Federation

MOSK integrates with the Mirantis Container Cloud Identity and Access Management (IAM) subsystem to allow centralized management of users and their permissions across multiple clouds.

The core component of Container Cloud IAM is Keycloak, the open-source identity and access management software. Its primary function is to perform secure authentication of cloud users against its built-in identity database or various external ones, such as LDAP directories and OpenID Connect- or SAML-compatible identity providers.

By default, every MOSK cluster is integrated with the Keycloak instance running in the Container Cloud management cluster. The integration automatically provisions the necessary configuration on both the MOSK and Container Cloud IAM sides, such as the os client object in Keycloak. However, for federated users to receive the proper permissions after logging in, the cloud operator needs to define role mapping rules specific to each MOSK environment.

Connecting to Keycloak

MOSK enables you to connect to the Keycloak identity provider through the following structure in the OpenStackDeployment custom resource:

spec:
  features:
    keystone:
      keycloak:
        enabled: true
        url: https://keycloak.it.just.works
        oidc:
          OIDCSSLValidateServer: false
          OIDCOAuthSSLValidateServer: false
          OIDCScope: "openid email profile groups"

Connecting to external identity provider

Available since MOSK 24.3 TechPreview

MOSK enables you to connect an external identity provider to Keystone directly through the following structure in the OpenStackDeployment custom resource:

spec:
  features:
    keystone:
      federation:
        openid:
          enabled: true
          oidc_auth_type: oauth2
          providers:
            keycloak:
              description: Keycloak provider
              issuer: https://keycloak.it.just.works/auth/realms/iam
              mapping:
              - local:
                - user:
                    email: '{1}'
                    name: '{0}'
                - domain:
                    name: Default
                  groups: '{2}'
                remote:
                - type: OIDC-iam_username
                - type: OIDC-email
                - type: OIDC-iam_roles
              metadata:
                client:
                  client_id: os
                conf:
                  response_type: id_token
                  scope: openid email profile
                  ssl_validate_server: false
                provider:
                  value_from:
                    from_url:
                      url: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration
            okta:
              description: OKTA provider
              enabled: true
              issuer: https://dev-68495932.okta.com/oauth2/default
              mapping:
              - local:
                - user:
                    email: '{1}'
                    name: '{0}'
                - domain:
                    name: Default
                  groups: m:os@admin
                remote:
                - type: OIDC-name
                - type: OIDC-email
              metadata:
                client:
                  client_id: 0oaixfwyqcAkCbC335d7
                  client_secret: aKOtnqHwu37ricQJfOD9ShECqj7DY7SVHgh8nm1NwlAhGbQjGqREHencsGagyfmQ
                conf: {}
                provider:
                  value_from:
                    from_url:
                      url: https://dev-68495932.okta.com/oauth2/default/.well-known/openid-configuration
              oauth2:
                OAuth2TokenVerify: jwks_uri https://dev-68495932.okta.com/oauth2/default/v1/keys
              token_endpoint: https://dev-68495932.okta.com/oauth2/default/v1/token

The oidc_auth_type parameter specifies the Apache module to use: oauth20 or oauth2. The oauth20 functionality is deprecated and superseded by the new oauth2 module. You can configure two or more identity providers only with the oauth2 module.
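The mapping section of each provider is evaluated positionally: every {n} in the local part refers to the nth entry of the remote part. The following is an added example, not MOSK or Keystone code, of a simplified evaluator for the two rules shown above, with constructed claim values; it lets an operator see which user, domain and groups a login would receive before enabling a rule.

```python
from typing import Any, Optional

# Rules copied from the keycloak and okta providers in the resource above.
KEYCLOAK_RULE = {
    "local": [{"user": {"email": "{1}", "name": "{0}"}},
              {"domain": {"name": "Default"}, "groups": "{2}"}],
    "remote": [{"type": "OIDC-iam_username"}, {"type": "OIDC-email"},
               {"type": "OIDC-iam_roles"}],
}
OKTA_RULE = {
    "local": [{"user": {"email": "{1}", "name": "{0}"}},
              {"domain": {"name": "Default"}, "groups": "m:os@admin"}],
    "remote": [{"type": "OIDC-name"}, {"type": "OIDC-email"}],
}


def _render(template: str, values: list[Any]) -> Any:
    # A template that is exactly one reference to a list-valued claim (such
    # as a roles claim) expands to the whole list; anything else is plain
    # positional substitution. This is a simplification of Keystone's engine.
    for i, value in enumerate(values):
        if template == "{%d}" % i and isinstance(value, list):
            return list(value)
    return template.format(*values)


def apply_rule(rule: dict, claims: dict[str, Any]) -> Optional[dict]:
    """Render the rule's local section from the asserted claims.

    Returns None when any remote attribute is absent: the rule then does not
    match, and a login that matches no rule is refused rather than mapped.
    """
    try:
        values = [claims[remote["type"]] for remote in rule["remote"]]
    except KeyError:
        return None
    result: dict[str, Any] = {"groups": []}
    for item in rule["local"]:
        for key, spec in item.items():
            if isinstance(spec, dict):
                result[key] = {k: _render(v, values) for k, v in spec.items()}
            else:
                rendered = _render(spec, values)
                result["groups"] += rendered if isinstance(rendered, list) else [rendered]
    return result
```

Running the okta rule shows that the literal m:os@admin places every user that provider authenticates in the admin group, so that rule only makes sense where the provider itself restricts who can sign in; the keycloak rule instead takes groups from the OIDC-iam_roles claim.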