Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 7. Configuring identity providers
7.1. Configuring an htpasswd identity provider
Configure the
htpasswdTo define an htpasswd identity provider, perform the following tasks:
-
Create an
htpasswdfile to store the user and password information. -
Create a secret to represent the file.
htpasswd - Define an htpasswd identity provider resource that references the secret.
- Apply the resource to the default OAuth configuration to add the identity provider.
7.1.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.1.2. About htpasswd authentication
Using htpasswd authentication in OpenShift Container Platform allows you to identify users based on an htpasswd file. An htpasswd file is a flat file that contains the user name and hashed password for each user. You can use the
htpasswd7.1.3. Creating the htpasswd file
See one of the following sections for instructions about how to create the htpasswd file:
7.1.3.1. Creating an htpasswd file using Linux
To use the htpasswd identity provider, you must generate a flat file that contains the user names and passwords for your cluster by using htpasswd.
Prerequisites
-
Have access to the utility. On Red Hat Enterprise Linux this is available by installing the
htpasswdpackage.httpd-tools
Procedure
Create or update your flat file with a user name and hashed password:
$ htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>The command generates a hashed version of the password.
For example:
$ htpasswd -c -B -b users.htpasswd user1 MyPassword!Example output
Adding password for user user1Continue to add or update credentials to the file:
$ htpasswd -B -b </path/to/users.htpasswd> <user_name> <password>
7.1.3.2. Creating an htpasswd file using Windows
To use the htpasswd identity provider, you must generate a flat file that contains the user names and passwords for your cluster by using htpasswd.
Prerequisites
-
Have access to . This file is included in the
htpasswd.exedirectory of many Apache httpd distributions.\bin
Procedure
Create or update your flat file with a user name and hashed password:
> htpasswd.exe -c -B -b <\path\to\users.htpasswd> <user_name> <password>The command generates a hashed version of the password.
For example:
> htpasswd.exe -c -B -b users.htpasswd user1 MyPassword!Example output
Adding password for user user1Continue to add or update credentials to the file:
> htpasswd.exe -b <\path\to\users.htpasswd> <user_name> <password>
7.1.4. Creating the htpasswd secret
To use the htpasswd identity provider, you must define a secret that contains the htpasswd user file.
Prerequisites
- Create an htpasswd file.
Procedure
Create a
object that contains the htpasswd users file:Secret$ oc create secret generic htpass-secret --from-file=htpasswd=<path_to_users.htpasswd> -n openshift-config1 - 1
- The secret key containing the users file for the
--from-fileargument must be namedhtpasswd, as shown in the above command.
TipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: htpass-secret namespace: openshift-config type: Opaque data: htpasswd: <base64_encoded_htpasswd_file_contents>
7.1.5. Sample htpasswd CR
The following custom resource (CR) shows the parameters and acceptable values for an htpasswd identity provider.
htpasswd CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: my_htpasswd_provider
mappingMethod: claim
type: HTPasswd
htpasswd:
fileData:
name: htpass-secret 7.1.6. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyLog in to the cluster as a user from your identity provider, entering the password when prompted.
$ oc login -u <username>Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.1.7. Updating users for an htpasswd identity provider
You can add or remove users from an existing htpasswd identity provider.
Prerequisites
-
You have created a object that contains the htpasswd user file. This procedure assumes that it is named
Secret.htpass-secret -
You have configured an htpasswd identity provider. This procedure assumes that it is named .
my_htpasswd_provider -
You have access to the utility. On Red Hat Enterprise Linux this is available by installing the
htpasswdpackage.httpd-tools - You have cluster administrator privileges.
Procedure
Retrieve the htpasswd file from the
htpass-secretobject and save the file to your file system:Secret$ oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > users.htpasswdAdd or remove users from the
file.users.htpasswdTo add a new user:
$ htpasswd -bB users.htpasswd <username> <password>Example output
Adding password for user <username>To remove an existing user:
$ htpasswd -D users.htpasswd <username>Example output
Deleting password for user <username>
Replace the
htpass-secretobject with the updated users in theSecretfile:users.htpasswd$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -TipYou can alternatively apply the following YAML to replace the secret:
apiVersion: v1 kind: Secret metadata: name: htpass-secret namespace: openshift-config type: Opaque data: htpasswd: <base64_encoded_htpasswd_file_contents>If you removed one or more users, you must additionally remove existing resources for each user.
Delete the
object:User$ oc delete user <username>Example output
user.user.openshift.io "<username>" deletedBe sure to remove the user, otherwise the user can continue using their token as long as it has not expired.
Delete the
object for the user:Identity$ oc delete identity my_htpasswd_provider:<username>Example output
identity.user.openshift.io "my_htpasswd_provider:<username>" deleted
7.1.8. Configuring identity providers using the web console
Configure your identity provider (IDP) through the web console instead of the CLI.
Prerequisites
- You must be logged in to the web console as a cluster administrator.
Procedure
-
Navigate to Administration
Cluster Settings. - Under the Global Configuration tab, click OAuth.
- Under the Identity Providers section, select your identity provider from the Add drop-down menu.
You can specify multiple IDPs through the web console without overwriting existing IDPs.
7.2. Configuring a Keystone identity provider
Configure the
keystone7.2.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.2.2. About Keystone authentication
Keystone is an OpenStack project that provides identity, token, catalog, and policy services.
