Integration of cluster nodes in Keycloak

EDIT 2025-07-01: Issue updated.

Rather than connecting to the nodes over SSH with a technical account and a shared private key, users should connect with a nominative account and their own private key, so that operations are traceable to a person. Integrating the nodes with an IdM allows that, and also allows tuning the permissions each user has on the nodes.

sssd version 2.11.0 introduces the Keycloak IdP provider. It can be used to authenticate users defined in Keycloak via SSH. By tuning Keycloak groups/users, PAM rules and sudoers files, we can also authorize some of those users to run selected privileged commands via sudo.

This issue is the umbrella covering the following steps:

  • Add the CA cert to the trust store of all provisioned nodes of management and workload clusters.
  • Add the ability to resolve the management Keycloak users from all nodes of the management and workload clusters
  • Provision in Vault the password of the openid client
  • Via Crossplane (if possible), declare an openid client with the proper configuration, using the password declared in Vault
  • Build Ubuntu and OpenSUSE images with Keycloak 2.11.0 (official packages not available).
  • Modify SCC to be able to:
    • provision the cluster with the SSSD configuration files containing the Keycloak endpoints as well as the openid client password
    • enable the SSSD systemd service
    • push all related configuration for SSH and SUDO.
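As an added example (not SCC's or the project's own code), a provisioning script for the SSSD and sudo files listed above. The Keycloak base URL, realm, client id, secret and group name are placeholders; the option names follow sssd-idp(5) as of sssd 2.11, and the `keycloak:` URL form should be checked against the man page of the version actually packaged.

```shell
#!/usr/bin/env bash
# Added example, not SCC's provisioning code. Renders the SSSD and sudo files
# the issue lists; every URL, client id, secret and group name is a placeholder.
set -euo pipefail

KC_BASE="${KC_BASE:-https://keycloak.example.internal}"             # placeholder
KC_REALM="${KC_REALM:-platform}"                                     # placeholder
KC_CLIENT_ID="${KC_CLIENT_ID:-cluster-nodes}"                        # placeholder
KC_CLIENT_SECRET="${KC_CLIENT_SECRET:-PLACEHOLDER_READ_FROM_VAULT}"  # real value comes from Vault at provisioning time
ADMIN_GROUP="${ADMIN_GROUP:-cluster-admins}"                         # placeholder Keycloak group

# sssd.conf for a Keycloak IdP domain (sssd >= 2.11, options per sssd-idp(5));
# idp_type points at the realm's admin REST base, the endpoints at the realm's OIDC URLs.
render_sssd_conf() {  # $1 = destination directory
  local dst="$1/sssd.conf"
  cat > "$dst" <<EOF
[sssd]
services = nss, pam
domains = keycloak

[domain/keycloak]
id_provider = idp
auth_provider = idp
idp_type = keycloak:${KC_BASE}/admin/realms/${KC_REALM}
idp_client_id = ${KC_CLIENT_ID}
idp_client_secret = ${KC_CLIENT_SECRET}
idp_token_endpoint = ${KC_BASE}/realms/${KC_REALM}/protocol/openid-connect/token
idp_device_auth_endpoint = ${KC_BASE}/realms/${KC_REALM}/protocol/openid-connect/auth/device
idp_userinfo_endpoint = ${KC_BASE}/realms/${KC_REALM}/protocol/openid-connect/userinfo
# Only members of the admin group may log in to the node at all
access_provider = simple
simple_allow_groups = ${ADMIN_GROUP}
EOF
  chmod 0600 "$dst"   # the file holds the client secret: root read-only
}

# sudoers drop-in: the Keycloak group gets an explicit command list, never ALL
render_sudoers() {  # $1 = destination directory
  local dst="$1/50-keycloak-admins"
  printf '%%%s ALL=(root) /usr/bin/systemctl restart kubelet, /usr/bin/journalctl\n' \
    "$ADMIN_GROUP" > "$dst"
  chmod 0440 "$dst"
  # visudo -c also checks owner/mode, so run it only as root (the provisioning user)
  if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then visudo -cf "$dst"; fi
}

# On a node: render_sssd_conf /etc/sssd; render_sudoers /etc/sudoers.d;
# then `systemctl enable --now sssd` (the step SCC is expected to automate).
```

sshd must allow keyboard-interactive PAM authentication for the device-code prompt to reach the user, which is part of the SSH configuration SCC pushes.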
Edited Jul 01, 2025 by Thomas Monguillon