Skip to content
Documentation

Setup Single Sign-On of Hashicorp Vault with Opstella

Prerequisites

Section titled “Prerequisites”

To Setup Single Sign-On with Opstella, you need

Vault Single Sign-On Integration

Section titled “Vault Single Sign-On Integration”

  1. Connect to 🟢 Management Kubernetes Cluster ; i.e w/ Kubeconfig File

    Set Kubeconfig File

    Terminal window
    export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

  2. Get into vault-0 (Vault Cluster-Lead Instance) container using kubectl exec.

    Terminal window
    kubectl exec -i -t --namespace devsecops-system pod/vault-0 -- sh

  3. Use the retrieved 🗝️ Vault Root Token to authenticate with Vault

    • Token will be xyz.AbC123...dEf456 format (28 Characters)
    export VAULT_TOKEN="CHANGEME"

  4. Enable Single Sign-On with OIDC Authentication

    Terminal window
    vault auth enable oidc

  5. Specify OIDC Authentication Information

    Using Opstella Keycloak Information

    • Opstella Keycloak Domain: idp.${BASE_DOMAIN}

    • Opstella Keycloak Realm Name: ${KEYCLOAK_REALM}

      💡 Your dedicated Keycloak Realm. foobar-opstella ; Please change accordingly

      export KEYCLOAK_DOMAIN="idp.${BASE_DOMAIN}"
      export KEYCLOAK_REALM="foobar-opstella"

    • OIDC Issuer Endpoint from Opstella Keycloak Information

      export OIDC_ISSUER_ENDPOINT="https://${KEYCLOAK_DOMAIN}/realms/${KEYCLOAK_REALM}"

    • Client ID: vault

    • Client secret: CHANGEME

      export VAULT_OIDC_CLIENT_ID="vault"
      export VAULT_OIDC_CLIENT_SECRET="CHANGEME"

  6. Create OIDC Authentication Configuration

    Terminal window
    cat <<EOF > /tmp/oidc_config.json
    {
      "oidc_discovery_url": "${OIDC_ISSUER_ENDPOINT}",
      "oidc_client_id": "${VAULT_OIDC_CLIENT_ID}",
      "oidc_client_secret": "${VAULT_OIDC_CLIENT_SECRET}",
      "default_role": "default"
    }
    EOF

  7. Create OIDC Authentication Backend Configuration

    • Vault Domain: ${VAULT_DOMAIN} is assumed to be exported as defined in the Shell Variables guide.

      Terminal window
      cat <<EOF > /tmp/oidc_backend.json
      {
      "role_type": "oidc",
      "token_ttl": "1h",
      "token_max_ttl": "1h",
      "bound_audiences": "vault",
      "user_claim": "sub",
      "groups_claim": "groups",
      "claim_mappings": {
          "preferred_username": "username",
          "email": "email"
      },
      "allowed_redirect_uris": [
          "https://${VAULT_DOMAIN}/ui/vault/auth/oidc/oidc/callback",
          "http://${VAULT_DOMAIN}/oidc/callback"
      ]
      }
      EOF

  8. Write OIDC Authentication Configuration

    Terminal window
    vault write auth/oidc/config @/tmp/oidc_config.json
    Terminal window
    vault write sys/auth/oidc/tune token_type="default-service" listing_visibility="unauth" description="Opstella SSO Integration" default_lease_ttl="1h" max_lease_ttl="1h"

  9. Write OIDC Authentication Backend Configuration

    Terminal window
    vault write auth/oidc/role/default @/tmp/oidc_backend.json

  10. Clean up

    Terminal window
    rm -r /tmp/*.json

You will be testing Single Sign-On Integration in End-to-End Testing/Single Sign-On for Vault

Finished?

Use the below navigation to proceed