JSON
# web token used to store user sessions. This secret key is
# critical for the security of Redpanda Console's authentication and
# authorization system. Use a long, complex key with a combination of
# numbers, letters, and special characters. The minimum number of
# characters is 10, but Redpanda recommends using more than 32
# characters. For additional security, use a different secret key for
# each environment. jwtSecret can be securely generated with the following
# command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32
#
# If you update this secret key, any users who are
# already logged in to Redpanda Console will be logged out and will have
# to log in again.
jwtSecret: ""
keycloak:
enabled: true
url: https://keycloak.internal.company.com
realm: <realm-name> # Replace <realm-name> with the actual realm name.
clientId: ""
clientSecret: ""
# The directory configuration is only required if you want to
# use Keycloak groups in your role bindings.
# This is described further in the next section.
# directory:
# adminUser: ""
# adminPassword: ""
RBAC Keycloak groups sync
To bind roles to Keycloak groups, you must specify admin user credentials, which are used to resolve group memberships when communicating with Keycloak's API. These credentials must be the same ones that are used to log in to the Keycloak admin panel, and they must be associated with the realm where the group memberships will be resolved.
login:
keycloak:
directory:
adminUser: ""
adminPassword: ""
Define role-bindings
When you set up the Keycloak login configuration, you can bind Keycloak users or groups to roles. Following is a sample role binding:
roleBindings:
- metadata:
name: Developers
subjects:
- kind: group
provider: Keycloak
name: 55e999ff-7923-4750-b2e1-7387768958a0 # Group ID
- kind: user
provider: Keycloak
name: martin # Keycloak login / username
roleName: editor