Rechercher
SupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 3. Configure additional OpenID Connect providers

download PDF

3.1. Configuring Google as an OpenID Connect provider for Trusted Artifact Signer

You can use Google OAuth 2.0 as your OpenID Connect (OIDC) provider for Red Hat’s Trusted Artifact Signer (RHTAS) service. You can decide to configure Google OAuth during the deployment of RHTAS, or at a later time.

Important

You can define several different OIDC providers in the same configuration.

Prerequisites

  • Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, and podman binaries installed.

  • From the Google Cloud Console, create an OAuth client ID with the following settings:

Procedure

  1. Open a terminal on your workstation, and log in to OpenShift:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  2. Update the RHTAS configuration.

    1. Open for editing the Securesign resource:

      Syntax

      oc edit Securesign NAME -n NAMESPACE

      Example

      $ oc edit Securesign securesign-sample -n trusted-artifact-signer

      Note

      You must use the project name created for the RHTAS installation as the namespace.

    2. Under the OIDCIssuers section, add a new subsection with your Google client identifier, issuer’s URL, and set the Type value to email:

      Syntax

      ...
OIDCIssuers:
  - Issuer: "https://accounts.google.com"
    IssuerURL: "https://accounts.google.com"
    ClientID: "CLIENT_ID"
    Type: email
...

      Add you Google client identifier to the ClientID field.

    3. Save your changes, and quit the editor. After a few seconds the operator automatically reconfigures the RHTAS software stack.

  3. Change the OIDC issuer, and client id environment variables to use Google:

    Example

    $ export OIDC_ISSUER_URL=https://accounts.google.com
$ export COSIGN_OIDC_CLIENT_ID="314919563931-35zke44ouf2oiztjg7v8o8c2ge9usnd1.apps.googleexample.com"

  4. Copy and paste your secret from the Google Console to a plain text file:

    Syntax

    echo SECRET > my-google-client-secret

  5. If you already have the RHTAS service running, you can verify the updated configuration by signing a test container image.

    1. Create an empty container image:

      Example

      $ echo "FROM scratch" > ./tmp.Dockerfile
$ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h

    2. Push the empty container image to the ttl.sh ephemeral registry:

      Example

      $ podman push ttl.sh/rhtas/test-image:1h

    3. Remove the temporary Docker file:

      Example

      $ rm ./tmp.Dockerfile

    4. Sign the container image:

      Syntax

      cosign sign -y --oidc-client-secret-file=SECRET_FILE IMAGE_NAME:TAG

      Example

      $ cosign sign -y --oidc-client-secret-file=my-google-client-secret ttl.sh/rhtas/test-image:1h

      A web browser opens allowing you to sign the container image with an email address.

Additional resources

3.2. Configuring Red Hat SSO as an OpenID Connect provider for Trusted Artifact Signer

You can use Red Hat Single Sign-On (SSO) as your OpenID Connect provider for Red Hat’s Trusted Artifact Signer (RHTAS) service. This gives you a Keycloak authentication environment for applications and secure services.

Prerequisites

  • Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
  • Access to the OpenShift web console with the cluster-admin role.
  • Have 1 GB of container storage available for the Keycloak PostgreSQL database.
  • A workstation with the oc binary installed.

Procedure

  1. Log in to the OpenShift web console with a user that has the cluster-admin role.

  2. Create a new project to deploy the Keycloak service.

    1. From the Administrator perspective, expand Home from the navigation menu, and click Projects.
    2. Click the Create Project button.
    3. The new project name is keycloak-system, and click the Create button.
  3. Expand Operators from the navigation menu, and click OperatorHub.
  4. In the search field, type sso, and click the Red Hat Single Sign-on tile.
  5. Click the Install button to show the operator details.
  6. If not already set, select keycloak-system from the Installed Namespace drop-down menu.
  7. Click Install on the Install Operator page, and wait for the installation to finish.
  8. After the installation finishes, click View Operator.

