7.2. 在 Red Hat Developer Hub 中使用 Amazon Cognito 作为身份验证供应商

先决条件

• 您有一个 User Pool，或者您已创建一个新池。有关用户池的更多信息，请参阅 Amazon Cognito 用户池 文档。

  注意

  确保您已记下用户池所在的 AWS 区域，以及用户池 ID。

• 您已在用户池中创建了 App Client 来集成托管 UI。如需更多信息，请参阅使用 Amazon Cognito 控制台设置托管 UI。

  当使用 Amazon Cognito 控制台设置托管 UI 时，请确保进行以下调整：

  1. 在 Allowed callback URL (s) 部分中，包含 URL https://<rhdh_url>/api/auth/oidc/handler/frame。确保将 &lt ;rhdh_url > 替换为您的 Developer Hub 应用程序的 URL，如 my.rhdh.example.com。
  2. 同样，在 Allowed sign-out URL (s) 部分中，添加 https://<rhdh_url>。将 <rhdh_url > 替换为您的 Developer Hub 应用程序的 URL，如 my.rhdh.example.com。
  3. 在 OAuth 2.0 授权类型 下，选择 Authorization code grant 以返回授权代码。

  4. 在 OpenID Connect 范围 下，确保至少选择以下范围：

     • OpenID
     • profile
     • 电子邮件

  Helm 部署

  流程

  1. 编辑或创建自定义 app-config-rhdh ConfigMap，如下所示：

     apiVersion: v1
     kind: ConfigMap
     metadata:
       name: app-config-rhdh
     data:
       "app-config-rhdh.yaml": |
         # --- Truncated ---
         app:
           title: Red Hat Developer Hub
     
         signInPage: oidc
         auth:
           environment: production
           session:
             secret: ${AUTH_SESSION_SECRET}
           providers:
             oidc:
               production:
                 clientId: ${AWS_COGNITO_APP_CLIENT_ID}
                 clientSecret: ${AWS_COGNITO_APP_CLIENT_SECRET}
                 metadataUrl: ${AWS_COGNITO_APP_METADATA_URL}
                 callbackUrl: ${AWS_COGNITO_APP_CALLBACK_URL}
                 scope: 'openid profile email'
                 prompt: auto

     Copy to Clipboard Toggle word wrap

  2. 使用以下模板编辑或创建自定义 secret-rhdh Secret：

     apiVersion: v1
     kind: Secret
     metadata:
       name: secrets-rhdh
     stringData:
       AUTH_SESSION_SECRET: "my super auth session secret - change me!!!"
       AWS_COGNITO_APP_CLIENT_ID: "my-aws-cognito-app-client-id"
       AWS_COGNITO_APP_CLIENT_SECRET: "my-aws-cognito-app-client-secret"
       AWS_COGNITO_APP_METADATA_URL: "https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration"
       AWS_COGNITO_APP_CALLBACK_URL: "https://[rhdh_dns]/api/auth/oidc/handler/frame"

     Copy to Clipboard Toggle word wrap

  3. 在 values.yaml 文件中添加 ConfigMap 和 Secret 资源的引用：

     upstream:
       backstage:
         image:
           pullSecrets:
           - rhdh-pull-secret
         podSecurityContext:
           fsGroup: 2000
         extraAppConfig:
           - filename: app-config-rhdh.yaml
             configMapRef: app-config-rhdh
         extraEnvVarsSecrets:
           - secrets-rhdh

     Copy to Clipboard Toggle word wrap

  4. 升级 Helm 部署：

     helm upgrade rhdh \
       openshift-helm-charts/redhat-developer-hub \
       [--version 1.2.6] \
       --values /path/to/values.yaml

     Copy to Clipboard Toggle word wrap

  Operator 支持的部署

  1. 将以下代码添加到 app-config-rhdh ConfigMap 中：

     apiVersion: v1
     kind: ConfigMap
     metadata:
       name: app-config-rhdh
     data:
       "app-config-rhdh.yaml": |
         # --- Truncated ---
     
         signInPage: oidc
         auth:
           # Production to disable guest user login
           environment: production
           # Providing an auth.session.secret is needed because the oidc provider requires session support.
           session:
             secret: ${AUTH_SESSION_SECRET}
           providers:
             oidc:
               production:
                 # See https://github.com/backstage/backstage/blob/master/plugins/auth-backend-module-oidc-provider/config.d.ts
                 clientId: ${AWS_COGNITO_APP_CLIENT_ID}
                 clientSecret: ${AWS_COGNITO_APP_CLIENT_SECRET}
                 metadataUrl: ${AWS_COGNITO_APP_METADATA_URL}
                 callbackUrl: ${AWS_COGNITO_APP_CALLBACK_URL}
                 # Minimal set of scopes needed. Feel free to add more if needed.
                 scope: 'openid profile email'
     
                 # Note that by default, this provider will use the 'none' prompt which assumes that your are already logged on in the IDP.
                 # You should set prompt to:
                 # - auto: will let the IDP decide if you need to log on or if you can skip login when you have an active SSO session
                 # - login: will force the IDP to always present a login form to the user
                 prompt: auto

     Copy to Clipboard Toggle word wrap

  2. 将以下代码添加到 secret-rhdh Secret 中：

     apiVersion: v1
     kind: Secret
     metadata:
       name: secrets-rhdh
     stringData:
       # --- Truncated ---
     
       # TODO: Change auth session secret.
       AUTH_SESSION_SECRET: "my super auth session secret - change me!!!"
     
       # TODO: user pool app client ID
       AWS_COGNITO_APP_CLIENT_ID: "my-aws-cognito-app-client-id"
     
       # TODO: user pool app client Secret
       AWS_COGNITO_APP_CLIENT_SECRET: "my-aws-cognito-app-client-secret"
     
       # TODO: Replace region and user pool ID
       AWS_COGNITO_APP_METADATA_URL: "https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration"
     
       # TODO: Replace <rhdh_dns>
       AWS_COGNITO_APP_CALLBACK_URL: "https://[rhdh_dns]/api/auth/oidc/handler/frame"

     Copy to Clipboard Toggle word wrap

  3. 确保您的自定义资源包含对 app-config-rhdh ConfigMap 和 secrets-rhdh Secret 的引用：

     apiVersion: rhdh.redhat.com/v1alpha1
     kind: Backstage
     metadata:
      # TODO: this the name of your Developer Hub instance
       name: my-rhdh
     spec:
       application:
         imagePullSecrets:
         - "rhdh-pull-secret"
         route:
           enabled: false
         appConfig:
           configMaps:
             - name: "app-config-rhdh"
         extraEnvs:
           secrets:
             - name: "secrets-rhdh"

     Copy to Clipboard Toggle word wrap

  4. 可选：如果您有一个由自定义资源支持的现有 Developer Hub 实例，且没有编辑它，您可以手动删除 Developer Hub 部署以使用 Operator 重新创建它。运行以下命令以删除 Developer Hub 部署：

     kubectl delete deployment -l app.kubernetes.io/instance=<CR_NAME>

     Copy to Clipboard Toggle word wrap