
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
The oc get oauth command can be used to list the OAuth Identity Providers that have been created. If you are not familiar with OAuth, check out my article What is an OAuth token. By default, there is a single OAuth Identity Provider named cluster.
~]$ oc get oauth
NAME      AGE
cluster   373d
The oc describe oauth command can be used to display more details on the OAuth Identity Provider. In this example, the OAuth Identity Provider is using LDAP. OpenShift can be configured with the following identity providers.
- GitHub
- htpasswd (flat file with users' usernames and passwords)
- keystone
- kubeadmin (default administrator user ID)
- LDAP
- OpenID Connect
~]$ oc describe oauth cluster
Name:         cluster
Namespace:
Labels:       <none>
Annotations:  release.openshift.io/create-only: true
API Version:  config.openshift.io/v1
Kind:         OAuth
Metadata:
  Creation Timestamp:  2021-07-16T17:10:50Z
  Generation:          21
  Managed Fields:
    API Version:  config.openshift.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:release.openshift.io/create-only:
      f:spec:
    Manager:      cluster-version-operator
    Operation:    Update
    Time:         2021-07-16T17:10:50Z
    API Version:  config.openshift.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        f:identityProviders:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            2021-10-20T12:36:44Z
  Resource Version:  104630825
  UID:               718713e8-e62f-45f0-a605-e04f84af99a0
Spec:
  Identity Providers:
    Ldap:
      Attributes:
        Email:
          mail
        Id:
          dn
        Name:
          cn
        Preferred Username:
          uid
      Bind DN:  cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme
      Bind Password:
        Name:  ldap-secret
      Insecure:  true
      URL:       ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)
    Mapping Method:  claim
    Name:            acme-ldap
    Type:            LDAP
Events:  <none>
Or, the oc get oauth command with the --output json or --output yaml option can be used.
~]$ oc get oauth cluster --output yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"config.openshift.io/v1","kind":"OAuth","metadata":{"annotations":{},"name":"cluster"},"spec":{"identityProviders":[{"ldap":{"attributes":{"email":["mail"],"id":["dn"],"name":["cn"],"preferredUsername":["uid"]},"bindDN":"cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme","bindPassword":{"name":"ldap-secret"},"insecure":true,"url":"ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)"},"mappingMethod":"claim","name":"acme-ldap","type":"LDAP"}]}}
    release.openshift.io/create-only: "true"
  creationTimestamp: "2021-07-16T17:10:50Z"
  generation: 21
  name: cluster
  resourceVersion: "104630825"
  uid: 718713e8-e62f-45f0-a605-e04f84af99a0
spec:
  identityProviders:
  - ldap:
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme
      bindPassword:
        name: ldap-secret
      insecure: true
      url: ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)
    mappingMethod: claim
    name: acme-ldap
    type: LDAP
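As an added example (not code from the original article), the Python below audits the identityProviders spec returned by oc get oauth cluster --output json for the points a reviewer would check; note that the insecure: true shown above means the bind password and every user's password reach the LDAP server without TLS. The sample input is the page's own acme-ldap provider, and the finding codes are names chosen for this example.

```python
import json

# Constructed sample: the acme-ldap provider from the page's own
# `oc get oauth cluster --output yaml` output, reduced to what the audit reads.
SAMPLE_OAUTH = json.loads('''
{"apiVersion": "config.openshift.io/v1", "kind": "OAuth",
 "metadata": {"name": "cluster"},
 "spec": {"identityProviders": [{"ldap": {
     "attributes": {"email": ["mail"], "id": ["dn"], "name": ["cn"],
                    "preferredUsername": ["uid"]},
     "bindDN": "cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme",
     "bindPassword": {"name": "ldap-secret"},
     "insecure": true,
     "url": "ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)"},
   "mappingMethod": "claim", "name": "acme-ldap", "type": "LDAP"}]}}
''')

def audit_identity_providers(oauth):
    """Return (provider name, finding code) pairs for an OAuth object.
    Finding codes (names chosen for this example):
      no-idp       spec.identityProviders is empty; only kubeadmin can log in
      ldap-no-tls  insecure: true, so the bind password and every user's
                   password reach the LDAP server without TLS
      ldap-no-ca   TLS is used but no ca config map is referenced, so the
                   server certificate is checked against the default trust only
      mapping-<m>  mappingMethod other than claim; review how identities merge
    """
    findings = []
    providers = oauth.get("spec", {}).get("identityProviders") or []
    if not providers:
        findings.append(("cluster", "no-idp"))
    for idp in providers:
        name = idp.get("name", "<unnamed>")
        method = idp.get("mappingMethod", "claim")   # claim is the default
        if method != "claim":
            findings.append((name, f"mapping-{method}"))
        if idp.get("type") == "LDAP":
            ldap = idp.get("ldap", {})
            if ldap.get("insecure", False):
                findings.append((name, "ldap-no-tls"))
            elif not ldap.get("ca", {}).get("name"):
                findings.append((name, "ldap-no-ca"))
    return findings

if __name__ == "__main__":
    for name, code in audit_identity_providers(SAMPLE_OAUTH):
        print(f"{name}: {code}")
```

To run it against a live cluster, feed it json.load(...) of the oc get oauth cluster --output json output instead of the embedded sample.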
The openshift-authentication namespace should contain a config map listing the enabled authentication methods.
~]$ oc get configmaps --namespace openshift-authentication
NAME                                   DATA   AGE
kube-root-ca.crt                       1      161d
openshift-service-ca.crt               1      161d
v4-0-config-system-cliconfig           1      355d
v4-0-config-system-metadata            1      355d
v4-0-config-system-service-ca          1      355d
v4-0-config-system-trusted-ca-bundle   1      355d
In this example, the config map named v4-0-config-system-cliconfig in the openshift-authentication namespace contains an LDAP identity provider.
~]$ oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json
  "identityProviders": [
    {
      "challenge": true,
      "login": true,
      "mappingMethod": "claim",
      "name": "acme-ldap",
      "provider": {
        "apiVersion": "osin.config.openshift.io/v1",
        "attributes": {
          "email": [
            "mail"
          ],
          "id": [
            "dn"
          ],
          "name": [
            "cn"
          ],
          "preferredUsername": [
            "uid"
          ]
        },
        "bindDN": "cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme",
        "bindPassword": {
          "env": "",
          "file": "/var/config/user/idp/0/secret/v4-0-config-user-idp-0-bind-password/bindPassword",
          "keyFile": "",
          "value": ""
        },
        "ca": "",
        "insecure": true,
        "kind": "LDAPPasswordIdentityProvider",
        "url": "ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)"
      }
    }
  ],
There are also oauth pods in the openshift-authentication namespace.
~]$ oc get pods --namespace openshift-authentication
NAME                               READY   STATUS    RESTARTS   AGE
oauth-openshift-564bfbb8d9-4vwft   1/1     Running   0          51d
oauth-openshift-564bfbb8d9-cxvtb   1/1     Running   0          51d
oauth-openshift-564bfbb8d9-f6gmh   1/1     Running   0          51d