You can configure the integration with Keystone so that the new OpenShift Container Platform users are based on either the Keystone user names or unique Keystone IDs. With both methods, users log in by entering their Keystone user name and password. Basing the OpenShift Container Platform users on the Keystone ID is more secure because if you delete a Keystone user and create a new Keystone user with that user name, the new user might have access to the old user’s resources.
7.2.3. Creating the secret
Identity providers use OpenShift Container Platform
Secretopenshift-configProcedure
Create a
object that contains the key and certificate by using the following command:Secret$ oc create secret tls <secret_name> --key=key.pem --cert=cert.pem -n openshift-configTipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: <secret_name> namespace: openshift-config type: kubernetes.io/tls data: tls.crt: <base64_encoded_cert> tls.key: <base64_encoded_key>
7.2.4. Creating a config map
Identity providers use OpenShift Container Platform
ConfigMapopenshift-configProcedure
Define an OpenShift Container Platform
object containing the certificate authority by using the following command. The certificate authority must be stored in theConfigMapkey of theca.crtobject.ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-configTipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>
7.2.5. Sample Keystone CR
The following custom resource (CR) shows the parameters and acceptable values for a Keystone identity provider.
Keystone CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: keystoneidp
mappingMethod: claim
type: Keystone
keystone:
domainName: default
url: https://keystone.example.com:5000
ca:
name: ca-config-map
tlsClientCert:
name: client-cert-secret
tlsClientKey:
name: client-key-secret- 1
- This provider name is prefixed to provider user names to form an identity name.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- Keystone domain name. In Keystone, usernames are domain-specific. Only a single domain is supported.
- 4
- The URL to use to connect to the Keystone server (required). This must use https.
- 5
- Optional: Reference to an OpenShift Container Platform
ConfigMapobject containing the PEM-encoded certificate authority bundle to use in validating server certificates for the configured URL. - 6
- Optional: Reference to an OpenShift Container Platform
Secretobject containing the client certificate to present when making requests to the configured URL. - 7
- Reference to an OpenShift Container Platform
Secretobject containing the key for the client certificate. Required iftlsClientCertis specified.
7.2.6. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyLog in to the cluster as a user from your identity provider, entering the password when prompted.
$ oc login -u <username>Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.3. Configuring an LDAP identity provider
Configure the
ldap7.3.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.3.2. About LDAP authentication
During authentication, the LDAP directory is searched for an entry that matches the provided user name. If a single unique match is found, a simple bind is attempted using the distinguished name (DN) of the entry plus the provided password.
These are the steps taken:
-
Generate a search filter by combining the attribute and filter in the configured with the user-provided user name.
url - Search the directory using the generated filter. If the search does not return exactly one entry, deny access.
- Attempt to bind to the LDAP server using the DN of the entry retrieved from the search, and the user-provided password.
- If the bind is unsuccessful, deny access.
- If the bind is successful, build an identity using the configured attributes as the identity, email address, display name, and preferred user name.
The configured
urlldap://host:port/basedn?attribute?scope?filterFor this URL:
| URL component | Description |
|---|---|
|
| For regular LDAP, use the string |
|
| The name and port of the LDAP server. Defaults to |
|
| The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but it could also specify a subtree in the directory. |
|
| The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use |
|
| The scope of the search. Can be either |
|
| A valid LDAP search filter. If not provided, defaults to |
When doing searches, the attribute, filter, and provided user name are combined to create a search filter that looks like:
(&(<filter>)(<attribute>=<username>))For example, consider a URL of:
ldap://ldap.example.com/o=Acme?cn?sub?(enabled=true)When a client attempts to connect using a user name of
bob(&(enabled=true)(cn=bob))If the LDAP directory requires authentication to search, specify a
bindDNbindPassword7.3.3. Creating the LDAP secret
To use the identity provider, you must define an OpenShift Container Platform
SecretbindPasswordProcedure
Create a
object that contains theSecretfield:bindPassword$ oc create secret generic ldap-secret --from-literal=bindPassword=<secret> -n openshift-config1 - 1
- The secret key containing the bindPassword for the
--from-literalargument must be calledbindPassword.
TipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: ldap-secret namespace: openshift-config type: Opaque data: bindPassword: <base64_encoded_bind_password>
7.3.4. Creating a config map
Identity providers use OpenShift Container Platform
ConfigMapopenshift-configProcedure
Define an OpenShift Container Platform
object containing the certificate authority by using the following command. The certificate authority must be stored in theConfigMapkey of theca.crtobject.ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-configTipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>
7.3.5. Sample LDAP CR
The following custom resource (CR) shows the parameters and acceptable values for an LDAP identity provider.
LDAP CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: ldapidp
mappingMethod: claim
type: LDAP
ldap:
attributes:
id:
- dn
email:
- mail
name:
- cn
preferredUsername:
- uid
bindDN: ""
bindPassword:
name: ldap-secret
ca:
name: ca-config-map
insecure: false
url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid" - 1
- This provider name is prefixed to the returned user ID to form an identity name.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- List of attributes to use as the identity. First non-empty attribute is used. At least one attribute is required. If none of the listed attribute have a value, authentication fails. Defined attributes are retrieved as raw, allowing for binary values to be used.
- 4
- List of attributes to use as the email address. First non-empty attribute is used.
- 5
- List of attributes to use as the display name. First non-empty attribute is used.
- 6
- List of attributes to use as the preferred user name when provisioning a user for this identity. First non-empty attribute is used.
