Skip to content

Commit

Permalink
Merge branch 'main' into archive-v2.5
Browse files Browse the repository at this point in the history
  • Loading branch information
@LucasSaintarbor
LucasSaintarbor authored Feb 18, 2025
2 parents cdc844a + a2706ae commit 45a1a05
Show file tree
Hide file tree
Showing 44 changed files with 1,164 additions and 744 deletions.
29 changes: 29 additions & 0 deletions .github/workflows/create-issue.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: Create issue to track porting between Community and Product docs

on:
pull_request_target:
types:
- closed
branches:
- main
paths-ignore:
- '**/README.md'

permissions:
issues: write
pull-requests: read

jobs:
create_issue:
if: github.event.pull_request.merged == true && contains( github.event.pull_request.labels.*.name, 'port/community-product')
runs-on: ubuntu-latest
steps:
- name: Create issue
env:
GH_TOKEN: ${{ github.token }}
run: |
gh issue create \
--repo rancher/rancher-docs \
--title 'Port Community docs PR #${{github.event.pull_request.number}}: ${{github.event.pull_request.title}}' \
--body 'Reference: https://github.com/${{github.repository}}/pull/${{github.event.pull_request.number}}' \
--label port/community-product
202 changes: 120 additions & 82 deletions ...sions-and-global-configuration/authentication-config/configure-keycloak-oidc.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Configure Keycloak (OIDC)
description: Create a Keycloak OpenID Connect (OIDC) client and configure Rancher to work with Keycloak. By the end your users will be able to sign into Rancher using their Keycloak logins
---

<head>
<head>
<link rel="canonical" href="https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc"/>
</head>

Expand All @@ -17,62 +17,102 @@ If you have an existing configuration using the SAML protocol and want to switch

- On Rancher, Keycloak (SAML) is disabled.
- You must have a [Keycloak IdP Server](https://www.keycloak.org/guides#getting-started) configured.
- In Keycloak, create a [new OIDC client](https://www.keycloak.org/docs/latest/server_admin/#oidc-clients), with the settings below. See the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#oidc-clients) for help.
- Follow the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#proc-creating-oidc-client_server_administration_guide) to create a new OIDC client with the settings below.

Setting | Value
------------|------------
`Client ID` | &lt;CLIENT_ID> (e.g. `rancher`)
`Name` | &lt;CLIENT_NAME> (e.g. `rancher`)
`Client Protocol` | `openid-connect`
`Access Type` | `confidential`
`Valid Redirect URI` | `https://yourRancherHostURL/verify-auth`
| Setting | Value |
| ------------|------------|
| `Client ID` | &lt;client-id> (e.g. `rancher`) |
| `Name` | &lt;client-name> (e.g. `rancher`) |
| `Client type` | `OpenID Connect` |
| `Client authentication` | `ON` |
| `Valid Redirect URI` | `https://yourRancherHostURL/verify-auth` |

- In the new OIDC client, create [Mappers](https://www.keycloak.org/docs/latest/server_admin/#_protocol-mappers) to expose the users fields.
- Create a new "Groups Mapper" with the settings below.

Setting | Value
------------|------------
`Name` | `Groups Mapper`
`Mapper Type` | `Group Membership`
`Token Claim Name` | `groups`
`Full group path` | `OFF`
`Add to ID token` | `OFF`
`Add to access token` | `OFF`
`Add to user info` | `ON`

- Create a new "Client Audience" with the settings below.

Setting | Value
------------|------------
`Name` | `Client Audience`
`Mapper Type` | `Audience`
`Included Client Audience` | &lt;CLIENT_NAME>
`Add to ID token` | `OFF`
`Add to access token` | `ON`

- Create a new "Groups Path" with the settings below.

Setting | Value
------------|------------
`Name` | `Group Path`
`Mapper Type` | `Group Membership`
`Token Claim Name` | `full_group_path`
`Full group path` | `ON`
`Add to ID token` | `ON`
`Add to access token` | `ON`
`Add to user info` | `ON`

- Go to **Role Mappings > Client Roles > realm-management** and add the following Role Mappings to all users or groups that need to query the Keycloak users.
- query-users
- query-groups
- view-users
1. In the navigation menu, click **Clients**.
1. Click the **Clients list** tab.
1. Find and click the client you created.
1. Click the **Client scopes** tab.
1. Find and click the link labeled `<client-name>-dedicated`. For example, if you named your client `rancher`, look for the link named `rancher-dedicated`.
1. Click the **Mappers** tab.
1. Click **Configure a new mapper**. If you already have existing mappers configured, click the arrow next to **Add mapper** and select **By configuration**. Repeat this process and create these mappers:
- From the mappings table, select **Group Membership** and configure a new "Groups Mapper" with the settings below. For settings that are not mentioned, use the default value.