  9. From your workstation terminal, log in to the OpenShift cluster:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL to use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  10. Switch to the Keycloak project:

    Example

    $ oc project keycloak-system

  11. Create a Keycloak instance:

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  labels:
    app: sso
  name: keycloak
spec:
  externalAccess:
    enabled: true
  instances: 1
  keycloakDeploymentSpec:
    imagePullPolicy: Always
  postgresDeploymentSpec:
    imagePullPolicy: Always
EOF

  12. Create a Keycloak realm:

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  labels:
    app: sso
  name: trusted-artifact-signer
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    displayName: Red-Hat-Trusted-Artifact-Signer
    enabled: true
    id: trusted-artifact-signer
    realm: trusted-artifact-signer
    sslRequired: none
EOF

  13. Create a Keycloak client:

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  labels:
    app: sso
  name: trusted-artifact-signer
spec:
  client:
    attributes:
      request.object.signature.alg: RS256
      user.info.response.signature.alg: RS256
    clientAuthenticatorType: client-secret
    clientId: trusted-artifact-signer
    defaultClientScopes:
    - profile
    - email
    description: Client for Red Hat Trusted Artifact Signer authentication
    directAccessGrantsEnabled: true
    implicitFlowEnabled: false
    name: trusted-artifact-signer
    protocol: openid-connect
    protocolMappers:
    - config:
        claim.name: email
        id.token.claim: "true"
        jsonType.label: String
        user.attribute: email
        userinfo.token.claim: "true"
      name: email
      protocol: openid-connect
      protocolMapper: oidc-usermodel-property-mapper
    - config:
        claim.name: email-verified
        id.token.claim: "true"
        user.attribute: emailVerified
        userinfo.token.claim: "true"
      name: email-verified
      protocol: openid-connect
      protocolMapper: oidc-usermodel-property-mapper
    - config:
        claim.name: aud
        claim.value: trusted-artifact-signer
        id.token.claim: "true"
        access.token.claim: "true"
        userinfo.token.claim: "true"
      name: audience
      protocol: openid-connect
      protocolMapper: oidc-hardcoded-claim-mapper
    publicClient: true
    standardFlowEnabled: true
    redirectUris:
    - "*"
  realmSelector:
    matchLabels:
      app: sso
EOF

  14. Create a Keycloak user:

    Example

    $ cat <<EOF | oc apply -f -
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
  labels:
    app: sso
  name: jdoe
spec:
  realmSelector:
    matchLabels:
      app: sso
  user:
    email: jdoe@redhat.com
    enabled: true
    emailVerified: true
    credentials:
      - type: "password"
        value: "secure"
    firstName: Jane
    lastName: Doe
    username: jdoe
EOF

    Set a user name, the user’s email address, and a password or reference a secret object.

  15. Go back to the OpenShift web console, click the All instances tab to watch and wait until the Keycloak system initializes successfully.

Additional resources

3.3. Configuring Amazon STS as an OpenID Connect provider for Trusted Artifact Signer

You can use Amazon’s Security Token Service (STS) as your OpenID Connect (OIDC) provider for Red Hat’s Trusted Artifact Signer (RHTAS) service. You can decide to configure Amazon STS during the deployment of RHTAS, or at a later time.

Important

You can define several different OIDC providers in the same configuration.

Prerequisites

  • A RHTAS installation on Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, podman, and aws binaries installed.
  • Enable managed Amazon Web Service (AWS) Resources for OpenShift environments.

  • A created Amazon Identity and Access Management (IAM) user with full permissions. This allows access to run IAM operations.

    • Created access keys for this user.

Procedure

  1. Open a terminal on your workstation, and log in to OpenShift:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  2. Find the AWS OIDC provider URL:

    Example

    $ oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}'

  3. Update RHTAS the configuration.

    1. Open for editing the Securesign resource:

      Syntax

      oc edit Securesign NAME -n NAMESPACE

      Example

      $ oc edit Securesign securesign-sample -n trusted-artifact-signer

      Note

      You must use the project name created for the RHTAS installation as the namespace.

    2. Under the OIDCIssuers section, add a new subsection with your AWS STS client identifier, issuer’s URL, and set the Type value to kubernetes:

      Example

      ...
OIDCIssuers:
  - Issuer: "https://example.s3.us-east-1.aws.com/47bd6cg0vs5nn01mue83fbof94dj4m9c"
    IssuerURL: "https://example.s3.us-east-1.aws.com/47bd6cg0vs5nn01mue83fbof94dj4m9c"
    ClientID: "trusted-artifact-signer"
    Type: kubernetes
...