- 7
- Optional DN to use to bind during the search phase. Must be set if
bindPasswordis defined. - 8
- Optional reference to an OpenShift Container Platform
Secretobject containing the bind password. Must be set ifbindDNis defined. - 9
- Optional: Reference to an OpenShift Container Platform
ConfigMapobject containing the PEM-encoded certificate authority bundle to use in validating server certificates for the configured URL. Only used wheninsecureisfalse. - 10
- When
true, no TLS connection is made to the server. Whenfalse,ldaps://URLs connect using TLS, andldap://URLs are upgraded to TLS. This must be set tofalsewhenldaps://URLs are in use, as these URLs always attempt to connect using TLS. - 11
- An RFC 2255 URL which specifies the LDAP host and search parameters to use.
To whitelist users for an LDAP integration, use the
lookupIdentityUser7.3.6. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyLog in to the cluster as a user from your identity provider, entering the password when prompted.
$ oc login -u <username>Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.4. Configuring a basic authentication identity provider
Configure the
basic-authentication7.4.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.4.2. About basic authentication
Basic authentication is a generic back-end integration mechanism that allows users to log in to OpenShift Container Platform with credentials validated against a remote identity provider.
Because basic authentication is generic, you can use this identity provider for advanced authentication configurations.
Basic authentication must use an HTTPS connection to the remote server to prevent potential snooping of the user ID and password and man-in-the-middle attacks.
With basic authentication configured, users send their user name and password to OpenShift Container Platform, which then validates those credentials against a remote server by making a server-to-server request, passing the credentials as a basic authentication header. This requires users to send their credentials to OpenShift Container Platform during login.
This only works for user name/password login mechanisms, and OpenShift Container Platform must be able to make network requests to the remote authentication server.
User names and passwords are validated against a remote URL that is protected by basic authentication and returns JSON.
A
401A non-
200{"error":"Error message"}A
200sub{"sub":"userid"} - 1
- The subject must be unique to the authenticated user and must not be able to be modified.
A successful response can optionally provide additional data, such as:
A display name using the
key. For example:name{"sub":"userid", "name": "User Name", ...}An email address using the
key. For example:email{"sub":"userid", "email":"user@example.com", ...}A preferred user name using the
key. This is useful when the unique, unchangeable subject is a database key or UID, and a more human-readable name exists. This is used as a hint when provisioning the OpenShift Container Platform user for the authenticated identity. For example:preferred_username{"sub":"014fbff9a07c", "preferred_username":"bob", ...}
7.4.3. Creating the secret
Identity providers use OpenShift Container Platform
Secretopenshift-configProcedure
Create a
object that contains the key and certificate by using the following command:Secret$ oc create secret tls <secret_name> --key=key.pem --cert=cert.pem -n openshift-configTipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: <secret_name> namespace: openshift-config type: kubernetes.io/tls data: tls.crt: <base64_encoded_cert> tls.key: <base64_encoded_key>
7.4.4. Creating a config map
Identity providers use OpenShift Container Platform
ConfigMapopenshift-configProcedure
Define an OpenShift Container Platform
object containing the certificate authority by using the following command. The certificate authority must be stored in theConfigMapkey of theca.crtobject.ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-configTipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>
7.4.5. Sample basic authentication CR
The following custom resource (CR) shows the parameters and acceptable values for a basic authentication identity provider.
Basic authentication CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: basicidp
mappingMethod: claim
type: BasicAuth
basicAuth:
url: https://www.example.com/remote-idp
ca:
name: ca-config-map
tlsClientCert:
name: client-cert-secret
tlsClientKey:
name: client-key-secret- 1
- This provider name is prefixed to the returned user ID to form an identity name.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- URL accepting credentials in Basic authentication headers.
- 4
- Optional: Reference to an OpenShift Container Platform
ConfigMapobject containing the PEM-encoded certificate authority bundle to use in validating server certificates for the configured URL. - 5
- Optional: Reference to an OpenShift Container Platform
Secretobject containing the client certificate to present when making requests to the configured URL. - 6
- Reference to an OpenShift Container Platform
Secretobject containing the key for the client certificate. Required iftlsClientCertis specified.
7.4.6. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyLog in to the cluster as a user from your identity provider, entering the password when prompted.
$ oc login -u <username>Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.4.7. Example Apache HTTPD configuration for basic identity providers
The basic identify provider (IDP) configuration in OpenShift Container Platform 4 requires that the IDP server respond with JSON for success and failures. You can use CGI scripting in Apache HTTPD to accomplish this. This section provides examples.
Example /etc/httpd/conf.d/login.conf
<VirtualHost *:443>
# CGI Scripts in here
DocumentRoot /var/www/cgi-bin
# SSL Directives
SSLEngine on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Configure HTTPD to execute scripts
ScriptAlias /basic /var/www/cgi-bin
# Handles a failed login attempt
ErrorDocument 401 /basic/fail.cgi
# Handles authentication
<Location /basic/login.cgi>
AuthType Basic
AuthName "Please Log In"
AuthBasicProvider file
AuthUserFile /etc/httpd/conf/passwords
Require valid-user
</Location>
</VirtualHost>Example /var/www/cgi-bin/login.cgi
#!/bin/bash
echo "Content-Type: application/json"
echo ""
echo '{"sub":"userid", "name":"'$REMOTE_USER'"}'
exit 0Example /var/www/cgi-bin/fail.cgi
#!/bin/bash
echo "Content-Type: application/json"
echo ""
echo '{"error": "Login failure"}'
exit 07.4.7.1. File requirements
These are the requirements for the files you create on an Apache HTTPD web server:
-
and
login.cgimust be executable (fail.cgi).chmod +x -
and
login.cgimust have proper SELinux contexts if SELinux is enabled:fail.cgi, or ensure that the context isrestorecon -RFv /var/www/cgi-binusinghttpd_sys_script_exec_t.ls -laZ -
is only executed if your user successfully logs in per
login.cgidirectives.Require and Auth -
is executed if the user fails to log in, resulting in an
fail.cgiresponse.HTTP 401
7.4.8. Basic authentication troubleshooting
The most common issue relates to network connectivity to the backend server. For simple debugging, run
curl<user><password>$ curl --cacert /path/to/ca.crt --cert /path/to/client.crt --key /path/to/client.key -u <user>:<password> -v https://www.example.com/remote-idpSuccessful responses
A
200sub{"sub":"userid"}The subject must be unique to the authenticated user, and must not be able to be modified.