| Setting | Value |
| ------------|------------|
| `Name` | `Groups Mapper` |
| `Mapper Type` | `Group Membership` |
| `Token Claim Name` | `groups` |
| `Full group path` | `OFF` |
| `Add to ID token` | `OFF` |
| `Add to access token` | `OFF` |
| `Add to user info` | `ON` |

- From the mappings table, select **Audience** and configure a new "Client Audience" with the settings below. For settings that are not mentioned, use the default value.

| Setting | Value |
| ------------|------------|
| `Name` | `Client Audience` |
| `Mapper Type` | `Audience` |
| `Included Client Audience` | &lt;client-name> |
| `Add to ID token` | `OFF` |
| `Add to access token` | `ON` |

- From the mappings table, select **Group Membership** and configure a new "Groups Path" with the settings below. For settings that are not mentioned, use the default value.

| Setting | Value |
| ------------|------------|
| `Name` | `Group Path` |
| `Mapper Type` | `Group Membership` |
| `Token Claim Name` | `full_group_path` |
| `Full group path` | `ON` |
| `Add to ID token` | `ON` |
| `Add to access token` | `ON` |
| `Add to user info` | `ON` |

- Add the following role mappings to all users or groups that need to query the Keycloak users.

<Tabs>
<TabItem value="Users">

1. In the navigation menu, click **Users**.
1. Click the user you want to add role mappings to.
1. Click the **Role mapping** tab.
1. Click **Assign role**.
1. Select the following roles:
- query-users
- query-groups
- view-users
1. Click **Assign**.

</TabItem>
<TabItem value="Groups">

1. In the navigation menu, click **Groups**.
1. Click the group you want to add role mappings to.
1. Click the **Role mapping** tab.
1. Click **Assign role**.
1. Select the following roles:
- query-users
- query-groups
- view-users
1. Click **Assign**.

</TabItem>
</Tabs>

## Configuring Keycloak in Rancher

1. In the Rancher UI, click **☰ > Users & Authentication**.
1. In the left navigation bar, click **Auth Provider**.
1. Select **Keycloak (OIDC)**.
1. Complete the **Configure a Keycloak OIDC account** form. For help with filling the form, see the [configuration reference](#configuration-reference).

:::note

When configuring the **Endpoints** section using the **Generate** option, Rancher includes `/auth` as part of the context path in the **Issuer** and **Auth Endpoint** fields, which is only valid for Keycloak 16 or older. You must configure endpoints using the **Specify** option for [Keycloak 17](https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-17-0-0) and newer, which have [migrated to Quarkus](https://www.keycloak.org/migration/migrating-to-quarkus).

:::

1. After you complete the **Configure a Keycloak OIDC account** form, click **Enable**.

Rancher redirects you to the IdP login page. Enter credentials that authenticate with Keycloak IdP to validate your Rancher Keycloak configuration.
Expand All @@ -83,7 +123,7 @@ If you have an existing configuration using the SAML protocol and want to switch

:::

**Result:** Rancher is configured to work with Keycloak using the OIDC protocol. Your users can now sign into Rancher using their Keycloak logins.
**Result:** Rancher is configured to work with Keycloak using the OIDC protocol. Your users can now sign in to Rancher using their Keycloak logins.

## Configuration Reference

Expand All @@ -103,56 +143,54 @@ If you have an existing configuration using the SAML protocol and want to switch

This section describes the process to transition from using Rancher with Keycloak (SAML) to Keycloak (OIDC).

### Reconfigure Keycloak

1. Change the existing client to use the OIDC protocol. In the Keycloak console, select **Clients**, select the SAML client to migrate, select the **Settings** tab, change `Client Protocol` from `saml` to `openid-connect`, and click **Save**

1. Verify the `Valid Redirect URIs` are still valid.

1. Select the **Mappers** tab and create a new Mapper with the settings below.

Setting | Value
------------|------------
`Name` | `Groups Mapper`
`Mapper Type` | `Group Membership`
`Token Claim Name` | `groups`
`Add to ID token` | `ON`
`Add to access token` | `ON`
`Add to user info` | `ON`
1. Reconfigure Keycloak.
1. Configure a new `OpenID Connect` client according to the [Prerequisites](#prerequisites). Ensure the same `Valid Redirect URIs` are set.
1. Configure mappers for the new client according to the [Prerequisites](#prerequisites).
1. Before configuring Rancher to use Keycloak (OIDC), Keycloak (SAML) must be first disabled.
1. In the Rancher UI, click **☰ > Users & Authentication**.
1. In the left navigation bar, click **Auth Provider**.
1. Select **Keycloak (SAML)**.
1. Click **Disable**.
1. Follow the steps in [Configuring Keycloak in Rancher](#configuring-keycloak-in-rancher).

