Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 3. Configure additional OpenID Connect providers
3.1. Configuring Google as an OpenID Connect provider for Trusted Artifact Signer
You can use Google OAuth 2.0 as your OpenID Connect (OIDC) provider for Red Hat’s Trusted Artifact Signer (RHTAS) service. You can decide to configure Google OAuth during the deployment of RHTAS, or at a later time.
You can define several different OIDC providers in the same configuration.
Prerequisites
- Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
-
Access to the OpenShift web console with the
cluster-admin
role. -
A workstation with the
oc
, andpodman
binaries installed. From the Google Cloud Console, create an OAuth client ID with the following settings:
- Set the application type to “Web Application”.
- Authorized redirect URIs must include: http://localhost/auth/callback .
Procedure
Open a terminal on your workstation, and log in to OpenShift:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORT
Example
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
NoteYou can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.
Update the RHTAS configuration.
Open for editing the
Securesign
resource:Syntax
oc edit Securesign NAME -n NAMESPACE
Example
$ oc edit Securesign securesign-sample -n trusted-artifact-signer
NoteYou must use the project name created for the RHTAS installation as the namespace.
Under the
OIDCIssuers
section, add a new subsection with your Google client identifier, issuer’s URL, and set theType
value toemail
:Syntax
... OIDCIssuers: - Issuer: "https://accounts.google.com" IssuerURL: "https://accounts.google.com" ClientID: "CLIENT_ID" Type: email ...
Add you Google client identifier to the
ClientID
field.- Save your changes, and quit the editor. After a few seconds the operator automatically reconfigures the RHTAS software stack.
Change the OIDC issuer, and client id environment variables to use Google:
Example
$ export OIDC_ISSUER_URL=https://accounts.google.com $ export COSIGN_OIDC_CLIENT_ID="314919563931-35zke44ouf2oiztjg7v8o8c2ge9usnd1.apps.googleexample.com"
Copy and paste your secret from the Google Console to a plain text file:
Syntax
echo SECRET > my-google-client-secret
If you already have the RHTAS service running, you can verify the updated configuration by signing a test container image.
Create an empty container image:
Example
$ echo "FROM scratch" > ./tmp.Dockerfile $ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h
Push the empty container image to the
ttl.sh
ephemeral registry:Example
$ podman push ttl.sh/rhtas/test-image:1h
Remove the temporary Docker file:
Example
$ rm ./tmp.Dockerfile
Sign the container image:
Syntax
cosign sign -y --oidc-client-secret-file=SECRET_FILE IMAGE_NAME:TAG
Example
$ cosign sign -y --oidc-client-secret-file=my-google-client-secret ttl.sh/rhtas/test-image:1h
A web browser opens allowing you to sign the container image with an email address.
Additional resources
3.2. Configuring Red Hat SSO as an OpenID Connect provider for Trusted Artifact Signer
You can use Red Hat Single Sign-On (SSO) as your OpenID Connect provider for Red Hat’s Trusted Artifact Signer (RHTAS) service. This gives you a Keycloak authentication environment for applications and secure services.
Prerequisites
- Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
-
Access to the OpenShift web console with the
cluster-admin
role. - Have 1 GB of container storage available for the Keycloak PostgreSQL database.
-
A workstation with the
oc
binary installed.
Procedure
-
Log in to the OpenShift web console with a user that has the
cluster-admin
role. Create a new project to deploy the Keycloak service.
- From the Administrator perspective, expand Home from the navigation menu, and click Projects.
- Click the Create Project button.
-
The new project name is
keycloak-system
, and click the Create button.
- Expand Operators from the navigation menu, and click OperatorHub.
- In the search field, type sso, and click the Red Hat Single Sign-on tile.
- Click the Install button to show the operator details.
-
If not already set, select
keycloak-system
from the Installed Namespace drop-down menu. - Click Install on the Install Operator page, and wait for the installation to finish.
- After the installation finishes, click View Operator.
From your workstation terminal, log in to the OpenShift cluster:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORT
Example
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
NoteYou can find your login token and URL to use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.
