https://deploy-preview-470--cozystack.netlify.app/docs/v0/operations/oidc/Recent content in Using OpenID Connect with Cozystack on CozystackHugoenhttps://deploy-preview-470--cozystack.netlify.app/docs/v0/operations/oidc/enable_oidc/Mon, 01 Jan 0001 00:00:00 +0000https://deploy-preview-470--cozystack.netlify.app/docs/v0/operations/oidc/enable_oidc/<h2 id="prerequisites">Prerequisites</h2> <ol> <li> <p><strong>OIDC Configuration</strong> Your API server must be configured to use OIDC. If you are using Talos Linux, your machine configuration should include the following parameters:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f0f0f0;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#062873;font-weight:bold">cluster</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">apiServer</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">extraArgs</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">oidc-issuer-url</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;https://keycloak.example.org/realms/cozy&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">oidc-client-id</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;kubernetes&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">oidc-username-claim</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;preferred_username&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">oidc-groups-claim</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;groups&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div><p><strong>For Talm</strong> Add to your <code>values.yaml</code> in talm repo:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f0f0f0;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#062873;font-weight:bold">oidcIssuerUrl</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;https://keycloak.&lt;YOUR_ROOT_DOMAIN&gt;/realms/cozy&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div></li> <li> <p><strong>Domain Reachability</strong> Ensure that the domain <code>keycloak.example.org</code> is accessible from the cluster and resolves to your root ingress controller.</p>https://deploy-preview-470--cozystack.netlify.app/docs/v0/operations/oidc/users_and_roles/Mon, 01 Jan 0001 00:00:00 +0000https://deploy-preview-470--cozystack.netlify.app/docs/v0/operations/oidc/users_and_roles/<p>Creating users and add roles for them</p> <h3 id="overview">Overview</h3> <p>When a tenant is created in Cozy (starting with version 1.6.0), roles, RoleBindings and keycloak groups will automatically be created in the Kubernetes cluster.</p> <p>To create a user, refer to the following documentation: <a href="https://www.keycloak.org/docs/latest/server_admin/#using-the-admin-console" target="_blank">Keycloak Admin Console Documentation</a></p> <h2 id="assigning-a-role-to-a-user-for-a-tenant">Assigning a Role to a User for a Tenant</h2> <ol> <li><strong>Access Keycloak</strong>: To retrieve login credentials, check the secret by running the following command: <div class="highlight"><pre tabindex="0" style="background-color:#f0f0f0;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl get secret keycloak-credentials -n cozy-keycloak -o yaml </span></span></code></pre></div><strong>Keycloak Address</strong>: The Keycloak address will match the value specified in the cozystack ConfigMap. For example, if your ConfigMap looks like this: <div class="highlight"><pre tabindex="0" style="background-color:#f0f0f0;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>v1<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ConfigMap<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">metadata</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">name</span>:<span style="color:#bbb"> </span>cozystack<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">namespace</span>:<span style="color:#bbb"> </span>cozy-system<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">data</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">root-host</span>:<span style="color:#bbb"> </span>infra.example.org<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">api-server-adress</span>:<span style="color:#bbb"> </span><span style="color:#40a070">55.21.33.22</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">bundle-name</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;paas-full&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">ipv4-pod-cidr</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;10.244.0.0/16&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">ipv4-pod-gateway</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;10.244.0.1&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">ipv4-svc-cidr</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;10.96.0.0/16&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#062873;font-weight:bold">ipv4-join-cidr</span>:<span style="color:#bbb"> </span><span style="color:#4070a0">&#34;100.64.0.0/16&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div>Then Keycloak will be available at: <code>keycloak.infra.example.org</code></li> </ol> <div class="alert alert-warning" role="alert"> If you are planning to integrate with external services either as clients or as IdPs, your Keycloak address needs to be publicly accessible and reachable by these services. </div> <h2 id="configure-roles-for-each-tenant-in-cozy">Configure Roles for Each Tenant in Cozy:</h2> <h3 id="cluster-wide">Cluster wide</h3> <ul> <li> <p><strong><code>cozystack-cluster-admin</code></strong></p>https://deploy-preview-470--cozystack.netlify.app/docs/v0/operations/oidc/self-signed-certificates/Mon, 01 Jan 0001 00:00:00 +0000https://deploy-preview-470--cozystack.netlify.app/docs/v0/operations/oidc/self-signed-certificates/<p>This guide explains how to configure Kubernetes API server for OIDC authentication with Keycloak when using self-signed certificates. By default, Cozystack issues certificates via LetsEncrypt, but some environments (e.g., air-gapped or private enterprise networks) may use a custom CA instead.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Cozystack cluster with OIDC enabled (see <a href="../enable_oidc/">Enable OIDC Server</a>)</li> <li>Talos Linux control plane nodes</li> <li><code>talosctl</code> configured for your cluster</li> <li><code>kubelogin</code> installed</li> </ul> <h2 id="step-1-retrieve-the-keycloak-certificate">Step 1: Retrieve the Keycloak Certificate</h2> <p>Get the certificate from the ingress controller:</p>