---
title: HashiCorp Vault Integration - OIDC with KeyCloak
description: HashiCorp Vault Integration OIDC Authentication with KeyCloak
---

HashiCorp Vault Integration - OIDC with KeyCloak

PREREQS / COMPONENTS

  • HashiCorp Vault
  • KeyCloak
  • PostgreSQL
  • TerraForm
  • Optional: Identity Aware Proxy (IAP)

OVERVIEW

This repo walks through how to set up Vault and Keycloak for OIDC Authentication.

Vault OIDC IDP Flow

Log into Vault via OIDC validation from the Keycloak IDP

BASICS

High Level Setup

  • HCLIC: You will need to provide your own Vault Enterprise License File
    • Place your vault.hclic in the root of this repo when you execute your setup and configurations via make
  • Sequence:
    • (Optional) Clone and Link Vault and Keycloak Repos
      • ./docker-vault
      • ./docker-keycloak
    • (Optional) Spin up Vault and Keycloak (along with PostgreSQL)
    • Configure Vault and Keycloak for OIDC
      • ./integration
      • Requirements:
        • Vault URL
        • Vault Token
        • Keycloak URL
        • Keycloak User
        • Keycloak Password
      • You may need to manually edit ./integration/terraform/terraform.auto.tfvars or the environment variables below if you are not using the local Docker instances of Vault and Keycloak.

Environment Variables

| KEY | DEFAULT |
| --- | --- |
| vault_url | http://localhost:8200 |
| keycloak_url | http://localhost:8080 |
| vault_root_token | `cat docker-vault/terraform/data/scripts/vault.json \| jq -r '.root_token'` |
| keycloak_user | admin |
| keycloak_password | passw0rd |

USAGE

Vault-Keycloak OIDC Integration Only

If you already have a Vault and Keycloak environment running somewhere, you just need to set your environment variables with the relevant inputs.

| Action | Command |
| --- | --- |
| Set up OIDC Integration | `make -f Makefile integrate-only` |
| Clean OIDC Integration | `make -f Makefile clean-integrate` |

Spin up Vault, Keycloak, and set up OIDC Integration

Instantiate Vault and Keycloak then integrate OIDC between the two platforms.

| Action | Command |
| --- | --- |
| Spin up | `make -f Makefile testbed-all` |
| Clean | `make -f Makefile clean-all` |

FILES

.
├── LICENSE
├── Makefile
├── README.md
├── assets
├── docker-keycloak -> ./tmp/testbed-docker-keycloak/docker-keycloak
├── docker-vault -> ./tmp/hcp-vault-docker-enterprise/docker-vault
├── integration
│   ├── Makefile
│   ├── docker-compose
│   │   └── vault-agent
│   └── terraform
│       ├── 00.variables.tf
│       ├── 00.versions.tf
│       ├── 01.keycloak.tf
│       ├── 01.vault.tf
│       ├── 99.outputs.tf
│       ├── templates
│       │   ├── app1_owner_policy.tpl
│       │   ├── app1_reader_policy.tpl
│       │   ├── app2_owner_policy.tpl
│       │   ├── app2_reader_policy.tpl
│       │   ├── vault_admin_policy.tpl
│       │   └── vault_super_admin_policy.tpl
│       ├── terraform.auto.tfvars
│       ├── terraform.tfstate
│       └── terraform.tfstate.backup
├── terraform.tfstate
├── utility
└── vault.hclic

OIDC ENTITY MATRIX

| ENTITY | PASSWORD | KEYCLOAK REALM | KEYCLOAK ROLE | VAULT NAMESPACE | VAULT POLICY |
| --- | --- | --- | --- | --- | --- |
| alice | alice | demo | vault_super_admin_role | root, demo | vault_super_admin_policy.tpl |
| bob | bob | demo | vault_admin_role | root, demo | vault_admin_policy.tpl |
| carol | carol | demo | app1_owner_role | root, demo | app1_owner_policy.tpl |
| dan | dan | demo | app2_owner_role | root, demo | app2_owner_policy.tpl |
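How one row of the matrix above becomes a Vault login: the Keycloak client role is emitted as a claim, Vault's OIDC role reads that claim as the groups list, and an external identity group alias named after the role attaches the policy. This is an added example, not the repo's own Terraform; it covers a single namespace (the repo configures both root and demo), the client id "vault", the claim name "roles" and the mapper/backend names are assumptions, and the discovery URL assumes a Keycloak version that serves realms under /realms rather than /auth/realms.

```hcl
# Added example (not the repo's code): Keycloak client role -> Vault external group.
# Assumed names: client "vault", claim "roles"; realm/role/policy names are the page's.
resource "keycloak_openid_client" "vault" {
  realm_id              = keycloak_realm.demo.id
  client_id             = "vault"
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  valid_redirect_uris   = ["${var.vault_url}/ui/vault/auth/oidc/oidc/callback",
                           "http://localhost:8250/oidc/callback"]
}
# Put the user's client roles into the ID token so Vault can read them as groups.
resource "keycloak_openid_user_client_role_protocol_mapper" "roles" {
  realm_id                    = keycloak_realm.demo.id
  client_id                   = keycloak_openid_client.vault.id
  name                        = "vault-client-roles"
  claim_name                  = "roles"
  client_id_for_role_mappings = keycloak_openid_client.vault.client_id
  multivalued                 = true
  add_to_id_token             = true
}
resource "vault_jwt_auth_backend" "keycloak" {
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = "${var.keycloak_url}/realms/${keycloak_realm.demo.realm}"
  oidc_client_id     = keycloak_openid_client.vault.client_id
  oidc_client_secret = keycloak_openid_client.vault.client_secret
  default_role       = "default"
}
resource "vault_jwt_auth_backend_role" "default" {
  backend               = vault_jwt_auth_backend.keycloak.path
  role_name             = "default"
  role_type             = "oidc"
  user_claim            = "preferred_username"
  groups_claim          = "roles"   # must equal claim_name in the mapper above
  bound_audiences       = [keycloak_openid_client.vault.client_id]
  allowed_redirect_uris = keycloak_openid_client.vault.valid_redirect_uris
  token_policies        = ["default"]   # real rights come only via group membership
}
# External group: membership is recomputed from the groups claim at every login,
# so removing the Keycloak role from a user revokes the policy on their next login.
resource "vault_identity_group" "app1_owner" {
  name     = "app1_owner_group"
  type     = "external"
  policies = [vault_policy.app1_owner.name]
}
resource "vault_identity_group_alias" "app1_owner" {
  name           = keycloak_role.app1_owner_role.name   # alias name == Keycloak role name
  mount_accessor = vault_jwt_auth_backend.keycloak.accessor
  canonical_id   = vault_identity_group.app1_owner.id
}
```

A login by carol (who holds app1_owner_role) therefore yields a token whose policies are default plus app1_owner, while alice, who lacks that role, gets no app1 access even though she logs in through the same backend.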

CONTAINERS

| CONTAINER | NETWORK | IP | PORT-INTERNAL | PORT-EXTERNAL |
| --- | --- | --- | --- | --- |
| vault_s1 | vault-ent-network | 10.88.0.18 | 8200 | 8200 |
| vault_s2 | vault-ent-network | 10.88.0.28 | 8200 | 28200 |
| vault_s3 | vault-ent-network | 10.88.0.38 | 8200 | 38200 |
| keycloak | vault-ent-network | 10.88.0.100 | 8080 | 8080 |
| postgresql | vault-ent-network | 10.88.0.101 | 5432 | 5432 |

TERRAFORM

Requirements

| Name | Version |
| --- | --- |
| terraform | >= 0.13 |
| keycloak | >= 3.0.0 |
| vault | >= 3.0.0 |

Providers

| Name | Version |
| --- | --- |
| keycloak | 4.4.0 |
| vault | 3.25.0 |

Modules

No modules.

Resources

| Name | Type |
| --- | --- |
| keycloak_openid_client.openid_client | resource |
| keycloak_openid_user_client_role_protocol_mapper.user_client_role_mapper | resource |
| keycloak_realm.demo | resource |
| keycloak_role.app1_owner_role | resource |
| keycloak_role.app2_owner_role | resource |
| keycloak_role.vault_admin_role | resource |
| keycloak_role.vault_super_admin_role | resource |
| keycloak_user.user_alice | resource |
| keycloak_user.user_bob | resource |
| keycloak_user.user_carol | resource |
| keycloak_user.user_dan | resource |
| keycloak_user_roles.alice_roles | resource |
| keycloak_user_roles.bob_roles | resource |
| keycloak_user_roles.carol_roles | resource |
| keycloak_user_roles.dan_roles | resource |
| vault_approle_auth_backend_role.app1 | resource |
| vault_approle_auth_backend_role_secret_id.app1 | resource |
| vault_auth_backend.approle | resource |
| vault_identity_group.app1_owner_group | resource |
| vault_identity_group.app2_owner_group | resource |
| vault_identity_group.vault_admin_group | resource |
| vault_identity_group.vault_super_admin_group | resource |
| vault_identity_group_alias.app1_owner_group_alias | resource |
| vault_identity_group_alias.app2_owner_group_alias | resource |
| vault_identity_group_alias.vault_admin_group_alias | resource |
| vault_identity_group_alias.vault_super_admin_group_alias | resource |
| vault_identity_oidc_key.keycloak_provider_key_demo | resource |
| vault_identity_oidc_key.keycloak_provider_key_root | resource |
| vault_jwt_auth_backend.keycloak_demo | resource |
| vault_jwt_auth_backend.keycloak_root | resource |
| vault_jwt_auth_backend_role.default_demo | resource |
| vault_jwt_auth_backend_role.default_root | resource |
| vault_kv_secret_v2.app1_secret | resource |
| vault_kv_secret_v2.app2_secret | resource |
| vault_mount.kvv2 | resource |
| vault_namespace.demo | resource |
| vault_policy.app1_owner | resource |
| vault_policy.app1_reader | resource |
| vault_policy.app2_owner | resource |
| vault_policy.app2_reader | resource |
| vault_policy.vault_admin | resource |
| vault_policy.vault_super_admin | resource |
| vault_approle_auth_backend_role_id.app1 | data source |

Inputs

| Name | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| keycloak_password | Keycloak Password | string | "" | no |
| keycloak_url | Keycloak URL | string | "http://keycloak:8080" | no |
| keycloak_user | Keycloak User | string | "" | no |
| vault_root_token | Vault Root Token | string | "" | no |
| vault_url | Vault URL | string | "http://localhost:8200" | no |

Outputs

No outputs.


ACKNOWLEDGEMENTS

Thanks to @nicklhw