### Reconfigure Rancher
:::caution

Before configuring Rancher to use Keycloak (OIDC), Keycloak (SAML) must be first disabled.

1. In the Rancher UI, click **☰ > Users & Authentication**.
1. In the left navigation bar, click **Auth Provider**.
1. Select **Keycloak (SAML)**.
1. Click **Disable**.

Configure Rancher to use Keycloak (OIDC) by following the steps in [this section](#configuring-keycloak-in-rancher).

:::note

After configuration is completed, Rancher user permissions will need to be reapplied as they are not automatically migrated.
After configuration is completed, Rancher user permissions need to be reapplied as they are not automatically migrated.

:::

## Annex: Troubleshooting

If you are experiencing issues while testing the connection to the Keycloak server, first double-check the configuration options of your OIDC client. You may also inspect the Rancher logs to help pinpoint what's causing issues. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) in this documentation.

All Keycloak related log entries will be prepended with either `[generic oidc]` or `[keycloak oidc]`.
All Keycloak related log entries are prepended with either `[generic oidc]` or `[keycloak oidc]`.

### You are not redirected to Keycloak

When you fill the **Configure a Keycloak OIDC account** form and click on **Enable**, you are not redirected to your IdP.
When you fill the **Configure a Keycloak OIDC account** form and click **Enable**, you are not redirected to your IdP.

* Verify your Keycloak client configuration.
Verify your Keycloak client configuration.

### The generated `Issuer` and `Auth Endpoint` are incorrect

* On the **Configure a Keycloak OIDC account** form, change **Endpoints** to `Specify (advanced)` and override the `Issuer` and `Auth Endpoint` values. To find the values, go to the Keycloak console and select **Realm Settings**, select the **General** tab, and click **OpenID Endpoint Configuration**. The JSON output will display values for `issuer` and `authorization_endpoint`.
On the **Configure a Keycloak OIDC account** form, change **Endpoints** to `Specify (advanced)` and override the `Issuer` and `Auth Endpoint` values. To find the values, go to the Keycloak console and select **Realm Settings**, select the **General** tab, and click **OpenID Endpoint Configuration**. The JSON output displays values for `issuer` and `authorization_endpoint`.

### Keycloak Error: "Invalid grant_type"

* In some cases, this error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly.
In some cases, this error message may be misleading and is caused by setting the `Valid Redirect URI` incorrectly.

### Unable to See Groups When Assigning Global Roles

If you use a user that is not part of any groups for initial setup, then you cannot search for groups when trying to assign a global role.
To resolve this, you can either:

1. Manually edit the `authconfig/keycloakoidc` object to enable group search.

1. On the Rancher server:
```bash
kubectl edit authconfigs.management.cattle.io keycloakoidc
```
2. Set `groupSearchEnabled: true`.
3. Save your changes.

2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak.
2 changes: 1 addition & 1 deletion docs/integrations-in-rancher/cluster-api/cluster-api.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,6 @@ title: Cluster API (CAPI) with Rancher Turtles
[Rancher Turtles](https://turtles.docs.rancher.com/) is a [Kubernetes Operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/#operators-in-kubernetes) that manages the lifecycle of provisioned Kubernetes clusters, by providing integration between your Cluster API (CAPI) and Rancher. With Rancher Turtles, you can:

- Import CAPI clusters into Rancher, by installing the Rancher Cluster Agent in CAPI provisioned clusters.
- Configure the [CAPI Operator](https://turtles.docs.rancher.com/reference-guides/rancher-turtles-chart/values#cluster-api-operator-values).
- Configure the [CAPI Operator](https://turtles.docs.rancher.com/turtles/next/en/reference-guides/rancher-turtles-chart/values.html#cluster-api-operator-values).

The [Overview](./overview.md) section outlines installation options, Rancher Turtles architecture, and a brief demo. For more details, see the [Rancher Turtles documentation](https://turtles.docs.rancher.com/).
10 changes: 5 additions & 5 deletions docs/integrations-in-rancher/cluster-api/overview.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ Below is a visual representation of the key components of Rancher Turtles and th

As defined by [Supply-chain Levels for Software Artifacts (SLSA)](https://slsa.dev/spec/v1.0/about), SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.