    3. Save your changes, and quit the editor. After a few seconds the operator automatically reconfigures the RHTAS software stack.

  4. Configure the AWS command-line tool by entering your access key, secret key, default region, and output format:

    Example

    $ aws configure

  5. Set the following environment variables:

    Example

    $ export account_id=$(aws sts get-caller-identity --query "Account" --output text)
$ export oidc_provider="$(oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}' | cut -d '/' -f3-)"
$ export role_name=rhtas-sts
$ export namespace=rhtas-sts
$ export service_account=cosign-sts

  6. Create a Trust Policy that gets associated with newly created IAM roles:

    Example

    $ cat >trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "trusted-artifact-signer"
        }
      }
    }
  ]
}
EOF

  7. Create a new IAM role for the RHTAS service by using the trust policy:

    Example

    $ aws iam create-role --role-name rhtas-sts --assume-role-policy-document file://trust-relationship.json --description "Red Hat Trusted Artifact Signer STS Role"

  8. On the OpenShift cluster with STS enabled, create a new project namespace:

    Syntax

    oc new-project NAMESPACE

    Example

    $ oc new-project rhtas-sts

  9. Create a service account for assuming an IAM role, and running a workload within the OpenShift project namespace.

    1. Create the service account manifest:

      Example

      $ cat >service_account.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $service_account
  namespace: $namespace
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::${account_id}:role/${role_name}"
    # optional: Defaults to "sts.amazonaws.com" if not set
    eks.amazonaws.com/audience: "trusted-artifact-signer"
    # optional: When "true", adds AWS_STS_REGIONAL_ENDPOINTS env var to containers
    eks.amazonaws.com/sts-regional-endpoints: "true"
    # optional: Defaults to 86400 for expirationSeconds if not set
    eks.amazonaws.com/token-expiration: "86400"
EOF

    2. Apply the service account manifest to OpenShift:

      Example

      $ oc apply -f service_account.yaml

  10. Create a new deployment workload for signing container images within a image registry.

    1. Create the deployment manifest:

      Example

      $ cat >deployment.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cosign-sts
  namespace: ${namespace}
spec:
  selector:
    matchLabels:
      app: cosign-sts
  template:
    metadata:
      labels:
        app: cosign-sts
    spec:
      securityContext:
        runAsNonRoot: true
      serviceAccountName: cosign-sts
      containers:
      - args:
        - -c
        - env; cosign initialize --mirror=\$COSIGN_MIRROR --root=\$COSIGN_ROOT; while true; do sleep 86400; done
        command:
        - /bin/sh
        name: cosign
        image: registry.redhat.io/rhtas-tech-preview/cosign-rhel9@sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e
        pullPolicy: IfNotPresent
        env:
        - name: AWS_ROLE_SESSION_NAME
          value: signer-identity-session
        - name: AWS_REGION
          value: us-east-1
        - name: OPENSHIFT_APPS_SUBDOMAIN
          value: $(oc get cm -n openshift-config-managed  console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//')
        - name: OIDC_AUTHENTICATION_REALM
          value: "trusted-artifact-signer"
        - name: COSIGN_FULCIO_URL
          value: $(oc get fulcio -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
        - name: COSIGN_OIDC_ISSUER
          value: $(oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}')
        - name: COSIGN_CERTIFICATE_OIDC_ISSUER
          value: $(oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}')
        - name: COSIGN_REKOR_URL
          value: $(oc get rekor -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
        - name: COSIGN_MIRROR
          value: $(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
        - name: COSIGN_ROOT
          value: "$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)/root.json"
        - name: COSIGN_YES
          value: "true"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsNonRoot: true
      serviceAccount: ${service_account}
      serviceAccountName: ${service_account}
      terminationGracePeriodSeconds: 30
EOF

    2. Apply the deployment manifest to OpenShift:

      Example

      $ oc apply -f deployment.yaml

  11. Create a test container image to sign.

    1. Create an empty container image:

      Example

      $ echo "FROM scratch" > ./tmp.Dockerfile
$ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h