A successful response can optionally provide additional data, such as:
A display name using the
key:name{"sub":"userid", "name": "User Name", ...}An email address using the
key:email{"sub":"userid", "email":"user@example.com", ...}A preferred user name using the
key:preferred_username{"sub":"014fbff9a07c", "preferred_username":"bob", ...}The
key is useful when the unique, unchangeable subject is a database key or UID, and a more human-readable name exists. This is used as a hint when provisioning the OpenShift Container Platform user for the authenticated identity.preferred_username
Failed responses
-
A response indicates failed authentication.
401 -
A non-status or the presence of a non-empty "error" key indicates an error:
200{"error":"Error message"}
7.5. Configuring a request header identity provider
Configure the
request-headerX-Remote-User7.5.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.5.2. About request header authentication
A request header identity provider identifies users from request header values, such as
X-Remote-UserYou can also use the request header identity provider for advanced configurations such as the community-supported SAML authentication. Note that this solution is not supported by Red Hat.
For users to authenticate using this identity provider, they must access
https://<namespace_route>/oauth/authorizehttps://<namespace_route>/oauth/authorizeTo redirect unauthenticated requests from clients expecting browser-based login flows:
-
Set the parameter to the authenticating proxy URL that will authenticate interactive clients and then proxy the request to
provider.loginURL.https://<namespace_route>/oauth/authorize
To redirect unauthenticated requests from clients expecting
WWW-Authenticate-
Set the parameter to the authenticating proxy URL that will authenticate clients expecting
provider.challengeURLchallenges and then proxy the request toWWW-Authenticate.https://<namespace_route>/oauth/authorize
The
provider.challengeURLprovider.loginURL- is replaced with the current URL, escaped to be safe in a query parameter.
${url}For example:
https://www.example.com/sso-login?then=${url} - is replaced with the current query string, unescaped.
${query}For example:
https://www.example.com/auth-proxy/oauth/authorize?${query}
As of OpenShift Container Platform 4.1, your proxy must support mutual TLS.
7.5.2.1. SSPI connection support on Microsoft Windows
Using SSPI connection support on Microsoft Windows is a Technology Preview feature. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information on Red Hat Technology Preview features support scope, see https://access.redhat.com/support/offerings/techpreview/.
The OpenShift CLI (
ococ7.5.3. Creating a config map
Identity providers use OpenShift Container Platform
ConfigMapopenshift-configProcedure
Define an OpenShift Container Platform
object containing the certificate authority by using the following command. The certificate authority must be stored in theConfigMapkey of theca.crtobject.ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-configTipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>
7.5.4. Sample request header CR
The following custom resource (CR) shows the parameters and acceptable values for a request header identity provider.
Request header CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: requestheaderidp
mappingMethod: claim
type: RequestHeader
requestHeader:
challengeURL: "https://www.example.com/challenging-proxy/oauth/authorize?${query}"
loginURL: "https://www.example.com/login-proxy/oauth/authorize?${query}"
ca:
name: ca-config-map
clientCommonNames:
- my-auth-proxy
headers:
- X-Remote-User
- SSO-User
emailHeaders:
- X-Remote-User-Email
nameHeaders:
- X-Remote-User-Display-Name
preferredUsernameHeaders:
- X-Remote-User-Login- 1
- This provider name is prefixed to the user name in the request header to form an identity name.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- Optional: URL to redirect unauthenticated
/oauth/authorizerequests to, that will authenticate browser-based clients and then proxy their request tohttps://<namespace_route>/oauth/authorize. The URL that proxies tohttps://<namespace_route>/oauth/authorizemust end with/authorize(with no trailing slash), and also proxy subpaths, in order for OAuth approval flows to work properly.${url}is replaced with the current URL, escaped to be safe in a query parameter.${query}is replaced with the current query string. If this attribute is not defined, thenloginURLmust be used. - 4
- Optional: URL to redirect unauthenticated
/oauth/authorizerequests to, that will authenticate clients which expectWWW-Authenticatechallenges, and then proxy them tohttps://<namespace_route>/oauth/authorize.${url}is replaced with the current URL, escaped to be safe in a query parameter.${query}is replaced with the current query string. If this attribute is not defined, thenchallengeURLmust be used. - 5
- Reference to an OpenShift Container Platform
ConfigMapobject containing a PEM-encoded certificate bundle. Used as a trust anchor to validate the TLS certificates presented by the remote server.ImportantAs of OpenShift Container Platform 4.1, the
field is required for this identity provider. This means that your proxy must support mutual TLS.ca - 6
- Optional: list of common names (
cn). If set, a valid client certificate with a Common Name (cn) in the specified list must be presented before the request headers are checked for user names. If empty, any Common Name is allowed. Can only be used in combination withca. - 7
- Header names to check, in order, for the user identity. The first header containing a value is used as the identity. Required, case-insensitive.