Rancher Turtles meets [SLSA Level 3](https://slsa.dev/spec/v1.0/levels#build-l3) requirements as an appropriate hardened build platform, with consistent build processes, and provenance distribution. For more information, visit the [Rancher Turtles Security](https://turtles.docs.rancher.com/security/slsa) document.
Rancher Turtles meets [SLSA Level 3](https://slsa.dev/spec/v1.0/levels#build-l3) requirements as an appropriate hardened build platform, with consistent build processes, and provenance distribution. For more information, visit the [Rancher Turtles Security](https://turtles.docs.rancher.com/turtles/next/en/security/slsa.html) document.

## Prerequisites

Expand Down Expand Up @@ -92,7 +92,7 @@ By adding the Turtles repository via the Rancher UI, Rancher can process the ins
1. Click **Rancher Turtles - the Cluster API Extension**.
1. Click **Install > Next > Install**.

This process uses the default values for the Helm chart, which are good for most installations. If your configuration requires overriding some of these defaults, you can either specify the values during installation from the Rancher UI or you can [manually install the chart via Helm](#installing-via-helm). For details about available values, see the Rancher Turtles [Helm chart reference guide](https://turtles.docs.rancher.com/reference-guides/rancher-turtles-chart/values).
This process uses the default values for the Helm chart, which are good for most installations. If your configuration requires overriding some of these defaults, you can either specify the values during installation from the Rancher UI or you can [manually install the chart via Helm](#installing-via-helm). For details about available values, see the Rancher Turtles [Helm chart reference guide](https://turtles.docs.rancher.com/turtles/next/en/reference-guides/rancher-turtles-chart/values.html).

The installation may take a few minutes and after completing you can see the following new deployments in the cluster:

Expand All @@ -115,7 +115,7 @@ There are two ways to install Rancher Turtles with Helm, depending on whether yo

The CAPI Operator is required for installing Rancher Turtles. You can choose whether you want to take care of this dependency yourself or let the Rancher Turtles Helm chart manage it for you. [Installing Turtles as a dependency](#installing-rancher-turtles-with-cluster-api-capi-operator-as-a-helm-dependency) is simpler, but your best option depends on your specific configuration.

The CAPI Operator allows for handling the lifecycle of [CAPI providers](https://turtles.docs.rancher.com/tasks/capi-operator/installing_core_provider) using a declarative approach, extending the capabilities of `clusterctl`. If you want to learn more about it, you can refer to [Cluster API Operator book](https://cluster-api-operator.sigs.k8s.io/).
The CAPI Operator allows for handling the lifecycle of [CAPI providers](https://turtles.docs.rancher.com/turtles/next/en/tasks/capi-operator/installing_core_provider.html) using a declarative approach, extending the capabilities of `clusterctl`. If you want to learn more about it, you can refer to [Cluster API Operator book](https://cluster-api-operator.sigs.k8s.io/).

#### Installing Rancher Turtles with `Cluster API (CAPI) Operator` as a Helm dependency

Expand Down Expand Up @@ -177,15 +177,15 @@ stringData:

:::info

For detailed information on the values supported by the chart and their usage, refer to [Helm chart options](https://turtles.docs.rancher.com/reference-guides/rancher-turtles-chart/values)
For detailed information on the values supported by the chart and their usage, refer to [Helm chart options](https://turtles.docs.rancher.com/turtles/next/en/reference-guides/rancher-turtles-chart/values.html)

:::

#### Installing Rancher Turtles without `Cluster API (CAPI) Operator` as a Helm dependency

:::note

Remember that if you opt for this installation option, you must manage the CAPI Operator installation yourself. You can follow the [CAPI Operator guide](https://turtles.docs.rancher.com/contributing/install_capi_operator) in the Rancher Turtles documentation for assistance.
Remember that if you opt for this installation option, you must manage the CAPI Operator installation yourself. You can follow the [CAPI Operator guide](https://turtles.docs.rancher.com/turtles/next/en/contributing/install_capi_operator.html) in the Rancher Turtles documentation for assistance.

:::

Expand Down
2 changes: 1 addition & 1 deletion docs/integrations-in-rancher/integrations-in-rancher.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,4 @@ To learn more and get started with Rancher Prime, please visit [this page](https
import DocCardList from '@theme/DocCardList';
import { useCurrentSidebarCategory } from '@docusaurus/theme-common/internal';

<DocCardList items={useCurrentSidebarCategory().items.slice(0,9)} />
<DocCardList items={useCurrentSidebarCategory().items.slice(0,10)} />
2 changes: 2 additions & 0 deletions docusaurus.config.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -202,10 +202,12 @@ module.exports = {
2.7: {
label: 'v2.7',
path: 'v2.7',
className: 'toArchive'
},
2.6: {
label: 'v2.6',
path: 'v2.6',
className: 'toArchive'
},
2.5: {
label: 'v2.5 (Archived)',
Expand Down
Loading

0 comments on commit 45a1a05

Please sign in to comment.