Delegating authentication to OpenShift
Authenticate with Red Hat OpenShift.
If you are installing your product on an environment that uses the built-in OpenShift OAuth server, you can use the OpenShift OAuth server for authentication.
Authentication with OpenShift is enabled by default. You can disable it, if required.
Note: If you are upgrading your cluster, the authentication configuration is not changed after the upgrade. For example, if you did not configure OpenShift authentication in the previous release, the OpenShift authentication is not enabled after you upgrade.
Updating OpenShift authentication before you install the IAM Operator
Complete the following steps to update the OpenShift authentication parameters. You must complete these steps after you install the IBM Cloud Pak foundational services operator, but before you install the foundational services in your cluster:
- From your Red Hat® OpenShift® Container Platform console, click Operators > Installed Operators.
- Search for IBM Cloud Pak foundational services and click the IBM Cloud Pak foundational services operator name to open the Details tab for the operator.
- Select the Common Service tab. You see an instance of the CommonService that is installed in your cluster.
- Edit the
common-service
instance. - In the YAML file, scroll down to
spec.services.ibm-iam-operator.spec.authentication.config
section.
Note: Create the spec.services.ibm-iam-operator.spec.authentication.config
section if it does not exist.
The following example shows the spec.services.ibm-iam-operator.spec.authentication.config
section in the YAML file:
```
apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
name: common-service
namespace: ibm-common-services
spec:
size: ...
...
services:
- name: ibm-iam-operator
spec:
authentication:
config:
roksEnabled: false
roksURL: <endpoint url>
roksUserPrefix: 'IAM#'
```
-
Update the values of the following parameters:
roksEnabled:
Set tofalse:
to disable authentication with Red Hat OpenShift. The default value istrue
.roksURL:
The public service endpoint URL of your public cloud cluster. Use the following command to get the endpoint URL.roksUserPrefix:
Prefix to be used with the username. When you access your cluster console or CLI, you use the prefix along with the username to authenticate with OpenShift. The default value is""
. If you are using IAM with Red Hat® OpenShift® Kubernetes Service in the IBM Cloud, you must set the prefix toIAM#
.
Note: You need
jq
to run the following command. To installjq
, see Download jq.curl -sk https://<server-URL>/.well-known/oauth-authorization-server | jq -r '.issuer'
For example,
- Code sample:
curl -sk https://api.par-test.os.fyre.ibm.com:6443/.well-known/oauth-authorization-server | jq -r '.issuer'
- Output of the code sample:
https://oauth-openshift.apps.par-test.os.fyre.ibm.com
.
The following shows a configuration of the
ibm-iam-operator
with the OpenShift authentication configuration in the CommonService YAML file:- name: ibm-iam-operator spec: authentication: config: roksEnabled: true roksURL: 'https://oauth-openshift.apps.par-test.os.fyre.ibm.com' roksUserPrefix: 'IAM#' oidcclientwatcher: {} pap: {} policycontroller: {} policydecision: {} secretwatcher: {} securityonboarding: {}
-
Save the YAML file.
When you access your product console, you can see the OpenShift authentication as a login option.
Changing the default cloud pak administrator
The IBM Cloud Pak foundational services installation creates a default admin
user, who is a cluster administrator. If you are delegating authentication to OpenShift, you can customize the default openshift username by using the bootstrapUserId
parameter. This user will have the cloud pak administrator access.
To add the bootstrapUserId
parameter before IAM service installation, see Assigning the cloud pak administrator privileges to an OpenShift user.
To add the bootstrapUserId
parameter after IAM service installation, complete these steps:
-
Log in to your infrastructure node by using the
oc login
command. -
Edit the
platform-auth-idp
configmap.oc edit cm platform-auth-idp --n ibm-common-services
In the
data
section, the"BOOTSTRAP_USERID"
is set tokubeadmin
by default. Changekubeadmin
to the OpenShift user who you want to make the cloud pak administrator. -
Restart the
auth-idp
pod by deleting it.-
Get the
auth-idp
pod name.oc get pods -n ibm-common-services | grep auth-idp
Following is a sample output:
auth-idp-785df784f5-qcx4z 4/4 Running 0 39d
-
Delete the
auth-idp
pod.oc delete pod <auth-idp-pod-name> -n ibm-common-services
After the pod restarts, the OpenShift user can access the cluster with cloud pak administrator privileges.
-
Updating OpenShift authentication after you install the IAM operator
If you installed the ibm-iam-operator
in your cluster with OpenShift authentication enabled, and you want to disable OpenShift authentication or you want to update the parameters, complete the following steps:
- Follow the steps in Updating OpenShift authentication before you install the IAM Operator to either provide the OpenShift authentication parameters or to disable the authentication.
- Restart the following pods. You can restart the pods by deleting them from your Red Hat® OpenShift® Container Platform console Workloads > Pods page.
auth-pdp
common-web-ui
auth-idp
oidcclient-watcher
Clear the browser cache and access your product console login page.
IAM integration with Red Hat® OpenShift® Kubernetes Service in the IBM Cloud
If you are using IAM with Red Hat® OpenShift® Kubernetes Service in the IBM Cloud, there are some known limitations to consider:
- The
cloudctl login
command does function for OpenShift IBMid users. These users might need to log in to the console to obtain the Kubectl context for completing CLI operations, such as runningcloudctl
commands. - Searching for groups in a Red Hat® OpenShift® Kubernetes Service environment to add users to a team is not supported. You can search for only users in an Red Hat® OpenShift® Kubernetes Service environment to add to a team for authorization purposes. Even after an LDAP group synchronization, you can search for only users from an Red Hat® OpenShift® Kubernetes Service environment with IAM for adding users to teams. You cannot search or add groups.
- Delegating authentication to multiple providers that use different
user_prefix
values at the same time is not supported. For a Red Hat® OpenShift® Kubernetes Service in the IBM Cloud cluster, you can delegate authentication to either the default IBMid provider or the LDAP provider, but not both as theROKS_USER_PREFIX
value is used for all users. - For user authorization, add users to teams either by searching for the users, or set rolebinding or clusterrolebinding for the users on the Red Hat® OpenShift® Kubernetes Service environment in the IBM Cloud platform.
- Configuring the OpenShift server URL as the
ROKS_URL
might be a different procedure across OpenShift versions.