- 8
- Header names to check, in order, for an email address. The first header containing a value is used as the email address. Optional, case-insensitive.
- 9
- Header names to check, in order, for a display name. The first header containing a value is used as the display name. Optional, case-insensitive.
- 10
- Header names to check, in order, for a preferred user name, if different than the immutable identity determined from the headers specified in
headers. The first header containing a value is used as the preferred user name when provisioning. Optional, case-insensitive.
7.5.5. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyLog in to the cluster as a user from your identity provider, entering the password when prompted.
$ oc login -u <username>Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.5.6. Example Apache authentication configuration using request header
This example configures an Apache authentication proxy for the OpenShift Container Platform using the request header identity provider.
Custom proxy configuration
Using the
mod_auth_gssapi-
Block the header from client requests to prevent spoofing.
X-Remote-User -
Enforce client certificate authentication in the configuration.
RequestHeaderIdentityProvider -
Require the header be set for all authentication requests using the challenge flow.
X-Csrf-Token -
Make sure only the endpoint and its subpaths are proxied; redirects must be rewritten to allow the backend server to send the client to the correct location.
/oauth/authorize -
The URL that proxies to must end with
https://<namespace_route>/oauth/authorizewith no trailing slash. For example,/authorizemust proxy tohttps://proxy.example.com/login-proxy/authorize?….https://<namespace_route>/oauth/authorize?… -
Subpaths of the URL that proxies to must proxy to subpaths of
https://<namespace_route>/oauth/authorize. For example,https://<namespace_route>/oauth/authorizemust proxy tohttps://proxy.example.com/login-proxy/authorize/approve?….https://<namespace_route>/oauth/authorize/approve?…
The
https://<namespace_route>oc get route -n openshift-authenticationConfiguring Apache authentication using request header
This example uses the
mod_auth_gssapiPrerequisites
Obtain the
module from the Optional channel. You must have the following packages installed on your local machine:mod_auth_gssapi-
httpd -
mod_ssl -
mod_session -
apr-util-openssl -
mod_auth_gssapi
-
Generate a CA for validating requests that submit the trusted header. Define an OpenShift Container Platform
object containing the CA. This is done by running:ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-config1 - 1
- The CA must be stored in the
ca.crtkey of theConfigMapobject.
TipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>- Generate a client certificate for the proxy. You can generate this certificate by using any x509 certificate tooling. The client certificate must be signed by the CA you generated for validating requests that submit the trusted header.
- Create the custom resource (CR) for your identity providers.
Procedure
This proxy uses a client certificate to connect to the OAuth server, which is configured to trust the
X-Remote-User-
Create the certificate for the Apache configuration. The certificate that you specify as the parameter value is the proxy’s client certificate that is used to authenticate the proxy to the server. It must use
SSLProxyMachineCertificateFileas the extended key type.TLS Web Client Authentication Create the Apache configuration. Use the following template to provide your required settings and values:
ImportantCarefully review the template and customize its contents to fit your environment.
LoadModule request_module modules/mod_request.so LoadModule auth_gssapi_module modules/mod_auth_gssapi.so # Some Apache configurations might require these modules. # LoadModule auth_form_module modules/mod_auth_form.so # LoadModule session_module modules/mod_session.so # Nothing needs to be served over HTTP. This virtual host simply redirects to # HTTPS. <VirtualHost *:80> DocumentRoot /var/www/html RewriteEngine On RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L] </VirtualHost> <VirtualHost *:443> # This needs to match the certificates you generated. See the CN and X509v3 # Subject Alternative Name in the output of: # openssl x509 -text -in /etc/pki/tls/certs/localhost.crt ServerName www.example.com DocumentRoot /var/www/html SSLEngine on SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key SSLCACertificateFile /etc/pki/CA/certs/ca.crt SSLProxyEngine on SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt # It is critical to enforce client certificates. Otherwise, requests can # spoof the X-Remote-User header by accessing the /oauth/authorize endpoint # directly. SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem # To use the challenging-proxy, an X-Csrf-Token must be present. RewriteCond %{REQUEST_URI} ^/challenging-proxy RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC] RewriteRule ^.* - [F,L] <Location /challenging-proxy/oauth/authorize> # Insert your backend server name/ip here. ProxyPass https://<namespace_route>/oauth/authorize AuthName "SSO Login" # For Kerberos AuthType GSSAPI Require valid-user RequestHeader set X-Remote-User %{REMOTE_USER}s GssapiCredStore keytab:/etc/httpd/protected/auth-proxy.keytab # Enable the following if you want to allow users to fallback # to password based authentication when they do not have a client # configured to perform kerberos authentication. GssapiBasicAuth On # For ldap: # AuthBasicProvider ldap # AuthLDAPURL "ldap://ldap.example.com:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)" </Location> <Location /login-proxy/oauth/authorize> # Insert your backend server name/ip here. ProxyPass https://<namespace_route>/oauth/authorize AuthName "SSO Login" AuthType GSSAPI Require valid-user RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER GssapiCredStore keytab:/etc/httpd/protected/auth-proxy.keytab # Enable the following if you want to allow users to fallback # to password based authentication when they do not have a client # configured to perform kerberos authentication. GssapiBasicAuth On ErrorDocument 401 /login.html </Location> </VirtualHost> RequestHeader unset X-Remote-UserNoteThe
address is the route to the OAuth server and can be obtained by runninghttps://<namespace_route>.oc get route -n openshift-authenticationUpdate the
stanza in the custom resource (CR):identityProvidersidentityProviders: - name: requestheaderidp type: RequestHeader requestHeader: challengeURL: "https://<namespace_route>/challenging-proxy/oauth/authorize?${query}" loginURL: "https://<namespace_route>/login-proxy/oauth/authorize?${query}" ca: name: ca-config-map clientCommonNames: - my-auth-proxy headers: - X-Remote-UserVerify the configuration.
