Console Initial Setup
Prerequisites
- Access to Keycloak Master Realm
- SSO has been set up for:
SSO setup for tools that are disabled is not required.
Keycloak
SmoothGlue can automatically configure this client and group out of the box. Please see the SmoothGlue auto-SSO feature. Skip to Create Console-Bot Admin User if not manually setting up the Keycloak client and group.
Create Keycloak Client
- In the `smoothglue` realm, click `Clients` under `Manage` in the left pane.
- Click `Create client`.
- Ensure the `Client type` is `OpenID Connect`.
- Enter a unique client name (e.g., `console`) for `Client ID`.
- Click on the `Next` button.
- Ensure `Client authentication` is toggled on, `Standard flow` is enabled, and `Direct access grants` is disabled.
- Click on the `Next` button.
- Set `Valid Redirect URIs` to `https://console.${DOMAIN}/login/generic_oauth`.
- Set `Valid post logout redirect URIs` to `https://console.${DOMAIN}`.
- Click on the `Save` button.
Configure Dedicated Mapper
- Go to the `console` client and click on the `Client scopes` tab.
- Click on the `console-dedicated` client scope.
- Click `Configure a new mapper`.
- Select `Group Membership`.
- Enter `console-group-membership-mapper` for `Name`.
- Enter `groups` for `Token Claim Name`.
- Click `Save`.
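The following check is an added example, not part of the SmoothGlue documentation: it audits a client exported from Keycloak as JSON against the client and mapper settings in the two procedures above. The sample export and the `example.test` domain are constructed; the field names are those of Keycloak's client representation.

```python
import json

# Constructed sample: a trimmed Keycloak client export for a deployment whose
# DOMAIN is example.test. Two settings deviate from the guide on purpose.
SAMPLE_EXPORT = json.loads("""
{
  "clientId": "console",
  "protocol": "openid-connect",
  "publicClient": false,
  "standardFlowEnabled": true,
  "directAccessGrantsEnabled": true,
  "redirectUris": ["https://console.example.test/*"],
  "attributes": {"post.logout.redirect.uris": "https://console.example.test"},
  "protocolMappers": [
    {"name": "console-group-membership-mapper",
     "protocolMapper": "oidc-group-membership-mapper", "config": {"claim.name": "groups"}}
  ]
}
""")

def audit_console_client(client, domain):
    """Return a list of deviations from the client settings in this guide."""
    findings = []
    if client.get("protocol") != "openid-connect":
        findings.append("Client type is not OpenID Connect")
    if client.get("publicClient", True):
        findings.append("Client authentication is off (public client)")
    if not client.get("standardFlowEnabled", False):
        findings.append("Standard flow is disabled")
    if client.get("directAccessGrantsEnabled", False):
        findings.append("Direct access grants is enabled")
    want_redirect = [f"https://console.{domain}/login/generic_oauth"]
    if client.get("redirectUris", []) != want_redirect:
        findings.append(f"Valid Redirect URIs should be exactly {want_redirect}")
    logout = client.get("attributes", {}).get("post.logout.redirect.uris", "")
    if logout.split("##") != [f"https://console.{domain}"]:  # "##" separates entries
        findings.append("Valid post logout redirect URIs do not match the guide")
    has_groups = any(
        m.get("protocolMapper") == "oidc-group-membership-mapper"
        and m.get("config", {}).get("claim.name") == "groups"
        for m in client.get("protocolMappers", [])
    )
    if not has_groups:
        findings.append("No Group Membership mapper with Token Claim Name 'groups'")
    return findings

if __name__ == "__main__":
    for finding in audit_console_client(SAMPLE_EXPORT, "example.test"):
        print("FINDING:", finding)
```

Run against the sample, it reports the enabled direct access grants and the wildcard redirect URI; an export that matches the guide produces no findings.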
Configure _structsureAdmins Group
Console assigns SmoothGlue admins configured in Console to the `_structsureAdmins` group in Keycloak. It is important that this group has the `realm-admin` role mapping so that admins can manage users in Keycloak via Console:
- In the `smoothglue` realm, click `Groups` in the left-hand panel.
- Select `_structsureAdmins`.
- Go to the `Role mapping` tab.
- Click `Assign role`.
- Ensure the drop-down filter in the top left is set to `Filter by clients`.
- Search for and enable the `realm-admin` role.
- Click `Assign`.
Configure Console for Keycloak
Console uses `authservice` to get a JSON Web Token (JWT) from Keycloak that contains info about the currently logged-in user. Console uses the permissions of the logged-in user to interact with Keycloak APIs to manage user accounts.
If Keycloak is using non-publicly trusted or self-signed certificates, Console will need to be configured with additional CAs in order for Console to talk to Keycloak.
The following is automatically configured when using the SmoothGlue auto-SSO feature.
Add the following to `bigbang-secrets.yaml`:
addons:
  authservice:
    chains:
      console:
        callback_uri: https://console.<DOMAIN>/login/generic_oauth
        match:
          header: :authority
          prefix: console.<DOMAIN>
        client_id: console # the client name created above
        client_secret: <client_secret> # retrieve the client secret from the client's `Credentials` tab in Keycloak
packages:
  console:
    values:
      backend:
        keycloak:
          realm: smoothglue
          host: keycloak.<DOMAIN> # this value can be omitted but is required when setting a custom subdomain for Keycloak.
          caBundle: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
Create Console-Bot Admin User
We recommend starting with an initial Keycloak bot-admin user with the `realm-admin` role that is responsible for downstream tool access tokens. This bot-admin will be used to set up access keys within tools that Console supports integrations for.
Do not log in to Console UI with this user. It is recommended to remove the password for `console-bot` in Keycloak to reduce the chances of downgrading permissions.
- In the `smoothglue` realm, click `Users` in the left-hand panel.
- Click `Add user`.
- Fill in the following information for the initial user:
  - Email verified: Enabled
  - Username: `console-bot`
  - Email: `console-bot@<your-domain>.com`
  - First name: `console`
  - Last name: `bot`
  - Groups: `_structsureAdmins`
- Click `Create`.
Set a password for the `console-bot` user:
- From the `smoothglue` realm, go to `Users` > `console-bot`.
- Go to the `Credentials` tab.
- Click `Set password`.
- Disable `Temporary`.
- Enter a password.
- Click `Save` and `Save password` to confirm.
Do not log in to Console UI with this user.
Configure Console Integrations
Console has integrations with the following tools for managing users and access to resources:
- GitLab
- Mattermost
- Jira
If Console is to be deployed without one or more of these tools, Console needs to be configured to disable the integration. The following is a `bigbang-values.yaml` example that could be used to disable any of the integrations:
packages:
  console:
    values:
      backend:
        mattermost:
          enabled: false
        gitlab:
          enabled: false
        jira:
          enabled: false
Failing to disable unused integrations can lead to initialization failures.
GitLab
Users are dynamically created upon logging in to GitLab, so the System Integrator needs to log in to GitLab as the `console-bot` user in order to create the user within GitLab.
After logging in as `console-bot`, log out of GitLab and log in as the default admin user for GitLab.
Assign admin privileges to the `console-bot` user:
- Go to the admin panel by clicking `Admin` near the bottom-left of the screen or by going to `https://{{GitLab_Hostname}}/admin`.
- Go to `Users`.
- Click `Edit` for the `console-bot` user.
- Change `Access level` to `Administrator`.
- Click `Save changes`.
Create Personal Access Token:
- Log in to GitLab as `console-bot`.
- Click the user icon in the top-left corner, and select `Preferences`.
- Click `Access Tokens` on the left-hand panel.
- Click `Add new token`:
  - Name: `console-bot-admin-integration`.
  - Set an appropriate expiration date for the environment. This token will need to be manually rotated.
  - Scopes: `api` and `admin_mode`.
  - Click `Create token`.
- Save the value for the token.
Removing or altering permissions in GitLab for `console-bot` after access tokens have been set could lead to unexpected issues.
To configure Console to use the access token, the following configuration should be placed into the `bigbang-secrets.yaml`:
packages:
  console:
    values:
      backend:
        gitlab:
          accessToken: '<Personal Access Token Value>'
          host: 'gitlab.<DOMAIN>' # this value can be omitted but is required when setting a custom subdomain for GitLab.
Jira
Users are dynamically created upon logging in to Jira, so the System Integrator needs to log in to Jira as the `console-bot` user before proceeding.
Assign admin privileges to the `console-bot` user:
- Log in to Jira with an admin-level account.
- Click on the `Settings` gear icon in the top-right corner.
- Click `User management`.
- Edit user groups for `console-bot` by clicking the kebab icon (3 vertical dots) to add the following groups: `jira-administrators`
Create Jira Personal Access Token:
- Log in to Jira as `console-bot`.
- Click the user icon in the top-right corner, and go to `Profile`.
- Click `Personal Access Tokens` in the left-hand panel.
- Click `Create token`:
  - Token name: `console-bot-admin-integration`.
  - Disable `Automatic expiry`.
- Click `Create`.
- Save token value.
Removing or altering permissions for `console-bot` in Jira after access tokens have been set could lead to unexpected issues.
To configure Console to use the access tokens, the following configuration should be placed into the `bigbang-secrets.yaml`:
packages:
  console:
    values:
      backend:
        jira:
          host: 'jira.<DOMAIN>' # this value can be omitted but is required when setting a custom subdomain for Jira.
          accessToken: '<Jira Access Token Value>'
        envs:
          JIRA_USERNAME: 'console-bot'
Mattermost
Users are dynamically created upon logging in to Mattermost, so the System Integrator needs to log in to Mattermost as the `console-bot` user before proceeding.
Enable Personal Access Tokens for Admins:
- Log in to Mattermost with an admin-level account.
- The user will be prompted to create a team. This can be named/configured to the user's preference.
- Click the 9 dot icon in the top-left corner (left of the Mattermost logo).
- Click `System Console`.
- Click `Integration Management` in the left-hand panel.
- Enable Personal Access Tokens: `True`.
- Click `Save`.
- Leave `System Console` by clicking `Back to <team name>`.
Enable Admin for `console-bot`:
- Log in using a Mattermost admin-level account.
- Click the 9 dot icon in the top-left corner (left of the Mattermost logo).
- Click `System Console`.
- Navigate to `User Management` -> `Users`.
- Find `console-bot`, and in the `Actions` column, select `Manage Roles` and set to `System Admin`.
- Click `Save`.
Create Personal Access Token:
- Log in to Mattermost as `console-bot`.
- Click the profile icon in the top-right corner.
- Click `Profile`.
- Click `Security`.
- Click `Edit` for `Personal Access Tokens`.
- Click `Create Token`:
  - Token Description: `console-bot-admin-integration`.
  - Click `Yes, Create`.
- Save `Access Token` value.
packages:
  console:
    values:
      backend:
        mattermost:
          host: 'chat.<DOMAIN>' # this value can be omitted but is required when setting a custom subdomain for Mattermost.
          accessToken: '<Mattermost Access Token Value>'
Removing or altering permissions in Mattermost for `console-bot` after access tokens have been set could lead to unexpected issues.
Create Admin User
Now that the `console-bot` user access tokens have been set up, the next step is to create the initial admin user that will serve as the first user in Console UI.
First, navigate to Keycloak and follow the same steps to set up an admin user in Keycloak:
This user will serve as the initial first admin and user within Console UI. The naming convention is up to the user; however, avoid the username `admin`, as it is reserved in some tools.
- In the `smoothglue` realm, click `Users` in the left-hand panel.
- Click `Add user`.
- Fill in the following information for the initial user:
  - Email verified: Enabled
  - Username: `<your-desired-admin-username>`
  - Email: `<your-desired-admin-username>@<your-domain>.com`
  - First name: `<your-desired-admin-first-name>`
  - Last name: `<your-desired-admin-last-name>`
  - Groups: `_structsureAdmins`
- Click `Create`.
Set a password for the admin user:
- From the `smoothglue` realm, go to `Users` > `your-desired-admin-username`.
- Go to the `Credentials` tab.
- Click `Set password`.
- Disable `Temporary`.
- Enter a password.
- Click `Save` and `Save password` to confirm.
Adopt User and Promote to Admin
Now that the user account has been created in Keycloak, we can log in to Console UI and it will be adopted by the system.
- Navigate to Console UI and log in using `your-desired-admin-username` and the password set up in Keycloak.
- Once successfully logged in, the user will exist in Console but not have admin privileges.
- Get the `console-backend` pod name from the cluster: `kubectl get pod -n console | grep "console-backend"`.
- Get a shell on the backend pod: `kubectl exec -it <console-backend-pod-name> -n console -- sh`.
- Promote the user to platform admin by using the `create_platform_admin` script.
  - Enter `django-admin create_platform_admin`.
  - When prompted, enter the username for `<your-desired-admin-username>` that was created in Keycloak.
  - Console UI should update automatically, but the session might require a refresh and/or a relogin, using the same credentials.
- Once the user is updated, at the top right of the screen where the username is located, there should be a drop-down that will have an option to toggle between admin and user mode. Select the `Admin Panel` view.
- Navigate to the `Users` view on Console UI.
- Repair the initial admin user created for Console use.
Note: Repairing a user in Console UI will create the user in the following downstream tools:
- GitLab
- Mattermost
- Jira
Upon successful repair, the user will be fully set up.
To learn more about Console's capabilities, continue reading our Introduction to SmoothGlue Console.
More information on available configuration options and technical descriptions of Console actions can be found in the Console Technical Manual.