The next step is to access the Keycloak login page using your favourite browser. You can find the IP address of the Keycloak server in the output of the kubectl get pods command listed above. If Keycloak is running on a remote cluster, you can use sshuttle to help you access it. Run the following commands:
sudo apt install sshuttle -y
sshuttle -r <USERNAME>@<HOST> <keycloak_server>
Then point your browser to http://<keycloak_server>:8080/ and use the default credentials admin/admin to log in to Keycloak.
Once you have logged in, navigate to the Realm Settings screen and click OpenID Endpoint Configuration. From the JSON code that's shown, find the issuer value and make a note of it, as you will need it later.
Now we're going to create a new client configuration, so navigate to the Clients screen and click Create. Enter your preferred clientid, for example you could enter "CKF", select the protocol openid-connect and hit Save. We'll use the clientid a bit later, so make a note of the value that you chose.
Next change Access Type to confidential and in Valid Redirect URI, add your Charmed Kubeflow deployment's public URL with the path as follows (it should be similar to http://<YOUR FQDN>/dex/callback) and press +. Make a note of this URL as you will need it later. Scroll down and hit Save.
You should now see a new tab at the top of the screen, Credentials. Navigate to it, and make a note of the client secret as you will need it later.
User configuration
Go to Users, click Add user, and create a new user by filling in Username, Email, and checking Email Verified. Hit Save.
Now go to the Credentials tab and add a new password (unchecking Temporary). Hit Save.
Client scopes configuration
Navigate to the Clients screen and select your client, e.g. CKF. Navigate to the Client Scopes tab, choose Evaluate, enter the username and hit the Evaluate button. Go to the Generated Access Token tab, and make a note of the scopes that are shown in the JSON, as you will need this information later. Typically they are likely to be openid, profile and email.
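The values noted in the steps above (issuer, clientid, redirect URL and scopes) can be cross-checked against each other before they are used later. The following is an added example, not part of the original guide: the helper name, hostnames, the master realm and both JSON documents are constructed samples standing in for what Keycloak shows on the OpenID Endpoint Configuration and Generated Access Token screens.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the JSON shown by "OpenID Endpoint Configuration".
BASE = "http://keycloak.example.internal:8080/auth/realms/master"
DISCOVERY = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})
# Constructed sample of the JSON on the "Generated Access Token" tab.
ACCESS_TOKEN = json.dumps({"iss": BASE, "azp": "CKF", "scope": "openid profile email"})

def collect_oidc_settings(discovery_json, token_json, client_id, redirect_uri):
    """Hypothetical helper: return the noted values plus any inconsistencies found."""
    disc, tok = json.loads(discovery_json), json.loads(token_json)
    issuer = disc.get("issuer", "")
    problems = []
    if not issuer:
        problems.append("discovery document has no issuer")
    # Endpoints outside the issuer path mean the wrong realm or host was copied.
    for key in ("authorization_endpoint", "token_endpoint"):
        if not disc.get(key, "").startswith(issuer.rstrip("/") + "/"):
            problems.append(f"{key} is not under the issuer")
    if tok.get("iss") != issuer:
        problems.append("token iss does not match the issuer")
    if tok.get("azp") != client_id:
        problems.append("token was not issued for this client ID")
    # The scope claim is a space-separated string.
    scopes = tok.get("scope", "").split()
    if "openid" not in scopes:
        problems.append("openid scope missing")
    unsupported = [s for s in scopes if s not in disc.get("scopes_supported", [])]
    if unsupported:
        problems.append(f"scopes not advertised by the realm: {unsupported}")
    if urlparse(redirect_uri).path != "/dex/callback":
        problems.append("redirect URI path is not /dex/callback")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer uses plain HTTP; tokens and the client secret are sent unencrypted")
    return {"issuer": issuer, "client_id": client_id, "redirect_uri": redirect_uri,
            "scopes": scopes, "problems": problems}

if __name__ == "__main__":
    result = collect_oidc_settings(DISCOVERY, ACCESS_TOKEN, "CKF",
                                   "http://kubeflow.example.internal/dex/callback")
    print(json.dumps(result, indent=2))
```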