Switch to the Keycloak project:
Example
$ oc project keycloak-system
Create a Keycloak instance:
Example
$ cat <<EOF | oc apply -f - apiVersion: keycloak.org/v1alpha1 kind: Keycloak metadata: labels: app: sso name: keycloak spec: externalAccess: enabled: true instances: 1 keycloakDeploymentSpec: imagePullPolicy: Always postgresDeploymentSpec: imagePullPolicy: Always EOF
Create a Keycloak realm:
Example
$ cat <<EOF | oc apply -f - apiVersion: keycloak.org/v1alpha1 kind: KeycloakRealm metadata: labels: app: sso name: trusted-artifact-signer spec: instanceSelector: matchLabels: app: sso realm: displayName: Red-Hat-Trusted-Artifact-Signer enabled: true id: trusted-artifact-signer realm: trusted-artifact-signer sslRequired: none EOF
Create a Keycloak client:
Example
$ cat <<EOF | oc apply -f - apiVersion: keycloak.org/v1alpha1 kind: KeycloakClient metadata: labels: app: sso name: trusted-artifact-signer spec: client: attributes: request.object.signature.alg: RS256 user.info.response.signature.alg: RS256 clientAuthenticatorType: client-secret clientId: trusted-artifact-signer defaultClientScopes: - profile - email description: Client for Red Hat Trusted Artifact Signer authentication directAccessGrantsEnabled: true implicitFlowEnabled: false name: trusted-artifact-signer protocol: openid-connect protocolMappers: - config: claim.name: email id.token.claim: "true" jsonType.label: String user.attribute: email userinfo.token.claim: "true" name: email protocol: openid-connect protocolMapper: oidc-usermodel-property-mapper - config: claim.name: email-verified id.token.claim: "true" user.attribute: emailVerified userinfo.token.claim: "true" name: email-verified protocol: openid-connect protocolMapper: oidc-usermodel-property-mapper - config: claim.name: aud claim.value: trusted-artifact-signer id.token.claim: "true" access.token.claim: "true" userinfo.token.claim: "true" name: audience protocol: openid-connect protocolMapper: oidc-hardcoded-claim-mapper publicClient: true standardFlowEnabled: true redirectUris: - "*" realmSelector: matchLabels: app: sso EOF
Create a Keycloak user:
Example
$ cat <<EOF | oc apply -f - apiVersion: keycloak.org/v1alpha1 kind: KeycloakUser metadata: labels: app: sso name: jdoe spec: realmSelector: matchLabels: app: sso user: email: jdoe@redhat.com enabled: true emailVerified: true credentials: - type: "password" value: "secure" firstName: Jane lastName: Doe username: jdoe EOF
Set a user name, the user’s email address, and a password or reference a secret object.
- Go back to the OpenShift web console, click the All instances tab to watch and wait until the Keycloak system initializes successfully.
Additional resources
3.3. Configuring Amazon STS as an OpenID Connect provider for Trusted Artifact Signer
You can use Amazon’s Security Token Service (STS) as your OpenID Connect (OIDC) provider for Red Hat’s Trusted Artifact Signer (RHTAS) service. You can decide to configure Amazon STS during the deployment of RHTAS, or at a later time.
You can define several different OIDC providers in the same configuration.
Prerequisites
- A RHTAS installation on Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
-
Access to the OpenShift web console with the
cluster-admin
role. -
A workstation with the
oc
,podman
, andaws
binaries installed. - Enable managed Amazon Web Service (AWS) Resources for OpenShift environments.
A created Amazon Identity and Access Management (IAM) user with full permissions. This allows access to run IAM operations.
- Created access keys for this user.
Procedure
Open a terminal on your workstation, and log in to OpenShift:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORT
Example
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
NoteYou can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.
Find the AWS OIDC provider URL:
Example
$ oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}'
Update RHTAS the configuration.
Open for editing the
Securesign
resource:Syntax
oc edit Securesign NAME -n NAMESPACE
Example
$ oc edit Securesign securesign-sample -n trusted-artifact-signer
NoteYou must use the project name created for the RHTAS installation as the namespace.
