Now that we’ve figured out how to get Jenkins to talk to FreeIPA directly we can explore other authentication schemes. We are going to start with Keycloak because it provides an OpenID API which we can consume in other applications to avoid some of the complexity of talking LDAP to FreeIPA.

Preparing Keycloak Prerequisites

LDAP Service Account

Since we will be talking to FreeIPA’s LDAP server we will need to create a new service account for Keycloak with a secure password. Set one up in FreeIPA and note down both the bind DN and the password for use later in the realm configuration.

Kubernetes Namespace

Like with all of the other projects in this series we’re going to create a unique namespace for Keycloak to deploy into. This can be done with the rancher tool or with raw kubectl if you don’t mind the namespace showing up in the default project.

# Rancher CLI
$ export RANCHER_URL=
$ export RANCHER_TOKEN=<authentication_token>
$ rancher login $RANCHER_URL --token $RANCHER_TOKEN
$ rancher namespaces create keycloak

# Kubernetes CLI
$ export KUBECONFIG=/path/to/kube_config.yml
$ kubectl create namespace keycloak

Administrator and Database Passwords

We need two password secrets for Keycloak to run properly, one for the Keycloak administrative user and one to pass to the bundled PostgreSQL chart to set up the database.

# PostgreSQL
$ kubectl create secret generic keycloak-postgres-password \
    --namespace keycloak \
    --from-literal password=<db_password>

# Keycloak Administrator
$ kubectl create secret generic keycloak-admin-password \
    --namespace keycloak \
    --from-literal password=<admin_password>

While we can mostly ignore the Postgres password so long as it is secure, we should note down the Keycloak administrator password so that we can access the Keycloak web UI during any testing and debugging.

Note: In re-reading the Keycloak Helm chart documentation it seems like this configuration, and the later database value configuration is unnecessary if you are using the bundled PostgreSQL chart. I have left it in here to document my actual steps.

SSL Certificates

Like all of my other services, this one is deployed with a SSL certificate issued by FreeIPA. I have the key and signed certificate and added them to the namespace as a standard TLS Secret.

$ kubectl create secret tls tls-keycloak-ingress \
    --namespace keycloak \
    --cert=keycloak.cert \

FreeIPA Keycloak Realm

This is where the real fun begins! I built my configuration using a combination of official documentation and a realm example provided by the keycloak-freeipa-docker project on GitHub. You can download the full example file here.

Unpacking freeipa-realm.json

The JSON file above is daunting when you first look at it but what it breaks down to is mostly a series of mappings which we’ll go through now. More documentation is available from the Keycloak Server Administration Guide.

The first section is where we configure the realm ID and provide a display name to show on the realm login screen. This is also where we set if we want the realm to be active and what credentials it requires. In my case I went with password only but Kerberos tokens can also be used for an even more seamless interface.

  "id": "freeipa-realm",
  "realm": "freeipa-realm",
  "displayName": " Realm",
  "enabled": true,
  "requiredCredentials": [

Next, we have the client list which are all of the clients allowed to use that realm for authentication and authorization. Right now this is just Jenkins over the OpenID protocol but more services could be added as we bring more things online. Keycloak supports several different protocols and will interact nicely with most web applications.

  "clients": [
      "clientId": "jenkins",
      "enabled": true,
      "publicClient": true,
      "protocol": "openid-connect",
      "rootUrl": "",
      "redirectUris": [
      "webOrigins": [

Now we have the actual LDAP configuration to connect Keycloak with FreeIPA. This is where we will use that service account we created earlier. I still haven’t figured out how to get LDAPS working with Keycloak but for now regular LDAP is ok. I have a sneaking suspicion the fix for LDAPS here will be strikingly similar to the one I devised for Jenkins. Big differences from the official LDAP realm is that we’ve configured the vendor to be rhds for RedHat Directory Server, the enterprise version of FreeIPA, and we’ve set the uuidLDAPAttribute to be ipaUniqueID. Additionally, we set the entire provider as read-only and to not sync registrations from Keycloak to FreeIPA. We want our FreeIPA install to be the single source of truth in our domain right now and we will manage our users and groups from there.