    2. Push the empty container image to the ttl.sh ephemeral registry:

      Example

      $ podman push ttl.sh/rhtas/test-image:1h

    3. Remove the temporary Docker file:

      Example

      $ rm ./tmp.Dockerfile

  12. Validate the configuration by signing and verifying the test container image.

    1. Open a remote shell session within a running pod:

      Syntax

      oc rsh -n NAMESPACE deployment/cosign-sts env IMAGE=IMAGE_NAME:TAG /bin/sh

      Example

      $ oc rsh -n rhtas-sts deployment/cosign-sts env IMAGE=ttl.sh/rhtas/test-image:1h /bin/sh

    2. Sign the container image:

      Example

      $ cosign sign -y --identity-token=$(cat $AWS_WEB_IDENTITY_TOKEN_FILE) ttl.sh/rhtas/test-image:1h

    3. Verify the signed container image:

      Example

      $ cosign verify --certificate-identity=https://kubernetes.io/namespaces/$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)/serviceaccounts/cosign-sts --certificate-oidc-issuer=$COSIGN_CERTIFICATE_OIDC_ISSUER ttl.sh/rhtas/test-image:1h

3.4. Configuring GitHub as an OpenID Connect provider for Trusted Artifact Signer

You can use GitHub OAuth 2.0 when federating it with Red Hat’s Single Sign-On (SSO) service as an OpenID Connect (OIDC) provider for the Red Hat Trusted Artifact Signer (RHTAS) service. This procedure guides you on integrating GitHub OAuth with an existing Red Hat SSO deployment on OpenShift.

Important

You can define several different OIDC providers in the same configuration.

Prerequisites

  • A RHTAS installation on Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.
  • A running Red Hat SSO instance.
  • A workstation with the oc binary installed.

  • Create a GitHub OAuth app, and after registering the application, make note of the client identifier and secret values.

    Important

    When registering your new GitHub OAuth app, you must specify the Homepage URL, and the Authorization callback URL. Enter placeholder values for both of these fields, for example, https://localhost:8080. Later in this procedure you will modify your GitHub OAuth app with the intended values for these fields.

Procedure

  1. Open a terminal on your workstation, and log in to OpenShift:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  2. Log in to the Red Hat SSO console.

    1. Find the Red Hat SSO console URL from the command line:

      Example

      $ oc get routes -n keycloak-system keycloak -o jsonpath='https://{.spec.host}'

    2. Copy and paste the Red Hat SSO console URL into your web browser.
    3. Click Administration Console.

    4. Retrieve the admin password from the command line:

      Example

      $ oc get secret/credential-keycloak -n keycloak-system -o jsonpath='{ .data.ADMIN_PASSWORD }' | base64 -d

      Copy the output from this command.

    5. From your web browser, log in as the admin user, and paste the password in the corresponding field. Click the Sign In button.
  3. Select your realm from the dropdown on the navigation menu.

  4. Add the GitHub identity provider.

    1. From the navigational menu, click Identity Providers.
    2. From the Add provider… drop-down menu, select GitHub.
    3. Add your GitHub OAuth client identifier to the Client ID field.
    4. Add your GitHub OAuth client secret to the Client Secret field.
    5. Turn on the Trust Email option.
    6. Click the Save button.

  5. Add the identity provider mapper to the newly created identity provider.

    1. Click the Mapper tab.
    2. Click the Create button.
    3. Give a Name to the new mapper.
    4. Change the Mapper Type to Hardcoded Attribute.
    5. Set the User Attribute field to emailVerified.
    6. Set the User Attribute Value field to true.
    7. Click the Save button.
  6. From the GitHub Identity Provider Settings page, copy the Redirect URI value and paste it to your GitHub OAuth app Authorization Callback URL field. Also, paste this same value into the Homepage URL field, but remove the broker/github/endpoint part of the URL string.
  7. Click Update Application. You can now sign commits, and containers by using GitHub as your OIDC provider.
  8. When signing artifacts, a web browser opens and prompts you to sign in to your Red Hat SSO account. Click the GitHub button to sign in with your credentials.
  9. Click the Authorize button to enable GitHub user details to be accessible by Red Hat SSO.

Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.