
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
The oc get oauth command can be used to list the OAuth resources in the cluster. If you are not familiar with OAuth, check out my article What is an OAuth token. By default, there is a single OAuth resource named cluster, and the identity providers are defined in its spec.
~]$ oc get oauth
NAME      AGE
cluster   373d
The oc describe oauth command, or the oc get oauth command with the --output json or --output yaml option, can be used to view the details of the OAuth resource. In this example, an LDAP Identity Provider is being used.
~]$ oc get oauth cluster --output yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"config.openshift.io/v1","kind":"OAuth","metadata":{"annotations":{},"name":"cluster"},"spec":{"identityProviders":[{"ldap":{"attributes":{"email":["mail"],"id":["dn"],"name":["cn"],"preferredUsername":["uid"]},"bindDN":"cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme","bindPassword":{"name":"ldap-secret"},"insecure":true,"url":"ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)"},"mappingMethod":"claim","name":"acme-ldap","type":"LDAP"}]}}
    release.openshift.io/create-only: "true"
  creationTimestamp: "2021-07-16T17:10:50Z"
  generation: 21
  name: cluster
  resourceVersion: "104630825"
  uid: 718713e8-e62f-45f0-a605-e04f84af99a0
spec:
  identityProviders:
  - ldap:
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme
      bindPassword:
        name: ldap-secret
      insecure: true
      url: ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)
    mappingMethod: claim
    name: acme-ldap
    type: LDAP
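The LDAP provider above has insecure: true and an ldap:// URL, which means the bind password in ldap-secret and every user's password at login cross the network without TLS. The following audit script is an added example, not code from the original article or from OpenShift itself; it embeds a constructed copy of the spec shown above plus a hardened variant (the ca ConfigMap name ldap-ca-bundle is assumed) and flags the settings a reviewer would want corrected. When run with the output of oc get oauth cluster --output json on stdin, it audits the live resource instead of the sample.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample: the spec of the OAuth resource shown above, as
# `oc get oauth cluster --output json` would return it (metadata trimmed).
SAMPLE_OAUTH = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {"identityProviders": [{
        "name": "acme-ldap",
        "type": "LDAP",
        "mappingMethod": "claim",
        "ldap": {
            "attributes": {"email": ["mail"], "id": ["dn"],
                           "name": ["cn"], "preferredUsername": ["uid"]},
            "bindDN": "cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme",
            "bindPassword": {"name": "ldap-secret"},
            "insecure": True,
            "url": "ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)",
        },
    }]},
}

# Constructed hardened variant of the same provider: ldaps://, insecure: false,
# and a CA bundle ConfigMap in openshift-config (name "ldap-ca-bundle" is assumed).
HARDENED_LDAP = {
    "name": "acme-ldap",
    "type": "LDAP",
    "mappingMethod": "claim",
    "ldap": {
        "attributes": {"email": ["mail"], "id": ["dn"],
                       "name": ["cn"], "preferredUsername": ["uid"]},
        "bindDN": "cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme",
        "bindPassword": {"name": "ldap-secret"},
        "ca": {"name": "ldap-ca-bundle"},
        "insecure": False,
        "url": "ldaps://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)",
    },
}


def audit_ldap_provider(idp):
    """Return a list of (severity, message) findings for one LDAP identity provider."""
    ldap = idp.get("ldap", {})
    scheme = urlsplit(ldap.get("url", "")).scheme.lower()
    insecure = bool(ldap.get("insecure", False))
    findings = []
    if insecure:
        # insecure: true means no TLS at all, neither ldaps nor StartTLS, so the
        # bind password and each user's login password are sent in cleartext.
        findings.append(("HIGH", "insecure: true disables TLS; set insecure: false and use ldaps://"))
        if scheme == "ldaps":
            findings.append(("HIGH", "insecure: true is not valid with an ldaps:// URL"))
    elif scheme == "ldap":
        # With insecure: false an ldap:// URL is upgraded with StartTLS.
        findings.append(("LOW", "ldap:// relies on StartTLS; ldaps:// makes the TLS requirement explicit"))
    if not insecure and not ldap.get("ca"):
        findings.append(("MEDIUM", "no ca ConfigMap: the server certificate is checked against the system trust store only"))
    if "bindDN" in ldap and not ldap.get("bindPassword", {}).get("name"):
        findings.append(("HIGH", "bindDN is set but bindPassword does not reference a Secret"))
    return findings


def audit_oauth(oauth):
    """Map each identity provider name to its findings; duplicate names are flagged too."""
    report, seen = {}, set()
    for idp in oauth.get("spec", {}).get("identityProviders", []):
        name = idp.get("name", "<unnamed>")
        items = [("HIGH", "duplicate identity provider name")] if name in seen else []
        seen.add(name)
        if idp.get("type") == "LDAP":
            items.extend(audit_ldap_provider(idp))
        report[name] = items
    return report


if __name__ == "__main__":
    # Usage: oc get oauth cluster --output json | python audit_oauth.py
    oauth = SAMPLE_OAUTH if sys.stdin.isatty() else json.load(sys.stdin)
    for name, items in audit_oauth(oauth).items():
        for severity, message in items or [("OK", "no findings")]:
            print(f"{name}: [{severity}] {message}")
```

The audit only looks at the OAuth spec; it cannot tell whether ldap-secret actually exists in openshift-config, so that check still belongs in the same review (oc get secret ldap-secret -n openshift-config).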
OpenShift can be configured with the following identity providers.
- GitHub
- htpasswd (flat file with each user's username and password)
- keystone
- kubeadmin (default administrator user ID)
- LDAP
- OpenID Connect
Let's say you want to enable an additional OAuth Identity Provider. The oc edit command can be used to update the YAML of the OAuth resource.
AVOID TROUBLE
This command must be issued by a user or group that has the cluster-admin role. The oc describe clusterrolebinding or oc describe rolebinding command can be used to list the users and groups that have the cluster-admin role.
~]$ oc edit oauth cluster
oauth.config.openshift.io/cluster edited
For example, here is what the spec could look like to enable both the LDAP and htpasswd identity providers.
items:
- apiVersion: config.openshift.io/v1
  kind: OAuth
  spec:
    identityProviders:
    - ldap:
        attributes:
          email:
          - mail
          id:
          - dn
          name:
          - cn
          preferredUsername:
          - uid
        bindDN: cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=Acme
        bindPassword:
          name: ldap-secret
        insecure: true
        url: ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)
      mappingMethod: claim
      name: my-ldap
      type: LDAP
    - htpasswd:
        fileData:
          name: htpasswd-secret
      mappingMethod: claim
      name: htpasswd_provider
      type: HTPasswd
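Editing the identityProviders list by hand is easy to get wrong: a provider name that collides with an existing one, or a stanza missing the fields its type requires, is rejected by the API server or, worse, merges two providers' users into one identity namespace (identities are named providerName:username). The script below is an added example, not code from the original article or from OpenShift; it embeds a constructed copy of the resource shown above, validates the htpasswd stanza from the page, appends it only if its name is unique, and emits the full merged object for oc apply -f. The sample user alice and the password in the comment are made up.

```python
import copy
import json

# Constructed: the current OAuth resource, reduced to the fields that matter
# here (the my-ldap provider from the example above).
CURRENT_OAUTH = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {"identityProviders": [{
        "name": "my-ldap",
        "type": "LDAP",
        "mappingMethod": "claim",
        "ldap": {
            "attributes": {"email": ["mail"], "id": ["dn"],
                           "name": ["cn"], "preferredUsername": ["uid"]},
            "bindDN": "cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=Acme",
            "bindPassword": {"name": "ldap-secret"},
            "insecure": True,
            "url": "ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)",
        },
    }]},
}

# The htpasswd provider from the example above. The Secret it references must
# exist in openshift-config before the provider is applied, created with the
# documented commands (run separately; user and password here are made up):
#   htpasswd -c -B -b users.htpasswd alice 'example-password'
#   oc create secret generic htpasswd-secret --from-file=htpasswd=users.htpasswd -n openshift-config
HTPASSWD_PROVIDER = {
    "name": "htpasswd_provider",
    "type": "HTPasswd",
    "mappingMethod": "claim",
    "htpasswd": {"fileData": {"name": "htpasswd-secret"}},
}

# Per provider type: the key holding its configuration and the fields that must
# be present under it. Only the two types shown on this page are covered.
REQUIRED_FIELDS = {
    "HTPasswd": ("htpasswd", ["fileData"]),
    "LDAP": ("ldap", ["url", "attributes"]),
}


def validate_provider(provider):
    """Raise ValueError if the provider stanza is structurally incomplete."""
    for key in ("name", "type", "mappingMethod"):
        if not provider.get(key):
            raise ValueError(f"identity provider is missing '{key}'")
    if provider["type"] not in REQUIRED_FIELDS:
        raise ValueError(f"type {provider['type']!r} is not covered by this example")
    section, fields = REQUIRED_FIELDS[provider["type"]]
    config = provider.get(section)
    if not isinstance(config, dict):
        raise ValueError(f"type {provider['type']} requires a '{section}' section")
    missing = [f for f in fields if f not in config]
    if missing:
        raise ValueError(f"'{section}' is missing {missing}")


def add_identity_provider(oauth, provider):
    """Return a deep copy of `oauth` with `provider` appended to spec.identityProviders.

    Names must be unique: the provider name prefixes every identity it creates
    (name:username), so a collision would merge two providers' user sets.
    """
    validate_provider(provider)
    updated = copy.deepcopy(oauth)
    providers = updated.setdefault("spec", {}).setdefault("identityProviders", [])
    if any(p.get("name") == provider["name"] for p in providers):
        raise ValueError(f"identity provider {provider['name']!r} already exists")
    providers.append(copy.deepcopy(provider))
    return updated


def provider_names(oauth):
    """Names of the identity providers in an OAuth object, in order."""
    return [p["name"] for p in oauth.get("spec", {}).get("identityProviders", [])]


if __name__ == "__main__":
    # Save the output as oauth.json and run: oc apply -f oauth.json
    # The whole object is emitted because a merge patch would replace the
    # entire identityProviders list rather than add to it.
    print(json.dumps(add_identity_provider(CURRENT_OAUTH, HTPASSWD_PROVIDER), indent=2))
```

Because the function returns a copy, the object you read from the cluster is left untouched, which makes it easy to diff the before and after states before applying the change.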