Kubernetes at home - Part 6: Keycloak authentication and Azure Active Directory

Here’s a quick detour into adding Azure Active Directory as an Identity Provider for Keycloak in my home Kubernetes single-node cluster. I’m not going into much detail since OpenID Connect is so well documented. Most of the steps for this specific connection can also be found here.

High level steps

  1. Registering a new application in Azure.

New Azure app registration

  2. Registering a new realm in Keycloak, so I'm not using the main one.

New Keycloak realm

  3. Registering a new identity provider in Keycloak. Most of the OpenID Connect config can be imported automatically from the OpenID well-known configuration.

New Keycloak identity provider registration

  4. Keycloak has a small client already built in for user account management, and that provides a handy way to test the new identity provider.

Keycloak login

  5. So long as you can log in to Azure Active Directory, you can go ahead and get into Keycloak.

Keycloak registered user
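Step 3 is where the security-relevant decisions sit: the well-known document tells Keycloak where to send users, where to fetch signing keys, and which issuer to trust in ID tokens. The following is an added example, not code from the post or from Keycloak itself, that does offline what Keycloak's "import from URL" does, with the checks made explicit: the issuer must be the tenant you expect, every endpoint must be https, and the provider must support the authorization-code flow. It runs against a constructed sample discovery document shaped like the Azure AD v2.0 one; the tenant id, client id and alias are placeholders, and the Keycloak representation fields (`providerId: "oidc"`, `authorizationUrl`, `tokenUrl`, `jwksUrl`, `useJwksUrl`, `validateSignature`) are the ones the OIDC identity provider accepts, assumed here from the admin REST API rather than taken from the post.

```python
"""Build a Keycloak OIDC identity-provider definition from an OpenID discovery document."""
from urllib.parse import urlparse

# Placeholder tenant id: replace with your own Azure AD tenant GUID (assumption).
TENANT_ID = "00000000-0000-0000-0000-000000000000"


def discovery_url(tenant_id: str) -> str:
    """Well-known configuration URL for an Azure AD v2.0 tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


# Constructed sample: abridged shape of what the discovery URL returns.
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Keys Keycloak needs to complete a code flow and verify ID-token signatures.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
URL_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
              "userinfo_endpoint", "end_session_endpoint")


def check_discovery(discovery: dict, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = [f"missing field {k}" for k in REQUIRED if k not in discovery]
    if "issuer" in discovery and discovery["issuer"] != expected_issuer:
        # Trusting whatever issuer the document claims would let a mis-typed or
        # hijacked URL redirect logins to another tenant; pin it to the expected one.
        problems.append(f"issuer {discovery['issuer']!r} != expected {expected_issuer!r}")
    for name in URL_FIELDS:
        if name in discovery:
            parsed = urlparse(discovery[name])
            if parsed.scheme != "https" or not parsed.netloc:
                problems.append(f"{name} is not an absolute https URL")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not offer the authorization code flow")
    return problems


def idp_from_discovery(discovery: dict, expected_issuer: str, client_id: str,
                       alias: str = "azure-ad") -> dict:
    """Map a validated discovery document onto a Keycloak identity-provider representation."""
    problems = check_discovery(discovery, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    config = {
        "issuer": discovery["issuer"],
        "authorizationUrl": discovery["authorization_endpoint"],
        "tokenUrl": discovery["token_endpoint"],
        "jwksUrl": discovery["jwks_uri"],
        # Fetch keys from the JWKS endpoint and verify every ID token's signature;
        # Keycloak stores these config values as strings.
        "useJwksUrl": "true",
        "validateSignature": "true",
        "clientId": client_id,
        "defaultScope": "openid profile email",
        # clientSecret is deliberately left out: set it in the admin console or
        # from a secret store, never in a file committed alongside this config.
    }
    if "userinfo_endpoint" in discovery:
        config["userInfoUrl"] = discovery["userinfo_endpoint"]
    if "end_session_endpoint" in discovery:
        config["logoutUrl"] = discovery["end_session_endpoint"]
    return {
        "alias": alias,
        "displayName": "Azure Active Directory",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,   # Keycloak should not mark emails verified just because AAD sent them
        "config": config,
    }


if __name__ == "__main__":
    import json
    rep = idp_from_discovery(SAMPLE_DISCOVERY, SAMPLE_DISCOVERY["issuer"], "client-id-placeholder")
    print(json.dumps(rep, indent=2))
```

The returned dictionary is the body you would POST to `/admin/realms/{realm}/identity-provider/instances` on the new realm, which is what the admin console does behind the form in step 3; the point of writing it out is that the issuer pin and the https check become reviewable rather than implicit.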

Summary and motivation

For the most part, I want to be able to have a self-sufficient Kubernetes cluster at home; however, this is a happy medium in my mind.

By using Azure AD as an identity provider, I get some convenience that is optional. The entirety of the identity provider could be inaccessible or removed, and I'd still have control of users and configuration here. Further, in a theoretical world where I start shipping software from this local environment, authentication is a cross-cutting concern that I'd happily replace with a cloud service once this all left my home network.