Confirm that you can bypass the proxy by requesting a token by supplying the correct client certificate and header:
# curl -L -k -H "X-Remote-User: joe" \ --cert /etc/pki/tls/certs/authproxy.pem \ https://<namespace_route>/oauth/token/requestConfirm that requests that do not supply the client certificate fail by requesting a token without the certificate:
# curl -L -k -H "X-Remote-User: joe" \ https://<namespace_route>/oauth/token/requestConfirm that the
redirect is active:challengeURL# curl -k -v -H 'X-Csrf-Token: 1' \ https://<namespace_route>/oauth/authorize?client_id=openshift-challenging-client&response_type=tokenCopy the
redirect to use in the next step.challengeURLRun this command to show a
response with a401basic challenge, a negotiate challenge, or both challenges:WWW-Authenticate# curl -k -v -H 'X-Csrf-Token: 1' \ <challengeURL_redirect + query>Test logging in to the OpenShift CLI (
) with and without using a Kerberos ticket:ocIf you generated a Kerberos ticket by using
, destroy it:kinit# kdestroy -c cache_name1 - 1
- Make sure to provide the name of your Kerberos cache.
Log in to the
tool by using your Kerberos credentials:oc# oc login -u <username>Enter your Kerberos password at the prompt.
Log out of the
tool:oc# oc logoutUse your Kerberos credentials to get a ticket:
# kinitEnter your Kerberos user name and password at the prompt.
Confirm that you can log in to the
tool:oc# oc loginIf your configuration is correct, you are logged in without entering separate credentials.
7.6. Configuring a GitHub or GitHub Enterprise identity provider
Configure the
githubYou can use the GitHub integration to connect to either GitHub or GitHub Enterprise. For GitHub Enterprise integrations, you must provide the
hostnamecaThe following steps apply to both GitHub and GitHub Enterprise unless noted.
7.6.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.6.2. About GitHub authentication
Configuring GitHub authentication allows users to log in to OpenShift Container Platform with their GitHub credentials. To prevent anyone with any GitHub user ID from logging in to your OpenShift Container Platform cluster, you can restrict access to only those in specific GitHub organizations.
7.6.3. Registering a GitHub application
To use GitHub or GitHub Enterprise as an identity provider, you must register an application to use.
Procedure
Register an application on GitHub:
-
For GitHub, click Settings
Developer settings OAuth Apps Register a new OAuth application. -
For GitHub Enterprise, go to your GitHub Enterprise home page and then click Settings
Developer settings Register a new application.
-
For GitHub, click Settings
-
Enter an application name, for example .
My OpenShift Install -
Enter a homepage URL, such as .
https://oauth-openshift.apps.<cluster-name>.<cluster-domain> - Optional: Enter an application description.
Enter the authorization callback URL, where the end of the URL contains the identity provider
:namehttps://oauth-openshift.apps.<cluster-name>.<cluster-domain>/oauth2callback/<idp-provider-name>For example:
https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/github- Click Register application. GitHub provides a client ID and a client secret. You need these values to complete the identity provider configuration.
7.6.4. Creating the secret
Identity providers use OpenShift Container Platform
Secretopenshift-configProcedure
Create a
object containing a string by using the following command:Secret$ oc create secret generic <secret_name> --from-literal=clientSecret=<secret> -n openshift-configTipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: <secret_name> namespace: openshift-config type: Opaque data: clientSecret: <base64_encoded_client_secret>You can define a
object containing the contents of a file, such as a certificate file, by using the following command:Secret$ oc create secret generic <secret_name> --from-file=<path_to_file> -n openshift-config
7.6.5. Creating a config map
Identity providers use OpenShift Container Platform
ConfigMapopenshift-configThis procedure is only required for GitHub Enterprise.
Procedure
Define an OpenShift Container Platform
object containing the certificate authority by using the following command. The certificate authority must be stored in theConfigMapkey of theca.crtobject.ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-configTipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>
7.6.6. Sample GitHub CR
The following custom resource (CR) shows the parameters and acceptable values for a GitHub identity provider.
GitHub CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: githubidp
mappingMethod: claim
type: GitHub
github:
ca:
name: ca-config-map
clientID: {...}
clientSecret:
name: github-secret
hostname: ...
organizations:
- myorganization1
- myorganization2
teams:
- myorganization1/team-a
- myorganization2/team-b- 1
- This provider name is prefixed to the GitHub numeric user ID to form an identity name. It is also used to build the callback URL.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- Optional: Reference to an OpenShift Container Platform
ConfigMapobject containing the PEM-encoded certificate authority bundle to use in validating server certificates for the configured URL. Only for use in GitHub Enterprise with a non-publicly trusted root certificate. - 4
- The client ID of a registered GitHub OAuth application. The application must be configured with a callback URL of
https://oauth-openshift.apps.<cluster-name>.<cluster-domain>/oauth2callback/<idp-provider-name>. - 5
- Reference to an OpenShift Container Platform
Secretobject containing the client secret issued by GitHub. - 6
- For GitHub Enterprise, you must provide the hostname of your instance, such as
example.com. This value must match the GitHub Enterprisehostnamevalue in in the/setup/settingsfile and cannot include a port number. If this value is not set, then eitherteamsororganizationsmust be defined. For GitHub, omit this parameter. - 7
- The list of organizations. Either the
organizationsorteamsfield must be set unless thehostnamefield is set, or ifmappingMethodis set tolookup. Cannot be used in combination with theteamsfield. - 8
- The list of teams. Either the
teamsororganizationsfield must be set unless thehostnamefield is set, or ifmappingMethodis set tolookup. Cannot be used in combination with theorganizationsfield.