  "userFederationProviders": [
      "displayName": "ldap-freeipa",
      "providerName": "ldap",
      "priority": 1,
      "fullSyncPeriod": -1,
      "changedSyncPeriod": -1,
      "config": {
        "pagination": "true",
        "debug": "false",
        "searchScope": "1",
        "connectionPooling": "true",
        "usersDn": "cn=users,cn=accounts,dc=example,dc=com",
        "userObjectClasses": "inetOrgPerson, organizationalPerson",
        "usernameLDAPAttribute": "uid",
        "bindDn": "uid=keycloak,cn=sysaccounts,cn=etc,dc=example,dc=com",
        "bindCredential": "<service_account_password>",
        "rdnLDAPAttribute": "uid",
        "vendor": "rhds",
        "editMode": "READ_ONLY",
        "uuidLDAPAttribute": "ipaUniqueID",
        "connectionUrl": "ldap://",
        "syncRegistrations": "false",
        "authType": "simple"

Last, but not least, is the huge mess of data mappers which take various LDAP attributes and map them to their Keycloak equivalent. Most are fairly mundane, things like name and email address but the one shown below deserves a quick pause. This last mapping is how we translate the user groups we have in FreeIPA into roles for Keycloak. There are ways to map the actual roles that FreeIPA has over but I wasn’t as successful with them as I was just mapping groups.

  "userFederationMappers": [
      "name": "groups",
      "federationMapperType": "role-ldap-mapper",
      "federationProviderDisplayName": "ldap-freeipa",
      "config": {
        "roles.dn": "cn=groups,cn=accounts,dc=example,dc=com",
        "membership.ldap.attribute": "member",
        "": "cn",
        "role.object.classes": "groupOfNames",
        "mode": "LDAP_ONLY",
        "use.realm.roles.mapping": "true"

Creating the Secret

We are going to be mounting the realm JSON file as a volume secret in our Keycloak container so we need to create a secret out of the file and inject it into our namespace.

$ kubectl create secret generic freeipa-realm \
    --namespace keycloak \
    --from-file freeipa-realm.json=freeipa-realm.json

Deploying Keycloak With Helm

I am installing Keycloak with the Codecentric Helm chart so the next step is to write up the values file we will feed into Helm. Note: Again I do not think the dbVendor or existingSecret keys are actually required in this configuration but are retained to show what I actually did to get things working.

# keycloak-values.yml
  storageClass: nfs-client
  replicas: 1
  username: admin
  existingSecret: keycloak-admin-password
  extraVolumes: |
    - name: freeipa-realm
        secretName: freeipa-realm
  extraVolumeMounts: |
    - name: freeipa-realm
      mountPath: "/realm/"
      readOnly: true
  extraArgs: -Dkeycloak.import=/realm/freeipa-realm.json
    enabled: true
      - secretName: tls-keycloak-ingress
    deployPostgres: true
    dbVendor: postgres
    existingSecret: keycloak-postgres-password
    existingSecretPasswordKey: password
    enabled: true

The most interesting pieces here are the extraVolumes and extraVolumeMounts which allow us to load our FreeIPA JSON file into the container where it can be imported on startup. Beyond that, everything is pretty bog standard with TLS ingress handled by K8s and the bundled PostgreSQL chart handling data persistance. With the variables ready install is pretty straight forward.

$ helm install keycloak codecentric/keycloak \
    --namespace keycloak \
    --values keycloak-values.yml

Updating Jenkins Configuration

Now, at long last, we get to the whole point of this exercise: Jenkins authenticating with Keycloak. We’re going to open up the Jenkins Helm values we worked with last time and make some minor modifications to switch it over to using Keycloak. Under the JCasC configuration group we’re going to remove the LDAP configuration from configScripts and replace it with the following.

# jenkins-values.yml
keycloak-settings: |
    securityRealm: keycloak
    keycloakJson: |-
        "realm": "freeipa-realm",
        "auth-server-url": "",
        "ssl-required": "all",
        "resource": "jenkins",
        "public-client": true,
        "confidential-port": 0

This tells Jenkins to use Keycloak as it’s security realm and provides the Keycloak plugin with the OpenID JSON configuration it needs to connect with our new Keycloak instance. Before we update our Jenkins deploy we need to also make sure that keycloak:latest appears in our Jenkins configuration under the installPlugins key so that the plugin is installed and available when the Jenkins container starts up. Now it’s time to update our Jenkins install with Helm.

$ helm upgrade jenkins stable/jenkins \
    --namespace jenkins \
    --values jenkins-values.yml

Once the deploy is finished you should be able to access and be redirected to Keycloak to authenticate against FreeIPA. If all is well you should be sent back to the Jenkins landing page with all of your user information autofilled once you login successfully through Keycloak.