
There are multiple ways to authenticate in OpenShift.
- htpasswd OAuth Identity Provider
- kubeadmin
- SSO keycloak
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
To set up OpenShift with an htpasswd Identity Provider, you must first create the htpasswd file and append at least one user account to it.
htpasswd -b -B -c /path/to/htpasswd.file john.doe itsasecret
Then create a secret that contains the htpasswd file (such as htpasswd-secret) in the openshift-config namespace.
oc create secret generic htpasswd-secret --from-file=htpasswd=/path/to/htpasswd.file --namespace openshift-config
You will then update the OAuth YAML with htpasswd.
oc edit oauth
Here is an example of what you would have in the OAuth YAML file.
AVOID TROUBLE
This must be done by a user that has the cluster-admin role. The oc describe clusterrolebinding command can be used to list the users and groups that have the cluster-admin role.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpasswd-secret               # <- must be an exact match of the secret name
    mappingMethod: claim                    # <- must be claim
    name: my_htpasswd_identity_provider     # <- any name you want
    type: HTPasswd                          # <- this is CaSe SenSiTiVe
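The three annotations on the YAML above are exactly the kind of thing that gets mistyped and only surfaces as a login failure later. The following is an added example, not code from the original article: a small Python checker that parses an htpasswd file in the format `htpasswd` writes (one `user:hash` per line, comments starting with `#`), flags any entry that is not a bcrypt hash (which is what `-B` produces, with a `$2y$` prefix), builds the OAuth spec, and applies the three rules from the annotations. The htpasswd content and secret names are constructed sample data; the function names are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# htpasswd -B writes bcrypt entries: $2y$<cost>$<22-char salt><31-char digest>.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Other schemes htpasswd can emit; none of them belong in a new file.
WEAK_PREFIXES = {"$apr1$": "apr1-md5", "{SHA}": "sha1"}


def classify_hash(h: str) -> str:
    """Name the hash scheme used by one htpasswd entry."""
    m = BCRYPT_RE.match(h)
    if m:
        return f"bcrypt(cost={int(m.group(1))})"
    for prefix, name in WEAK_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[./A-Za-z0-9]{13}", h):
        return "crypt"
    return "plaintext-or-unknown"


def parse_htpasswd(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {user: hash} plus a list of findings (empty means the file is clean)."""
    users: Dict[str, str] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: not in user:hash form")
            continue
        user, h = line.split(":", 1)
        if user in users:
            findings.append(f"line {lineno}: duplicate user {user!r}")
        kind = classify_hash(h)
        if not kind.startswith("bcrypt"):
            findings.append(f"line {lineno}: {user!r} uses {kind}, re-create it with htpasswd -B")
        users[user] = h
    return users, findings


def build_oauth_spec(idp_name: str, secret_name: str) -> dict:
    """The OAuth object from the article, with the secret reference filled in."""
    return {
        "apiVersion": "config.openshift.io/v1",
        "kind": "OAuth",
        "metadata": {"name": "cluster"},
        "spec": {
            "identityProviders": [
                {
                    "htpasswd": {"fileData": {"name": secret_name}},
                    "mappingMethod": "claim",
                    "name": idp_name,
                    "type": "HTPasswd",
                }
            ]
        },
    }


def check_oauth_spec(spec: dict, secret_names: Set[str]) -> List[str]:
    """Apply the three rules annotated on the OAuth YAML in the article."""
    findings: List[str] = []
    for idp in spec.get("spec", {}).get("identityProviders", []):
        label = idp.get("name", "<unnamed>")
        if idp.get("type") != "HTPasswd":
            findings.append(f"{label}: type must be exactly 'HTPasswd' (case sensitive)")
        if idp.get("mappingMethod") != "claim":
            findings.append(f"{label}: mappingMethod must be 'claim'")
        ref = idp.get("htpasswd", {}).get("fileData", {}).get("name")
        if ref not in secret_names:
            findings.append(f"{label}: fileData.name {ref!r} does not match a secret in openshift-config")
    return findings


# Constructed sample file: the bcrypt string is a shape-correct placeholder, not a real credential.
SAMPLE_HTPASSWD = """# constructed sample, not a real credential store
john.doe:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy.user:$apr1$saltsalt$abcdefghijklmnopqrstuv
"""

if __name__ == "__main__":
    users, file_findings = parse_htpasswd(SAMPLE_HTPASSWD)
    print("users:", sorted(users))
    for f in file_findings:
        print("htpasswd:", f)
    spec = build_oauth_spec("my_htpasswd_identity_provider", "htpasswd-secret")
    # In a live cluster the set of secret names would come from
    # `oc get secrets --namespace openshift-config`; here it is constructed.
    for f in check_oauth_spec(spec, {"htpasswd-secret"}):
        print("oauth:", f)
```

The checker only ever reads hashes, so it can run wherever the file is generated without the password being present; the `-b` form of `htpasswd` used above puts the password on the command line, where it lands in shell history, so prefer the interactive prompt or `-i` (read from stdin) when the file is created by hand.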
In the openshift-authentication namespace, there should be a "cliconfig" config map that contains the enabled authentication methods.
~]$ oc get configmaps --namespace openshift-authentication
NAME                                   DATA   AGE
kube-root-ca.crt                       1      161d
openshift-service-ca.crt               1      161d
v4-0-config-system-cliconfig           1      355d
v4-0-config-system-metadata            1      355d
v4-0-config-system-service-ca          1      355d
v4-0-config-system-trusted-ca-bundle   1      355d
After the OAuth YAML has been updated with htpasswd, the "cliconfig" config map should contain htpasswd.
~]$ oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json
{
  "data": {
    "v4-0-config-system-cliconfig": {
      "challenge": true,
      "login": true,
      "mappingMethod": "claim",
      "name": "htpasswd_provider",
      "provider": {
        "apiVersion": "osin.config.openshift.io/v1",
        "file": "/var/config/user/idp/1/secret/v4-0-config-user-idp-1-file-data/htpasswd",
        "kind": "HTPasswdPasswordIdentityProvider"
      }
    }
  }
}
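Checking that output by eye works once; a script that answers "is an htpasswd provider actually enabled, and with which settings" is what you want in a post-change verification. This is an added example, not code from the article. One detail the excerpt above glosses over: a Kubernetes ConfigMap stores every `data` value as a string, so the cliconfig arrives as a JSON-encoded string that has to be decoded first. The sample below nests the fragment shown on the page under a constructed parent object because the page only shows the provider part; the walker searches the whole document for provider entries rather than relying on any particular nesting. Function names and the sample ConfigMap are my own.

```python
import json
from typing import Any, Dict, List


def load_cliconfig(configmap: Dict[str, Any]) -> Any:
    """Decode the cliconfig from the ConfigMap. ConfigMap data values are always
    strings, so the JSON is usually still encoded; accept a decoded object too."""
    value = configmap["data"]["v4-0-config-system-cliconfig"]
    return json.loads(value) if isinstance(value, str) else value


def find_identity_providers(node: Any) -> List[Dict[str, Any]]:
    """Collect every object that carries a provider.kind, wherever it is nested."""
    found: List[Dict[str, Any]] = []
    if isinstance(node, dict):
        provider = node.get("provider")
        if isinstance(provider, dict) and "kind" in provider:
            found.append(node)
        for child in node.values():
            found.extend(find_identity_providers(child))
    elif isinstance(node, list):
        for child in node:
            found.extend(find_identity_providers(child))
    return found


def htpasswd_status(configmap: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map each htpasswd identity provider name to the settings worth verifying."""
    status: Dict[str, Dict[str, Any]] = {}
    for idp in find_identity_providers(load_cliconfig(configmap)):
        if idp["provider"].get("kind") != "HTPasswdPasswordIdentityProvider":
            continue
        status[idp.get("name", "<unnamed>")] = {
            "challenge": bool(idp.get("challenge")),
            "login": bool(idp.get("login")),
            "mappingMethod": idp.get("mappingMethod"),
            "file": idp["provider"].get("file"),
        }
    return status


# Constructed sample ConfigMap mirroring the fragment from the article; the parent
# key "oauthConfig" is an assumption of the sample, not something the walker needs.
SAMPLE_CONFIGMAP: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "v4-0-config-system-cliconfig", "namespace": "openshift-authentication"},
    "data": {
        "v4-0-config-system-cliconfig": json.dumps({
            "oauthConfig": {
                "identityProviders": [{
                    "challenge": True,
                    "login": True,
                    "mappingMethod": "claim",
                    "name": "htpasswd_provider",
                    "provider": {
                        "apiVersion": "osin.config.openshift.io/v1",
                        "file": "/var/config/user/idp/1/secret/v4-0-config-user-idp-1-file-data/htpasswd",
                        "kind": "HTPasswdPasswordIdentityProvider",
                    },
                }]
            }
        })
    },
}

if __name__ == "__main__":
    # Live use: feed the output of the `oc get configmap ... --output json` command shown above.
    for name, settings in htpasswd_status(SAMPLE_CONFIGMAP).items():
        print(name, settings)
```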
Let's say your htpasswd file contains a user named john.doe. If john.doe has not logged into OpenShift at least once, the oc get users command should return not found.
~]$ oc get users john.doe
Error from server (NotFound): users.user.openshift.io "john.doe" not found
John Doe will need to log into OpenShift.
~]$ oc login -u john.doe api.openshift.example.com:6443
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: john.doe
Password:
Login successful.
And now the oc get users command should return john.doe. In this example, because the identity provider in the OAuth YAML is named my_htpasswd_identity_provider, the IDENTITIES column shows my_htpasswd_identity_provider:john.doe.
~]$ oc get users john.doe
NAME       UID                                    FULL NAME   IDENTITIES
john.doe   127a869c-342a-4ea4-9f8e-9945276dc842               my_htpasswd_identity_provider:john.doe
And the oc get identities command shows the identity that was created for the user, tied to the same identity provider.
~]$ oc get identities
NAME                                     IDP NAME                        IDP USER NAME   USER NAME   USER UID
my_htpasswd_identity_provider:john.doe   my_htpasswd_identity_provider   john.doe        john.doe    127a869c-342a-4ea4-9f8e-9945276dc842