Delegating authentication to OpenShift

Authenticate with Red Hat OpenShift.

If you are installing your product on an environment that uses the built-in OpenShift OAuth server, you can use the OpenShift OAuth server for authentication.

Note: In foundational services version 4.x.x, OpenShift authentication is enabled by default. You can disable it by using Identity Provider V3 API. To disable the OpenShift authentication, see Disabling OpenShift authentication by using IdP V3 API.

Note: If you are upgrading your cluster, the authentication configuration is not changed after the upgrade. For example, if you did not configure OpenShift authentication in the previous release, the OpenShift authentication is not enabled after you upgrade.

Updating OpenShift authentication before you install the IM Operator

Complete the following steps to update the OpenShift authentication parameters. You must complete these steps after you install the IBM Cloud Pak foundational services operator, but before you install the foundational services in your cluster:

1. From your OpenShift Container Platform console, click Operators > Installed Operators.
2. Search for IBM Cloud Pak foundational services and click the IBM Cloud Pak foundational services operator name to open the Details tab for the operator.
3. Select the Common Service tab. You see an instance of the CommonService that is installed in your cluster.
4. Edit the common-service instance.

5. In the YAML file, scroll down to spec.services.ibm-im-operator.spec.authentication.config section.

   Note: Create the spec.services.ibm-im-operator.spec.authentication.config section if it does not exist.

   The following example shows the spec.services.ibm-im-operator.spec.authentication.config section in the YAML file:

     apiVersion: operator.ibm.com/v3
     kind: CommonService
     metadata:
       name: common-service
       namespace: <your-foundational-services-namespace>
     spec:
     size: ...
       ...
       services:
        - name: ibm-im-operator
          spec:
            authentication:
             config:
              roksEnabled: false
              roksURL: <endpoint url>
              roksUserPrefix: 'IAM#'
   

6. Update the values of the following parameters:

   • roksEnabled: Set to false: to disable authentication with Red Hat OpenShift. The default value is true.
   • roksURL: The public service endpoint URL of your public cloud cluster. Use the following command to get the endpoint URL.
   • roksUserPrefix: Prefix to be used with the username. When you access your cluster console or CLI, you use the prefix along with the username to authenticate with OpenShift. The default value is "". If you are using IM with Red Hat OpenShift Kubernetes Service in the IBM Cloud, you must set the prefix to IAM#.

   Note: You need jq to run the following command. To install jq, see Download jq.

   curl -sk https://<server-URL>/.well-known/oauth-authorization-server | jq -r '.issuer'
   

   For example:

   curl -sk https://api.par-test.os.fyre.ibm.com:6443/.well-known/oauth-authorization-server | jq -r '.issuer'
   

   Following is a sample output:

    https://oauth-openshift.apps.par-test.os.fyre.ibm.com
   

   The following shows a configuration of the ibm-im-operator with the OpenShift authentication configuration in the CommonService YAML file:

   - name: ibm-im-operator
       spec:
         authentication:
           config:
             roksEnabled: true
             roksURL: 'https://oauth-openshift.apps.par-test.os.fyre.ibm.com'
             roksUserPrefix: 'IAM#'
   

7. Save the YAML file.

When you access your product console, you can see the OpenShift authentication as a login option.

Changing the default cloud pak administrator

The IBM Cloud Pak foundational services installation creates a default admin user, who is a administrator. If you are delegating authentication to OpenShift, you can customize the default openshift username by using the bootstrapUserId parameter. This user will have the cloud pak administrator access.

To add the bootstrapUserId parameter before IM service installation, see Assigning the cloud pak administrator privileges to an OpenShift user.

To add the bootstrapUserId parameter after IM service installation, complete these steps:

1. Log in to your infrastructure node by using the oc login command.

2. Edit the platform-auth-idp configmap.

   oc edit cm platform-auth-idp -n <your-foundational-services-namespace>
   

   In the data section, the "BOOTSTRAP_USERID" is set to kubeadmin by default. Change kubeadmin to the OpenShift user who you want to make the cloud pak administrator.

3. Run the following CURL command to update default admin username:

    curl -X PUT 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idmgmt/identity/api/v1/users/defaultAdmin' \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json' \
        --header "Authorization: Bearer $ACCESS_TOKEN" \
        -d "{\"username\": \"${new_admin_username}\"}" \
        --insecure
   

4. Restart the platform-identity-provider and platform-auth-service pods by deleting them.

   1. Get the platform-identity-provider pod name and platform-auth-service pod name .

      oc get pods -n <your-foundational-services-namespace> | grep platform-identity-provider
      

      oc get pods -n <your-foundational-services-namespace> | grep platform-auth-service
      

1. Delete the platform-identity-provider pod and platform-auth-service pod.

   oc delete pod <platform-identity-management-pod-name> -n <your-foundational-services-namespace>
   

   oc delete pod <platform-auth-service-pod-name> -n <your-foundational-services-namespace>
   

After the pods restart, the OpenShift user can access with administrator privileges.