Authenticate Openshift Console with RH-SSO
#google , #rh-sso , #keycloak , #ansible , #authentication , #authorization
Install based on OpenShift 3.7. Will probably work on other similar versions.
Be aware of default permissions on your platform.
Be aware of the implications of using Google as an Identity Broker.
Master and Node Configuration:
Here is a great step-by-step example workflow in the official Red Hat documentation:
Edit /etc/origin/master/master-config.yaml
identityProviders:
- challenge: true
  login: true
  name: htpasswd_auth
  provider:
    apiVersion: v1
    file: /etc/origin/openshift-passwd
    kind: HTPasswdPasswordIdentityProvider
- name: rh_sso
  challenge: false
  login: true
  mappingInfo: add
  provider:
    apiVersion: v1
    kind: OpenIDIdentityProvider
    clientID: openshift-demo
    clientSecret: 7b0384a2-b832-16c5-9d73-2957842e89h7
    ca: xpaas.crt
    urls:
      authorize: https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/protocol/openid-connect/auth
      token: https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/protocol/openid-connect/token
      userInfo: https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/protocol/openid-connect/userinfo
    claims:
      id:
      - sub
      preferredUsername:
      - preferred_username
      name:
      - name
      email:
      - email
The above link is a great resource for modifying your OpenShift cluster if you did a basic install and want to manually update every master node. But that’s just silly. I hope you performed the advanced install with Ansible. In that case, you will need an entry in your inventory file such as the one below.
# OpenID auth
#openshift_master_identity_providers=[{"name": "openid_auth", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "my_client_id", "client_secret": "my_client_secret", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://myidp.example.com/oauth2/authorize", "token": "https://myidp.example.com/oauth2/token"}, "ca": "my-openid-ca-bundle.crt"}]
# OpenID auth
openshift_master_identity_providers=[{"name": "rh-sso", "login": "true", "challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "ocp", "client_secret": "SOME_SECRET_CODE", "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://sso.apps.example.com/auth/realms/ocp/protocol/openid-connect/auth", "token": "https://sso.apps.example.com/auth/realms/ocp/protocol/openid-connect/token", "userInfo": "https://sso.apps.example.com/auth/realms/ocp/protocol/openid-connect/userinfo"}, "ca": "ocp-sso.pem"}]
#
# Configure OpenID CA certificate
# Specify either the ASCII contents of the certificate or the path to
# the local file that will be copied to the remote host. CA
# certificate contents will be copied to master systems and saved
# within /etc/origin/master/ with a filename matching the "ca" key set
# within the OpenIDIdentityProvider.
#
openshift_master_openid_ca=INSERT_CA_ONE_LINE_OR_PATH_HERE
Remember where you wrote your PEM file out as a one-liner? This is where it is useful: that one-liner is the value you set for openshift_master_openid_ca.
Now re-run your ansible playbook.
$ ansible-playbook -i inventory-file playbooks/byo/openshift-master/config.yml
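Before re-running the playbook it is worth sanity-checking the identity-provider entry, since a typo here silently weakens console login. The following is an added example, not part of the original post or of openshift-ansible: it parses an openshift_master_identity_providers inventory line (the JSON list shown above) and flags the mistakes that matter for an OpenID provider. The sample line is constructed for the example and deliberately contains a plain-http userInfo URL, an empty ca and a placeholder client_secret.

```python
import json

# Constructed sample inventory line, modelled on the page's entry but with three
# deliberate weaknesses: plain-http userInfo URL, empty ca, placeholder secret.
SAMPLE_LINE = (
    'openshift_master_identity_providers=[{"name": "rh-sso", "login": "true", '
    '"challenge": "false", "kind": "OpenIDIdentityProvider", "client_id": "ocp", '
    '"client_secret": "SOME_SECRET_CODE", '
    '"claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], '
    '"name": ["name"], "email": ["email"]}, '
    '"urls": {"authorize": "https://sso.apps.example.com/auth/realms/ocp/protocol/openid-connect/auth", '
    '"token": "https://sso.apps.example.com/auth/realms/ocp/protocol/openid-connect/token", '
    '"userInfo": "http://sso.apps.example.com/auth/realms/ocp/protocol/openid-connect/userinfo"}, '
    '"ca": ""}]'
)
# Values from the stock inventory comments that must never reach a real cluster.
PLACEHOLDER_SECRETS = {"", "SOME_SECRET_CODE", "my_client_secret"}

def parse_identity_providers(line):
    """Parse 'openshift_master_identity_providers=[...]' and return the provider list."""
    key, _, value = line.partition("=")
    if key.strip() != "openshift_master_identity_providers":
        raise ValueError("not an openshift_master_identity_providers line")
    return json.loads(value)

def audit_openid_provider(p):
    """Return human-readable findings for one OpenIDIdentityProvider entry."""
    findings = []
    if p.get("kind") != "OpenIDIdentityProvider":
        return findings
    urls = p.get("urls", {})
    for required in ("authorize", "token"):
        if required not in urls:
            findings.append(f"missing required url: {required}")
    for name, url in urls.items():
        if not url.startswith("https://"):
            findings.append(f"url {name} is not https: {url}")
    if p.get("challenge", "false") != "false":
        findings.append("challenge must be false: the OpenID provider is redirect-only")
    if not p.get("ca"):
        findings.append("ca is empty: the master would fall back to system trust roots")
    if p.get("client_secret", "") in PLACEHOLDER_SECRETS:
        findings.append("client_secret is empty or a placeholder")
    if p.get("claims", {}).get("id") != ["sub"]:
        findings.append("identity claim should be the stable 'sub' claim")
    return findings

def audit_inventory_line(line):
    """Map each provider name to its findings; an empty list means the entry passed."""
    return {p["name"]: audit_openid_provider(p) for p in parse_identity_providers(line)}
```

Run audit_inventory_line over the real line from your inventory (read the file and pick the line starting with openshift_master_identity_providers) and fix every finding before the playbook copies the configuration to the masters.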