Under the
OIDCIssuers
section, add a new subsection with your AWS STS client identifier, issuer’s URL, and set theType
value tokubernetes
:Example
... OIDCIssuers: - Issuer: "https://example.s3.us-east-1.aws.com/47bd6cg0vs5nn01mue83fbof94dj4m9c" IssuerURL: "https://example.s3.us-east-1.aws.com/47bd6cg0vs5nn01mue83fbof94dj4m9c" ClientID: "trusted-artifact-signer" Type: kubernetes ...
- Save your changes, and quit the editor. After a few seconds the operator automatically reconfigures the RHTAS software stack.
Configure the AWS command-line tool by entering your access key, secret key, default region, and output format:
Example
$ aws configure
Set the following environment variables:
Example
$ export account_id=$(aws sts get-caller-identity --query "Account" --output text) $ export oidc_provider="$(oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}' | cut -d '/' -f3-)" $ export role_name=rhtas-sts $ export namespace=rhtas-sts $ export service_account=cosign-sts
Create a Trust Policy that gets associated with newly created IAM roles:
Example
$ cat >trust-relationship.json <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${oidc_provider}:aud": "trusted-artifact-signer" } } } ] } EOF
Create a new IAM role for the RHTAS service by using the trust policy:
Example
$ aws iam create-role --role-name rhtas-sts --assume-role-policy-document file://trust-relationship.json --description "Red Hat Trusted Artifact Signer STS Role"
On the OpenShift cluster with STS enabled, create a new project namespace:
Syntax
oc new-project NAMESPACE
Example
$ oc new-project rhtas-sts
Create a service account for assuming an IAM role, and running a workload within the OpenShift project namespace.
Create the service account manifest:
Example
$ cat >service_account.yaml <<EOF apiVersion: v1 kind: ServiceAccount metadata: name: $service_account namespace: $namespace annotations: eks.amazonaws.com/role-arn: "arn:aws:iam::${account_id}:role/${role_name}" # optional: Defaults to "sts.amazonaws.com" if not set eks.amazonaws.com/audience: "trusted-artifact-signer" # optional: When "true", adds AWS_STS_REGIONAL_ENDPOINTS env var to containers eks.amazonaws.com/sts-regional-endpoints: "true" # optional: Defaults to 86400 for expirationSeconds if not set eks.amazonaws.com/token-expiration: "86400" EOF
Apply the service account manifest to OpenShift:
Example
$ oc apply -f service_account.yaml
Create a new deployment workload for signing container images within a image registry.
Create the deployment manifest:
Example
$ cat >deployment.yaml <<EOF apiVersion: apps/v1 kind: Deployment metadata: name: cosign-sts namespace: ${namespace} spec: selector: matchLabels: app: cosign-sts template: metadata: labels: app: cosign-sts spec: securityContext: runAsNonRoot: true serviceAccountName: cosign-sts containers: - args: - -c - env; cosign initialize --mirror=\$COSIGN_MIRROR --root=\$COSIGN_ROOT; while true; do sleep 86400; done command: - /bin/sh name: cosign image: registry.redhat.io/rhtas-tech-preview/cosign-rhel9@sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e pullPolicy: IfNotPresent env: - name: AWS_ROLE_SESSION_NAME value: signer-identity-session - name: AWS_REGION value: us-east-1 - name: OPENSHIFT_APPS_SUBDOMAIN value: $(oc get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//') - name: OIDC_AUTHENTICATION_REALM value: "trusted-artifact-signer" - name: COSIGN_FULCIO_URL value: $(oc get fulcio -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer) - name: COSIGN_OIDC_ISSUER value: $(oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}') - name: COSIGN_CERTIFICATE_OIDC_ISSUER value: $(oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}') - name: COSIGN_REKOR_URL value: $(oc get rekor -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer) - name: COSIGN_MIRROR value: $(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer) - name: COSIGN_ROOT value: "$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)/root.json" - name: COSIGN_YES value: "true" securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: runAsNonRoot: true serviceAccount: ${service_account} serviceAccountName: ${service_account} terminationGracePeriodSeconds: 30 EOF
Apply the deployment manifest to OpenShift:
Example
$ oc apply -f deployment.yaml
Create a test container image to sign.