If
organizationsteamsclientID7.6.7. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyObtain a token from the OAuth server.
As long as the
user has been removed, thekubeadmincommand provides instructions on how to access a web page where you can retrieve the token.oc loginYou can also access this page from the web console by navigating to (?) Help
Command Line Tools Copy Login Command. Log in to the cluster, passing in the token to authenticate.
$ oc login --token=<token>NoteThis identity provider does not support logging in with a user name and password.
Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.7. Configuring a GitLab identity provider
Configure the
gitlab7.7.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.7.2. About GitLab authentication
Configuring GitLab authentication allows users to log in to OpenShift Container Platform with their GitLab credentials.
If you use GitLab version 7.7.0 to 11.0, you connect using the OAuth integration. If you use GitLab version 11.1 or later, you can use OpenID Connect (OIDC) to connect instead of OAuth.
7.7.3. Creating the secret
Identity providers use OpenShift Container Platform
Secretopenshift-configProcedure
Create a
object containing a string by using the following command:Secret$ oc create secret generic <secret_name> --from-literal=clientSecret=<secret> -n openshift-configTipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: <secret_name> namespace: openshift-config type: Opaque data: clientSecret: <base64_encoded_client_secret>You can define a
object containing the contents of a file, such as a certificate file, by using the following command:Secret$ oc create secret generic <secret_name> --from-file=<path_to_file> -n openshift-config
7.7.4. Creating a config map
Identity providers use OpenShift Container Platform
ConfigMapopenshift-configThis procedure is only required for GitHub Enterprise.
Procedure
Define an OpenShift Container Platform
object containing the certificate authority by using the following command. The certificate authority must be stored in theConfigMapkey of theca.crtobject.ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-configTipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>
7.7.5. Sample GitLab CR
The following custom resource (CR) shows the parameters and acceptable values for a GitLab identity provider.
GitLab CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: gitlabidp
mappingMethod: claim
type: GitLab
gitlab:
clientID: {...}
clientSecret:
name: gitlab-secret
url: https://gitlab.com
ca:
name: ca-config-map- 1
- This provider name is prefixed to the GitLab numeric user ID to form an identity name. It is also used to build the callback URL.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- The client ID of a registered GitLab OAuth application. The application must be configured with a callback URL of
https://oauth-openshift.apps.<cluster-name>.<cluster-domain>/oauth2callback/<idp-provider-name>. - 4
- Reference to an OpenShift Container Platform
Secretobject containing the client secret issued by GitLab. - 5
- The host URL of a GitLab provider. This could either be
https://gitlab.com/or any other self hosted instance of GitLab. - 6
- Optional: Reference to an OpenShift Container Platform
ConfigMapobject containing the PEM-encoded certificate authority bundle to use in validating server certificates for the configured URL.
7.7.6. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyLog in to the cluster as a user from your identity provider, entering the password when prompted.
$ oc login -u <username>Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.8. Configuring a Google identity provider
Configure the
google7.8.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.8.2. About Google authentication
Using Google as an identity provider allows any Google user to authenticate to your server. You can limit authentication to members of a specific hosted domain with the
hostedDomainUsing Google as an identity provider requires users to get a token using
<namespace_route>/oauth/token/request7.8.3. Creating the secret
Identity providers use OpenShift Container Platform
Secretopenshift-configProcedure
Create a
object containing a string by using the following command:Secret$ oc create secret generic <secret_name> --from-literal=clientSecret=<secret> -n openshift-configTipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: <secret_name> namespace: openshift-config type: Opaque data: clientSecret: <base64_encoded_client_secret>You can define a
object containing the contents of a file, such as a certificate file, by using the following command:Secret$ oc create secret generic <secret_name> --from-file=<path_to_file> -n openshift-config
7.8.4. Sample Google CR
The following custom resource (CR) shows the parameters and acceptable values for a Google identity provider.
Google CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: googleidp
mappingMethod: claim
type: Google
google:
clientID: {...}
clientSecret:
name: google-secret
hostedDomain: "example.com" - 1
- This provider name is prefixed to the Google numeric user ID to form an identity name. It is also used to build the redirect URL.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- The client ID of a registered Google project. The project must be configured with a redirect URI of
https://oauth-openshift.apps.<cluster-name>.<cluster-domain>/oauth2callback/<idp-provider-name>. - 4
- Reference to an OpenShift Container Platform
Secretobject containing the client secret issued by Google. - 5
- A hosted domain used to restrict sign-in accounts. Optional if the
lookupmappingMethodis used. If empty, any Google account is allowed to authenticate.
7.8.5. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyObtain a token from the OAuth server.
As long as the
user has been removed, thekubeadmincommand provides instructions on how to access a web page where you can retrieve the token.oc loginYou can also access this page from the web console by navigating to (?) Help
Command Line Tools Copy Login Command. Log in to the cluster, passing in the token to authenticate.
