Add ability for external service authentication. The process below discusses how to install and authenticate with self-hosted keycloak OAuth2 endpoints.
config.yaml file for the Jupyterhub helm chart
Add the keycloak helm chart repo.
$ helm repo add codecentric https://codecentric.github.io/helm-charts
$ helm repo update
Install keycloak, specifying a httpPort different from the default of 80 (the jupyterhub service requires that the inbound port be port 80 or 443, otherwise it doesn't work correctly).
$ helm install keycloak codecentric/keycloak --set keycloak.service.httpPort=8080
Get the keycloak admin user password.
$ kubectl get secret --namespace default keycloak-http -o jsonpath="{.data.password}" | base64 --decode; echo
Forward the exposed keycloak port from service to k8s master.
$ kubectl port-forward -n default keycloak-0 8080:8080
Forward the port from the k8s master to your own host.
$ sudo ssh -L 8080:127.0.0.1:8080 -Nfl USERNAME HOSTNAME
where:
USERNAME is your username
HOSTNAME is the host name of the k8s master
Point the internal cluster hostname to loopback on your own host. This step is mandatory. From your browser, the location of the keycloak instance needs to be the same as the location from within the cluster network. Within the network, the service is accessed at keycloak-http.default.svc.cluster.local. Outside the network, without adding an entry to /etc/hosts, the location is only accessible from localhost.
Edit /etc/hosts
$ sudo vi /etc/hosts
adding a new entry:
127.0.0.1 keycloak-http.default.svc.cluster.local
Set up the keycloak instance:
Verify the user login works by opening this URL in your browser:
http://localhost:8080/auth/realms/jhub/account
Endpoints: http://localhost:9000/auth/realms/jhub/.well-known/openid-configuration
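The hostname requirement above can be checked against the realm's discovery document: every URL in it should use the one name that resolves both in the browser and inside the cluster. The Python below is an added example, not part of the original instructions; the function names and both sample documents are constructed, port 8080 is taken from the install step, and the localhost sample assumes Keycloak builds its URLs from the hostname of the request.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Hostname from the /etc/hosts step; port is the httpPort chosen at install.
EXPECTED_HOST = "keycloak-http.default.svc.cluster.local"
EXPECTED_PORT = 8080
KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
        "userinfo_endpoint", "jwks_uri")

def fetch_discovery(base, realm="jhub"):
    """Download the realm's discovery document (needs the port-forward up)."""
    url = f"{base}/auth/realms/{realm}/.well-known/openid-configuration"
    with urlopen(url, timeout=5) as resp:
        return json.load(resp)

def check_discovery(doc, host=EXPECTED_HOST, port=EXPECTED_PORT):
    """Return a list of problems; empty means all URLs use the shared name."""
    problems = []
    issuer = doc.get("issuer", "")
    for key in KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"{key}: missing")
            continue
        parts = urlsplit(value)
        default = 443 if parts.scheme == "https" else 80
        if (parts.hostname, parts.port or default) != (host, port):
            problems.append(f"{key}: {parts.netloc} is not {host}:{port}")
        elif key != "issuer" and not value.startswith(issuer + "/"):
            problems.append(f"{key}: not under issuer {issuer}")
    return problems

def sample(origin):
    """Constructed document shaped like Keycloak's output for realm jhub."""
    base = f"{origin}/auth/realms/jhub"
    oidc = f"{base}/protocol/openid-connect"
    return {"issuer": base, "authorization_endpoint": f"{oidc}/auth",
            "token_endpoint": f"{oidc}/token",
            "userinfo_endpoint": f"{oidc}/userinfo", "jwks_uri": f"{oidc}/certs"}

GOOD = sample("http://keycloak-http.default.svc.cluster.local:8080")
BAD = sample("http://localhost:8080")  # assumed result of browsing via localhost

if __name__ == "__main__":
    for name, doc in (("cluster name", GOOD), ("localhost", BAD)):
        print(name, check_discovery(doc) or "ok")
```

Against the running instance, pass the result of `fetch_discovery("http://keycloak-http.default.svc.cluster.local:8080")` to `check_discovery` once the port-forward and the /etc/hosts entry are in place.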