Create an empty container image:
Example
$ echo "FROM scratch" > ./tmp.Dockerfile $ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h
Push the empty container image to the
ttl.sh
ephemeral registry:Example
$ podman push ttl.sh/rhtas/test-image:1h
Remove the temporary Docker file:
Example
$ rm ./tmp.Dockerfile
Validate the configuration by signing and verifying the test container image.
Open a remote shell session within a running pod:
Syntax
oc rsh -n NAMESPACE deployment/cosign-sts env IMAGE=IMAGE_NAME:TAG /bin/sh
Example
$ oc rsh -n rhtas-sts deployment/cosign-sts env IMAGE=ttl.sh/rhtas/test-image:1h /bin/sh
Sign the container image:
Example
$ cosign sign -y --identity-token=$(cat $AWS_WEB_IDENTITY_TOKEN_FILE) ttl.sh/rhtas/test-image:1h
Verify the signed container image:
Example
$ cosign verify --certificate-identity=https://kubernetes.io/namespaces/$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)/serviceaccounts/cosign-sts --certificate-oidc-issuer=$COSIGN_CERTIFICATE_OIDC_ISSUER ttl.sh/rhtas/test-image:1h
3.4. Configuring GitHub as an OpenID Connect provider for Trusted Artifact Signer
You can use GitHub OAuth 2.0 when federating it with Red Hat’s Single Sign-On (SSO) service as an OpenID Connect (OIDC) provider for the Red Hat Trusted Artifact Signer (RHTAS) service. This procedure guides you on integrating GitHub OAuth with an existing Red Hat SSO deployment on OpenShift.
You can define several different OIDC providers in the same configuration.
Prerequisites
- A RHTAS installation on Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
- A running Red Hat SSO instance.
-
A workstation with the
oc
binary installed. Create a GitHub OAuth app, and after registering the application, make note of the client identifier and secret values.
ImportantWhen registering your new GitHub OAuth app, you must specify the Homepage URL, and the Authorization callback URL. Enter placeholder values for both of these fields, for example,
https://localhost:8080
. Later in this procedure you will modify your GitHub OAuth app with the intended values for these fields.
Procedure
Open a terminal on your workstation, and log in to OpenShift:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORT
Example
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
NoteYou can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.
Log in to the Red Hat SSO console.
Find the Red Hat SSO console URL from the command line:
Example
$ oc get routes -n keycloak-system keycloak -o jsonpath='https://{.spec.host}'
- Copy and paste the Red Hat SSO console URL into your web browser.
- Click Administration Console.
Retrieve the
admin
password from the command line:Example
$ oc get secret/credential-keycloak -n keycloak-system -o jsonpath='{ .data.ADMIN_PASSWORD }' | base64 -d
Copy the output from this command.
-
From your web browser, log in as the
admin
user, and paste the password in the corresponding field. Click the Sign In button.
- Select your realm from the dropdown on the navigation menu.
Add the GitHub identity provider.
- From the navigational menu, click Identity Providers.
- From the Add provider… drop-down menu, select GitHub.
- Add your GitHub OAuth client identifier to the Client ID field.
- Add your GitHub OAuth client secret to the Client Secret field.
- Turn on the Trust Email option.
- Click the Save button.
Add the identity provider mapper to the newly created identity provider.
- Click the Mapper tab.
- Click the Create button.
- Give a Name to the new mapper.
- Change the Mapper Type to Hardcoded Attribute.
-
Set the User Attribute field to
emailVerified
. -
Set the User Attribute Value field to
true
. - Click the Save button.
-
From the GitHub Identity Provider Settings page, copy the Redirect URI value and paste it to your GitHub OAuth app Authorization Callback URL field. Also, paste this same value into the Homepage URL field, but remove the
broker/github/endpoint
part of the URL string. - Click Update Application. You can now sign commits, and containers by using GitHub as your OIDC provider.
- When signing artifacts, a web browser opens and prompts you to sign in to your Red Hat SSO account. Click the GitHub button to sign in with your credentials.
- Click the Authorize button to enable GitHub user details to be accessible by Red Hat SSO.