$ oc login --token=<token>NoteThis identity provider does not support logging in with a user name and password.
Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.9. Configuring a OpenID Connect identity provider
Configure the
oidc7.9.1. About identity providers in OpenShift Container Platform
By default, only a
kubeadminOpenShift Container Platform user names containing
/:%7.9.2. Creating the secret
Identity providers use OpenShift Container Platform
Secretopenshift-configProcedure
Create a
object containing a string by using the following command:Secret$ oc create secret generic <secret_name> --from-literal=clientSecret=<secret> -n openshift-configTipYou can alternatively apply the following YAML to create the secret:
apiVersion: v1 kind: Secret metadata: name: <secret_name> namespace: openshift-config type: Opaque data: clientSecret: <base64_encoded_client_secret>You can define a
object containing the contents of a file, such as a certificate file, by using the following command:Secret$ oc create secret generic <secret_name> --from-file=<path_to_file> -n openshift-config
7.9.3. Creating a config map
Identity providers use OpenShift Container Platform
ConfigMapopenshift-configThis procedure is only required for GitHub Enterprise.
Procedure
Define an OpenShift Container Platform
object containing the certificate authority by using the following command. The certificate authority must be stored in theConfigMapkey of theca.crtobject.ConfigMap$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-configTipYou can alternatively apply the following YAML to create the config map:
apiVersion: v1 kind: ConfigMap metadata: name: ca-config-map namespace: openshift-config data: ca.crt: | <CA_certificate_PEM>
7.9.4. Sample OpenID Connect CRs
The following custom resources (CRs) show the parameters and acceptable values for an OpenID Connect identity provider.
If you must specify a custom certificate bundle, extra scopes, extra authorization request parameters, or a
userInfoStandard OpenID Connect CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: oidcidp
mappingMethod: claim
type: OpenID
openID:
clientID: ...
clientSecret:
name: idp-secret
claims:
preferredUsername:
- preferred_username
name:
- name
email:
- email
issuer: https://www.idp-issuer.com - 1
- This provider name is prefixed to the value of the identity claim to form an identity name. It is also used to build the redirect URL.
- 2
- Controls how mappings are established between this provider’s identities and
Userobjects. - 3
- The client ID of a client registered with the OpenID provider. The client must be allowed to redirect to
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>. - 4
- Reference to an OpenShift Container Platform
Secretobject containing the client secret. - 5
- List of claims to use as the identity. First non-empty claim is used. At least one claim is required. If none of the listed claims have a value, authentication fails. For example, this uses the value of the
subclaim in the returnedid_tokenas the user’s identity. - 6
- Issuer Identifier described in the OpenID spec. Must use
httpswithout query or fragment component.
Full OpenID Connect CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: oidcidp
mappingMethod: claim
type: OpenID
openID:
clientID: ...
clientSecret:
name: idp-secret
ca:
name: ca-config-map
extraScopes:
- email
- profile
extraAuthorizeParameters:
include_granted_scopes: "true"
claims:
preferredUsername:
- preferred_username
- email
name:
- nickname
- given_name
- name
email:
- custom_email_claim
- email
issuer: https://www.idp-issuer.com- 1
- Optional: Reference to an OpenShift Container Platform config map containing the PEM-encoded certificate authority bundle to use in validating server certificates for the configured URL.
- 2
- Optional list of scopes to request, in addition to the
openidscope, during the authorization token request. - 3
- Optional map of extra parameters to add to the authorization token request.
- 4
- List of claims to use as the preferred user name when provisioning a user for this identity. First non-empty claim is used.
- 5
- List of claims to use as the display name. First non-empty claim is used.
- 6
- List of claims to use as the email address. First non-empty claim is used.
7.9.5. Adding an identity provider to your cluster
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
- Create an OpenShift Container Platform cluster.
- Create the custom resource (CR) for your identity providers.
- You must be logged in as an administrator.
Procedure
Apply the defined CR:
$ oc apply -f </path/to/CR>NoteIf a CR does not exist,
creates a new CR and might trigger the following warning:oc apply. In this case you can safely ignore this warning.Warning: oc apply should be used on resources created by either oc create --save-config or oc applyObtain a token from the OAuth server.
As long as the
user has been removed, thekubeadmincommand provides instructions on how to access a web page where you can retrieve the token.oc loginYou can also access this page from the web console by navigating to (?) Help
Command Line Tools Copy Login Command. Log in to the cluster, passing in the token to authenticate.
$ oc login --token=<token>NoteIf your OpenID Connect identity provider supports the resource owner password credentials (ROPC) grant flow, you can log in with a user name and password. You might need to take steps to enable the ROPC grant flow for your identity provider.
After the OIDC identity provider is configured in OpenShift Container Platform, you can log in by using the following command, which prompts for your user name and password:
$ oc login -u <identity_provider_username> --server=<api_server_url_and_port>Confirm that the user logged in successfully, and display the user name.
$ oc whoami
7.9.6. Configuring identity providers using the web console
Configure your identity provider (IDP) through the web console instead of the CLI.
Prerequisites
- You must be logged in to the web console as a cluster administrator.
Procedure
-
Navigate to Administration
Cluster Settings. - Under the Global Configuration tab, click OAuth.
- Under the Identity Providers section, select your identity provider from the Add drop-down menu.
You can specify multiple IDPs through the web console without overwriting existing IDPs.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}