Overview
UDS Core leverages Keycloak and Authservice to simplify authentication and authorization for applications. These tools enable seamless user authentication experiences while supporting various OAuth 2.0 and OpenID Connect (OIDC) flows.
UDS Core automates Keycloak Client configuration, secret management, and advanced templating, offering scalable support for a wide range of applications and authentication scenarios. The chart below illustrates the basic logical connection between these concepts:
When a new UDS Package CR with the `sso` configuration gets deployed, the UDS Operator creates a new Keycloak Client. This happens in one of two modes: Dynamic Client Registration, or the Keycloak Admin endpoint for managing Clients. The Operator automatically picks the right mode based on the Keycloak Realm configuration. In the Dynamic Client Registration mode, the Registration Token used for updating and removing the newly created Keycloak Client is stored in the Pepr Store. In the Admin endpoint mode, the Operator reads the Client Secrets from the `keycloak-client-secrets` Kubernetes Secret deployed in the `keycloak` namespace; this Secret is managed automatically by the UDS Operator. Once the Keycloak Client is ready, and `enableAuthserviceSelector` is defined in the spec, the UDS Operator deploys an Istio RequestAuthentication and AuthorizationPolicy for both JWT and request headers. Both actions combined enable seamless and transparent application authentication and authorization.
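As an added example (not UDS Core's own code or documentation), the script below renders a UDS Package CR whose `sso` entry sets `enableAuthserviceSelector`, applies it, and then checks that the Istio RequestAuthentication and AuthorizationPolicy described above appear in the application namespace. The `spec.sso` field names (`name`, `clientId`, `redirectUris`, `groups.anyOf`, `enableAuthserviceSelector`), the callback path, and the `/UDS Core/Admin` group path are assumptions; confirm them against the Package CRD in your cluster with `kubectl explain package.spec.sso`.

```shell
#!/bin/sh
# Added example, not UDS Core's own code. Renders a UDS Package CR with an
# `sso` entry and applies it, then checks for the Istio policies the operator
# is described as creating. Field names under spec.sso, the callback path and
# the Keycloak group paths are assumptions; verify them against the CRD.
set -eu

# Emit the manifest on stdout. $1 = application name, $2 = namespace, $3 = hostname.
render_package_manifest() {
  app="$1"; ns="$2"; host="$3"
  cat <<EOF
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: ${app}
  namespace: ${ns}
spec:
  sso:
    - name: ${app}
      clientId: uds-core-${app}
      redirectUris:
        - "https://${host}/oauth2/callback"   # assumed callback path
      # Only members of these Keycloak groups (assumed paths) may log in
      groups:
        anyOf:
          - "/UDS Core/Admin"
          - "/UDS Core/Auditor"
      # Pods matching these labels are protected by Authservice
      enableAuthserviceSelector:
        app.kubernetes.io/name: ${app}
EOF
}

# Apply the manifest and confirm the operator produced both Istio resources.
apply_and_verify() {
  app="$1"; ns="$2"; host="$3"
  render_package_manifest "$app" "$ns" "$host" | kubectl apply -f -
  i=0
  while [ "$i" -lt 30 ]; do
    if kubectl -n "$ns" get requestauthentication -o name | grep -q . \
       && kubectl -n "$ns" get authorizationpolicy -o name | grep -q .; then
      echo "RequestAuthentication and AuthorizationPolicy present in ${ns}"
      return 0
    fi
    sleep 2; i=$((i + 1))
  done
  echo "timed out waiting for Istio policies in ${ns}" >&2
  return 1
}

# Only touch the cluster when explicitly asked to.
if [ "${UDS_SSO_EXAMPLE_APPLY:-0}" = "1" ]; then
  apply_and_verify "${APP:-demo-app}" "${NS:-demo}" "${HOST:-demo.uds.dev}"
fi
```

Run with `UDS_SSO_EXAMPLE_APPLY=1 APP=myapp NS=myns HOST=myapp.example.com sh ./example.sh`; without the variable the script only defines the functions, so it can be sourced to inspect the rendered manifest first.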
Rotating the UDS Operator Client Secret
The UDS Operator uses a dedicated Client in Keycloak. In some cases, the Client Secret needs to be rotated. To do so, manually modify the `keycloak-client-secrets` Kubernetes Secret in the `keycloak` namespace and delete the `uds-operator` key. The UDS Operator will automatically re-create it.
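The rotation procedure above, written out as an added example (not UDS Core's own tooling): it removes the `uds-operator` key from the `keycloak-client-secrets` Secret with a JSON Patch and then waits until the UDS Operator has re-created the key with a different value, so the script fails loudly rather than reporting success on a stale secret. It assumes `kubectl` access to the cluster and uses only the Secret name, namespace and key named on this page.

```shell
#!/bin/sh
# Added example, not UDS Core's own code. Rotates the UDS Operator's Keycloak
# client secret by deleting the `uds-operator` key from keycloak-client-secrets
# in the keycloak namespace and waiting for the operator to re-create it.
set -eu

SECRET_NAME="keycloak-client-secrets"
SECRET_NS="keycloak"
KEY="uds-operator"

# Build the JSON Patch that removes one key from the Secret's data map.
# Path segments are escaped per RFC 6901 ("~" -> "~0", "/" -> "~1").
build_remove_key_patch() {
  key="$1"
  escaped="$(printf '%s' "$key" | sed 's#~#~0#g; s#/#~1#g')"
  printf '[{"op":"remove","path":"/data/%s"}]' "$escaped"
}

# Read the stored (base64) value of a key, or nothing if it is absent.
read_key() {
  kubectl -n "$SECRET_NS" get secret "$SECRET_NAME" \
    -o jsonpath="{.data.$1}" 2>/dev/null || true
}

rotate_uds_operator_secret() {
  before="$(read_key "$KEY")"
  if [ -z "$before" ]; then
    echo "key $KEY not present in $SECRET_NS/$SECRET_NAME" >&2
    return 1
  fi
  kubectl -n "$SECRET_NS" patch secret "$SECRET_NAME" \
    --type=json -p "$(build_remove_key_patch "$KEY")"
  # Wait for the operator to re-create the key with a new value.
  i=0
  while [ "$i" -lt 30 ]; do
    after="$(read_key "$KEY")"
    if [ -n "$after" ] && [ "$after" != "$before" ]; then
      echo "rotated: $KEY was re-created by the UDS Operator"
      return 0
    fi
    sleep 2; i=$((i + 1))
  done
  echo "timed out waiting for $KEY to be re-created" >&2
  return 1
}

# Only touch the cluster when explicitly asked to.
if [ "${UDS_ROTATE_APPLY:-0}" = "1" ]; then
  rotate_uds_operator_secret
fi
```

Run with `UDS_ROTATE_APPLY=1 sh ./rotate.sh`. Comparing the value before and after the patch is the check that matters: deleting the key is easy, but the rotation is only complete once the operator has written a fresh secret back.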
User Groups
UDS Core deploys Keycloak with some preconfigured groups that applications inherit through their SSO and IDP configurations. More details can be found in the Package CR spec.
Applications
Grafana
Grafana maps the groups from Keycloak to its internal `Admin` and `Viewer` groups.

| Keycloak Group | Mapped Grafana Group |
|---|---|
| Admin | Admin |
| Auditor | Viewer |
If a user doesn't belong to either of these Keycloak groups, the user will be unauthorized when accessing Grafana.
Neuvector
Neuvector maps the groups from Keycloak to its internal `admin` and `reader` groups.

| Keycloak Group | Mapped Neuvector Group |
|---|---|
| Admin | admin |
| Auditor | reader |
Keycloak
All groups are under the `Uds Core` parent group, so a group is frequently referred to by its full path, such as `Uds Core/Admin` or `Uds Core/Auditor`. In the Keycloak UI, reaching these sub-groups requires an additional click into the parent group.