Customizing the cluster access URL

Customize the Uniform Resource Locator (URL) that you use to log in to the IBM® Cloud Private cluster management console.

Supported customization formats

The following customization formats are supported:

Required user type or access level: Cluster administrator

Customize the cluster access URL with cloudctl

Complete the following tasks on any node of your IBM Cloud Private cluster that has cloudctl and kubectl installed:

  1. Log in to cloudctl as a user with cluster administrator access.
  2. Save the client ID with the following command:

    WLP_CLIENT_ID=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)
    
  3. Get the platform-oidc-registration.json data with the following command:

    cloudctl iam oauth-client $WLP_CLIENT_ID  > platform-oidc-registration.json
    
  4. Update the platform-oidc-registration.json file with the following procedure:
    The content of the platform-oidc-registration.json file resembles the following text:

     OK    
     {
         "allow_regexp_redirects": false,
         "appPasswordAllowed": false,
         "appTokenAllowed": false,
         "application_type": "web",
         "client_id": "515da8f96cc161795a03b77b4129a3f3",
         "client_id_issued_at": 1559051605,
         "client_name": "515da8f96cc161795a03b77b4129a3f3",
         "client_secret": "*",
         "client_secret_expires_at": 0,
         "functional_user_groupIds": [],
         "grant_types": [
             "authorization_code",
             "client_credentials",
             "password",
             "implicit",
             "refresh_token",
             "urn:ietf:params:oauth:grant-type:jwt-bearer"
         ],
         "introspect_tokens": true,
         "post_logout_redirect_uris": [
             "https://10.21.9.140:8443/console/logout",
             "https://9.46.76.19:8443/console/logout",
             "https://mycluster.icp:8443/console/logout"
         ],
         "preauthorized_scope": "openid profile email general",
         "redirect_uris": [
             "https://10.21.9.140:8443/auth/liberty/callback",
             "https://9.46.76.19:8443/auth/liberty/callback",
             "https://mycluster.icp:8443/auth/liberty/callback",
             "https://127.0.0.1:8443/oidc/endpoint/OP"
         ],
         "registration_client_uri": "https://9.46.76.19:8443/oidc/endpoint/OP/registration/515da8f96cc161795a03b77b4129a3f3",
         "resource_ids": [],
         "response_types": [
             "code",
             "token",
             "id_token token"
         ],
         "scope": "openid profile email",
         "subject_type": "public",
         "token_endpoint_auth_method": "client_secret_basic",
         "trusted_uri_prefixes": [
             "https://10.21.9.140:8443/",
             "https://9.46.76.19:8443/",
             "https://mycluster.icp:8443/"
         ]
     }
    

    Update the file content based on the following instructions:

    • Delete the lines that are output-only fields or are non-JSON data. For example, you must remove the following text from the sample output:
      • OK
      • "client_id_issued_at": 1559051605
      • "registration_client_uri": "https://9.46.76.19:8443/oidc/endpoint/OP/registration/515da8f96cc161795a03b77b4129a3f3",
    • Ensure that "allow_regexp_redirects" is set to true.
      After you update the file, the content resembles the following text:
      {
      "allow_regexp_redirects": true,
      "appPasswordAllowed": false,
      "appTokenAllowed": false,
      "application_type": "web",
      "client_id": "515da8f96cc161795a03b77b4129a3f3", 
      "client_name": "515da8f96cc161795a03b77b4129a3f3",
      "client_secret": "*",
      "client_secret_expires_at": 0,
      "functional_user_groupIds": [],
      "grant_types": [
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "introspect_tokens": true,
      "post_logout_redirect_uris": [
          "https://10.21.9.140:8443/console/logout",
          "https://9.46.76.19:8443/console/logout",
          "https://mycluster.icp:8443/console/logout"
      ],
      "preauthorized_scope": "openid profile email general",
      "redirect_uris": [
          "https://10.21.9.140:8443/auth/liberty/callback",
          "https://9.46.76.19:8443/auth/liberty/callback",
          "https://mycluster.icp:8443/auth/liberty/callback",
          "https://127.0.0.1:8443/oidc/endpoint/OP"
      ],        
      "resource_ids": [],
      "response_types": [
          "code",
          "token",
          "id_token token"
      ],
      "scope": "openid profile email",
      "subject_type": "public",
      "token_endpoint_auth_method": "client_secret_basic",
      "trusted_uri_prefixes": [
          "https://10.21.9.140:8443/",
          "https://9.46.76.19:8443/",
          "https://mycluster.icp:8443/"
      ]
      }
      
  5. Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add. Your custom URI might resemble the following example:

    "<regexp>:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
    

    Note: Add <regexp>: only if you are using a regex in the custom URI.

    Consider the following example URIs that you want to use to access the cluster:

    • Use the master node IP address and any port that starts with 84, then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
    • Use the host name example.abc.com and port 4002, then add "https://example.abc.com:4002/auth/liberty/callback".
    • Use a variable host name and a dynamic port assignment, then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

    If you added the example custom URIs, the updated code resembles the following text:

    ...
    "application_type":"web",
    "subject_type":"public",
    "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
    "preauthorized_scope":"openid profile email general",
    "introspect_tokens":true,
    "trusted_uri_prefixes":[
      "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
    "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       <==========
      "https://example.abc.com:4002/auth/liberty/callback",         <==========
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",          <==========   
      "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
    }
    
  6. Run the following command to apply your changes:

    cloudctl iam oauth-client-update $WLP_CLIENT_ID -f platform-oidc-registration.json
    
  7. Update the registration-json configmap with the custom URIs. Make the same changes that you made to the platform-oidc-registration.json file.

    1. Open the registration-json configmap for editing.

      kubectl edit cm registration-json -n kube-system
      
    2. Add the following piece of code:

      "allow_regexp_redirects":"true",
      
    3. Add the custom URIs. If you added the example custom URIs, you would then add the following piece of code:

      "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       
      "https://example.abc.com:4002/auth/liberty/callback",        
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
      

Customize the cluster access URL with kubectl

Complete the following tasks on the boot node of your IBM Cloud Private cluster.

  1. Log in to the boot node as a user with root permissions.
  2. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  3. Copy the content that is in the registration-json configmap into the file registration.yaml.

    kubectl get cm registration-json -n kube-system -o yaml > registration.yaml
    

    The registration.yaml file content resembles the following code:

    apiVersion: v1
    data:
     platform-oidc-registration.json: |
       {
       "token_endpoint_auth_method":"client_secret_basic",
       "client_id": "d2a00fc99163f85169ac7c6de758bad1",
       "client_secret": "01661d22bd0b2025fd87e26e994a4894",
       "scope":"openid profile email",
       "grant_types":[
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ],
       "response_types":[
          "code",
          "token",
          "id_token token"
       ],
       "application_type":"web",
       "subject_type":"public",
       "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
       "introspect_tokens":true,
       "trusted_uri_prefixes":[
          "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
       "redirect_uris":[
          "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
       }
    kind: ConfigMap
    metadata:
     creationTimestamp: 2018-06-06T11:53:21Z
     name: registration-json
     namespace: kube-system
     resourceVersion: "1255"
     selfLink: /api/v1/namespaces/kube-system/configmaps/registration-json
     uid: 3620b003-6980-11e8-9420-fa163ea0dafe
    
  4. Create a platform-oidc-registration.json file. Place the file in the <installation directory>/cluster/cfc-components/ folder.

  5. Copy the content that is in the data: section of the registration.yaml file into the platform-oidc-registration.json file. The platform-oidc-registration.json file content resembles the following code:

      {
       "token_endpoint_auth_method":"client_secret_basic",
       "client_id": "d2a00fc99163f85169ac7c6de758bad1",
       "client_secret": "01661d22bd0b2025fd87e26e994a4894",
       "scope":"openid profile email",
       "grant_types":[
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ],
       "response_types":[
          "code",
          "token",
          "id_token token"
       ],
       "application_type":"web",
       "subject_type":"public",
       "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
       "preauthorized_scope":"openid profile email general",
       "introspect_tokens":true,
       "trusted_uri_prefixes":[
          "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
       "redirect_uris":[        
       "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
       }
    
  6. Add the following piece of code to the platform-oidc-registration.json file:

    "allow_regexp_redirects":"true",
    

    The updated code resembles the following text:

    {
     "token_endpoint_auth_method":"client_secret_basic",
     "client_id": "d2a00fc99163f85169ac7c6de758bad1",
     "client_secret": "01661d22bd0b2025fd87e26e994a4894",
     "scope":"openid profile email",
     "allow_regexp_redirects":"true",                               <==========
     "grant_types":[
        "authorization_code",
        "client_credentials",
        "password",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
        ...
    
  7. Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add.

    "<regexp>:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
    

    Add <regexp>: only if you are using a regex in the custom URI.

    Consider the following example URIs that you want to use to access the cluster:

    • Use the master node IP address and any port that starts with 84. You would then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
    • Use the host name example.abc.com and port 4002. You would then add "https://example.abc.com:4002/auth/liberty/callback".
    • Use a variable host name and a dynamic port assignment. You would then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

    If you added the example custom URIs, the updated code resembles the following text:

    ...
    "application_type":"web",
    "subject_type":"public",
    "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
    "preauthorized_scope":"openid profile email general",
    "introspect_tokens":true,
    "trusted_uri_prefixes":[
      "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
    "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       <==========
      "https://example.abc.com:4002/auth/liberty/callback",         <==========
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",          <==========   
      "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
    }
    
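The following Python script is an added example, not part of the IBM documentation: it applies the edits from steps 4 and 5 of the cloudctl procedure (and the equivalent steps 6 and 7 of this kubectl procedure) to a constructed, trimmed copy of the registration, and then reports which candidate callback URLs each redirect_uris entry would accept. It assumes that a literal entry must match exactly, that a regexp: entry is a full-string match, and that the page's !d stands for a digit class; the sample data below is constructed, not real cluster output.

```python
import json
import re

# Constructed sample of the cloudctl output from step 3, trimmed to the fields
# the procedure touches (not real cluster data).
CLOUDCTL_OUTPUT = """OK
{
    "allow_regexp_redirects": false,
    "client_id": "515da8f96cc161795a03b77b4129a3f3",
    "client_id_issued_at": 1559051605,
    "registration_client_uri": "https://9.46.76.19:8443/oidc/endpoint/OP/registration/515da8f96cc161795a03b77b4129a3f3",
    "redirect_uris": [
        "https://mycluster.icp:8443/auth/liberty/callback"
    ]
}"""

OUTPUT_ONLY_FIELDS = ("client_id_issued_at", "registration_client_uri")

def prepare_registration(raw: str, custom_uris: list) -> dict:
    """Apply the page's edits: drop the non-JSON 'OK' line and the output-only
    fields, enable regexp redirects, and prepend the custom redirect URIs."""
    body = raw.split("\n", 1)[1] if raw.startswith("OK") else raw
    reg = json.loads(body)
    for field in OUTPUT_ONLY_FIELDS:
        reg.pop(field, None)
    reg["allow_regexp_redirects"] = True
    reg["redirect_uris"] = list(custom_uris) + reg["redirect_uris"]
    return reg

def accepted_by(redirect_uris: list, candidate: str) -> list:
    """Return the entries that would accept `candidate`. Assumption: a literal
    entry must match exactly and a 'regexp:' entry is a full-string match,
    with the page's '!d' read as a digit class (\\d)."""
    hits = []
    for entry in redirect_uris:
        if entry.startswith("regexp:"):
            pattern = entry[len("regexp:"):].replace("!d", r"\d")
            if re.fullmatch(pattern, candidate):
                hits.append(entry)
        elif entry == candidate:
            hits.append(entry)
    return hits

# The three example custom URIs from the page.
CUSTOM_URIS = [
    "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
    "https://example.abc.com:4002/auth/liberty/callback",
    "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
]

if __name__ == "__main__":
    reg = prepare_registration(CLOUDCTL_OUTPUT, CUSTOM_URIS)
    print(json.dumps(reg, indent=2))
    # Unescaped dots and an empty port: a host the operator never intended.
    for url in ("https://10.10.25.213:8443/auth/liberty/callback",
                "https://example-abc-com:/auth/liberty/callback"):
        print(url, "->", accepted_by(reg["redirect_uris"], url))
```

Running the audit before step 10 shows whether a regex entry accepts more callback hosts or ports than the one you meant to add, which is worth checking because every accepted URI is a place the identity provider will send authorization codes.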
  8. Save and exit the file.

  9. Save the client ID, client secret, and access IP to the following variables:

    1. Save the client secret:

      OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep OAUTH2_CLIENT_REGISTRATION_SECRET | awk '{ print $2}' | base64 --decode)
      
    2. Save the client ID:

      WLP_CLIENT_ID=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)
      
    3. Save the access IP:

      FIP=<master node IP address>
      
  10. Apply the changes that you made to the platform-oidc-registration.json file.

     curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/cluster/cfc-components/platform-oidc-registration.json https://$FIP:8443/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
    
  11. Update the registration-json configmap with the custom URIs. Make the same changes that you made to the platform-oidc-registration.json file.

    1. Open the registration-json configmap for editing.

      kubectl edit cm registration-json -n kube-system
      
    2. Add the following piece of code:

      "allow_regexp_redirects":"true",
      
    3. Add the custom URIs. If you added the example custom URIs, you would then add the following piece of code:

      "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       
      "https://example.abc.com:4002/auth/liberty/callback",        
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
      

Edit allowed host headers

If you changed the host name to access the cluster, you need to modify the allowed host headers in the DaemonSet icp-management-ingress.

  1. Edit the DaemonSet icp-management-ingress by running the following command:

    kubectl edit ds -n kube-system icp-management-ingress
    
  2. Edit the environment variable ALLOWED_HOST_HEADERS in the DaemonSet. For example, if you added the new host name mycluster.icp.new to the cluster access URL, change the environment variable from:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp icp-management-ingress icp-management-ingress.kube-system
    

    To:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp mycluster.icp.new icp-management-ingress icp-management-ingress.kube-system
    

The icp-management-ingress pod restarts.

Now, you can access the management console with the new URL.