Customizing the cluster access URL
Customize the Uniform Resource Locator (URL) that you use to log in to the IBM® Cloud Private cluster management console.
Supported customization formats
The following customization formats are supported:
- https://<Public IP>:8443/console
- https://<Public IP>:8443/console/
- https://<Private IP>:8443/console/
- https://<Private IP>:custom-port/console/
- https://<host name>:8443/console
- https://<host name>:custom-port/console
- https://localhost:8443/console
- https://localhost:<custom port>/console
- https://<Regex host name>:8443/console
- https://<Regex IP>:8443/console
- https://<Regex host name>:<custom port>/console
- https://<Regex IP>:<custom port>/console
- https://<Regex host name>:<Regex port>/console
- https://<Regex IP>:<Regex Port>/console
Required user type or access level: Cluster administrator
Customize the cluster access URL
Complete the following tasks on the boot node of your IBM Cloud Private cluster.
- Log in to the boot node as a user with root permissions.
- Set up the kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
- Copy the content that is in the registration-json configmap into the file registration.yaml:

    kubectl get cm registration-json -n kube-system -o yaml > registration.yaml

  The registration.yaml file content resembles the following code:

    apiVersion: v1
    data:
      platform-oidc-registration.json: |
        {
          "token_endpoint_auth_method":"client_secret_basic",
          "client_id": "d2a00fc99163f85169ac7c6de758bad1",
          "client_secret": "01661d22bd0b2025fd87e26e994a4894",
          "scope":"openid profile email",
          "grant_types":[
            "authorization_code",
            "client_credentials",
            "password",
            "implicit",
            "refresh_token",
            "urn:ietf:params:oauth:grant-type:jwt-bearer"
          ],
          "response_types":[
            "code",
            "token",
            "id_token token"
          ],
          "application_type":"web",
          "subject_type":"public",
          "post_logout_redirect_uris":[
            "https://10.10.25.213:8443/console/logout",
            "https://9.37.239.32:8443/console/logout",
            "https://mycluster.icp:8443/console/logout"
          ],
          "introspect_tokens":true,
          "trusted_uri_prefixes":[
            "https://10.10.25.213:8443",
            "https://9.37.239.32:8443",
            "https://mycluster.icp:8443"
          ],
          "redirect_uris":[
            "https://10.10.25.213:8443/auth/liberty/callback",
            "https://9.37.239.32:8443/auth/liberty/callback",
            "https://mycluster.icp:8443/auth/liberty/callback",
            "https://mycluster.icp:8443/oidc/endpoint/OP"
          ]
        }
    kind: ConfigMap
    metadata:
      creationTimestamp: 2018-06-06T11:53:21Z
      name: registration-json
      namespace: kube-system
      resourceVersion: "1255"
      selfLink: /api/v1/namespaces/kube-system/configmaps/registration-json
      uid: 3620b003-6980-11e8-9420-fa163ea0dafe
- Create a platform-oidc-registration.json file. Place the file in the <installation directory>/cluster/cfc-components/ folder.
- Copy the content that is in the data: section of the registration.yaml file into the platform-oidc-registration.json file. The platform-oidc-registration.json file content resembles the following code:

    {
      "token_endpoint_auth_method":"client_secret_basic",
      "client_id": "d2a00fc99163f85169ac7c6de758bad1",
      "client_secret": "01661d22bd0b2025fd87e26e994a4894",
      "scope":"openid profile email",
      "grant_types":[
        "authorization_code",
        "client_credentials",
        "password",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "response_types":[
        "code",
        "token",
        "id_token token"
      ],
      "application_type":"web",
      "subject_type":"public",
      "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout",
        "https://9.37.239.32:8443/console/logout",
        "https://mycluster.icp:8443/console/logout"
      ],
      "preauthorized_scope":"openid profile email general",
      "introspect_tokens":true,
      "trusted_uri_prefixes":[
        "https://10.10.25.213:8443",
        "https://9.37.239.32:8443",
        "https://mycluster.icp:8443"
      ],
      "redirect_uris":[
        "https://10.10.25.213:8443/auth/liberty/callback",
        "https://9.37.239.32:8443/auth/liberty/callback",
        "https://mycluster.icp:8443/auth/liberty/callback",
        "https://mycluster.icp:8443/oidc/endpoint/OP"
      ]
    }
- Add the following piece of code to the platform-oidc-registration.json file:

    "allow_regexp_redirects":"true",

  The updated code resembles the following text:

    {
      "token_endpoint_auth_method":"client_secret_basic",
      "client_id": "d2a00fc99163f85169ac7c6de758bad1",
      "client_secret": "01661d22bd0b2025fd87e26e994a4894",
      "scope":"openid profile email",
      "allow_regexp_redirects":"true",          <==========
      "grant_types":[
        "authorization_code",
        "client_credentials",
        "password",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
    ...
- Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add. Each entry has the following form:

    "<regexp>:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",

  Add the <regexp>: prefix only if you are using a regex in the custom URI. Consider the following example URIs that you want to use to access the cluster:

  - Use the master node IP address and any port that starts with 84. You would then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
  - Use the host name example.abc.com and port 4002. You would then add "https://example.abc.com:4002/auth/liberty/callback".
  - Use a variable host name and a dynamic port assignment. You would then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

  Note: Port changes are not supported in the IBM® Cloud Private 3.1.2 release.

  If you added the example custom URIs, the updated code would resemble the following text:

    ...
      "application_type":"web",
      "subject_type":"public",
      "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout",
        "https://9.37.239.32:8443/console/logout",
        "https://mycluster.icp:8443/console/logout"
      ],
      "preauthorized_scope":"openid profile email general",
      "introspect_tokens":true,
      "trusted_uri_prefixes":[
        "https://10.10.25.213:8443",
        "https://9.37.239.32:8443",
        "https://mycluster.icp:8443"
      ],
      "redirect_uris":[
        "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",           <==========
        "https://example.abc.com:4002/auth/liberty/callback",                  <==========
        "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",    <==========
        "https://10.10.25.213:8443/auth/liberty/callback",
        "https://9.37.239.32:8443/auth/liberty/callback",
        "https://mycluster.icp:8443/auth/liberty/callback",
        "https://mycluster.icp:8443/oidc/endpoint/OP"
      ]
    }
- Save and exit the file.
- Save the client ID, client secret, and access IP to the following variables:
  - Save the client secret:

      OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep OAUTH2_CLIENT_REGISTRATION_SECRET | awk '{ print $2}' | base64 --decode)

  - Save the client ID:

      WLP_CLIENT_ID=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)

  - Save the access IP:

      FIP=<master node IP address>

- Apply the changes that you made to the platform-oidc-registration.json file:

    curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/cluster/cfc-components/platform-oidc-registration.json https://$FIP:8443/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
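The "redirect_uris" entries decide where the OpenID Connect provider is willing to send an authorization code, so a regexp entry that is broader than you intended lets a code be delivered to a host you did not mean to trust. The following Python script is an added example, not part of IBM Cloud Private or of the procedure above: it models how the entries from the example file could be evaluated so that you can audit them before applying the registration. It assumes that a regexp: entry must match the whole candidate URI, that the page's !d shorthand stands for one decimal digit, that every other entry must match exactly, and that Liberty treats the value as a standard regular expression (so a tightened pattern with escaped dots would be written with doubled backslashes inside the JSON file). Confirm those assumptions against the Liberty OpenID Connect documentation, since the real matching is done by Liberty, not by this script.

```python
import re

# Constructed sample: the "redirect_uris" list as it stands after the edits
# described on this page (the three added entries plus the original ones).
SAMPLE_REDIRECT_URIS = [
    "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
    "https://example.abc.com:4002/auth/liberty/callback",
    "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
    "https://10.10.25.213:8443/auth/liberty/callback",
    "https://9.37.239.32:8443/auth/liberty/callback",
    "https://mycluster.icp:8443/auth/liberty/callback",
    "https://mycluster.icp:8443/oidc/endpoint/OP",
]

# Assumed tightened form of the third entry: the dots are escaped so that they
# match only a literal ".", and "+" requires at least one character.
# Assumption: Liberty reads the value as a standard regular expression; inside
# the JSON file each backslash would have to be written as "\\".
TIGHTENED_HOST_PATTERN = (
    r"regexp:https://example\.[a-z]+\.com:[0-9]+/auth/liberty/callback"
)


def compile_entry(entry):
    """Turn one redirect_uris entry into a predicate over candidate URIs.

    Assumptions (this models the page's description, not Liberty's code):
      * an entry prefixed with "regexp:" is a regular expression that must
        match the whole candidate URI;
      * the page's "!d" shorthand means one decimal digit;
      * any other entry must equal the candidate exactly.
    """
    if entry.startswith("regexp:"):
        pattern = entry[len("regexp:"):].replace("!d", r"\d")
        compiled = re.compile(pattern)
        return lambda uri: compiled.fullmatch(uri) is not None
    return lambda uri: uri == entry


def is_allowed_redirect(uri, redirect_uris=SAMPLE_REDIRECT_URIS):
    """True when at least one configured entry accepts the candidate URI."""
    return any(compile_entry(entry)(uri) for entry in redirect_uris)


def accepted_probes(entry, probes):
    """Return the probe URIs that a single entry accepts.

    Run this over host names you do *not* intend to trust: every probe that
    comes back is a redirect target the pattern would let through.
    """
    accept = compile_entry(entry)
    return [probe for probe in probes if accept(probe)]


if __name__ == "__main__":
    # Constructed probes: the intended host plus look-alikes that differ only
    # where the page's pattern uses an unescaped "." (any single character).
    probes = [
        "https://example.abc.com:4002/auth/liberty/callback",
        "https://example-abc-com:443/auth/liberty/callback",
        "https://examples.abc.com:4002/auth/liberty/callback",
    ]
    loose = "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback"
    print("loose pattern accepts:    ", accepted_probes(loose, probes))
    print("tightened pattern accepts:", accepted_probes(TIGHTENED_HOST_PATTERN, probes))
    print("port 8499 allowed:", is_allowed_redirect(
        "https://10.10.25.213:8499/auth/liberty/callback"))
    print("port 8500 allowed:", is_allowed_redirect(
        "https://10.10.25.213:8500/auth/liberty/callback"))
```

Running the script shows the difference the escaping makes: the page's pattern accepts both example.abc.com and the look-alike example-abc-com, because each unescaped "." matches any character, while the tightened pattern accepts only the intended host. The same audit applies to the port part: "[0-9]*" admits every port, whereas "84!d!d" admits only 8400 through 8499.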
Edit allowed host headers
If you have changed the host name that you use to access the cluster, you must also modify the allowed host headers in the DaemonSet icp-management-ingress.
- Edit the DaemonSet icp-management-ingress by running the following command:

    kubectl edit ds -n kube-system icp-management-ingress

- Edit the environment variable ALLOWED_HOST_HEADERS in the DaemonSet. For example, to add the new host name mycluster.icp.new to the cluster access URL, change the environment variable from:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp icp-management-ingress icp-management-ingress.kube-system

  to:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp mycluster.icp.new icp-management-ingress icp-management-ingress.kube-system

The icp-management-ingress pod restarts.
Now, you can access the management console with the new URL.
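ALLOWED_HOST_HEADERS is an allowlist of host names that icp-management-ingress accepts in the Host header of incoming requests, which is why a new host name has to be added there as well as to the OIDC registration. The following Python is an added example, not the ingress's own code: it models that check over the sample value above, handling the ":8443" port suffix that a browser sends, case differences, and a bracketed IPv6 literal. How the real ingress compares the header (here: exact match on the host part, so a longer look-alike name is refused) is an assumption of this example.

```python
# Constructed sample: the ALLOWED_HOST_HEADERS value after the edit described
# above, with the new host name mycluster.icp.new added.
SAMPLE_ALLOWED_HOST_HEADERS = (
    "10.10.25.213 9.37.239.32 mycluster.icp mycluster.icp.new "
    "icp-management-ingress icp-management-ingress.kube-system"
)


def parse_allowed_hosts(value):
    """Split the space-separated environment value into lower-case host names."""
    return {name.lower() for name in value.split()}


def host_from_header(host_header):
    """Extract the host part of a Host header, dropping any port suffix.

    Handles a bracketed IPv6 literal ("[::1]:8443"), a name or IPv4 address
    followed by a port ("mycluster.icp:8443"), and a bare host name.
    """
    value = host_header.strip().lower()
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    if value.count(":") == 1:
        return value.split(":", 1)[0]
    return value


def host_header_allowed(host_header, allowed_value=SAMPLE_ALLOWED_HOST_HEADERS):
    """Return True when the Host header names one of the allowed hosts.

    Assumption (this models the setting, not the ingress's own logic): the
    comparison is exact on the host part, so a longer look-alike such as
    mycluster.icp.example.test is refused rather than prefix-matched.
    """
    return host_from_header(host_header) in parse_allowed_hosts(allowed_value)


if __name__ == "__main__":
    # Constructed requests: the new name with the port a browser appends, a
    # look-alike name, and the new name checked against the old allowlist.
    old_value = "10.10.25.213 9.37.239.32 mycluster.icp"
    print("mycluster.icp.new:8443 ->", host_header_allowed("mycluster.icp.new:8443"))
    print("mycluster.icp.example.test ->", host_header_allowed("mycluster.icp.example.test"))
    print("before the edit ->", host_header_allowed("mycluster.icp.new", old_value))
```

The last line of the demonstration is the failure mode this section exists to prevent: with the old value still in place, requests that arrive for mycluster.icp.new are refused even though the OIDC registration already accepts that host.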