Red Hat SummitIdentity configuration management for Kubernetes enhances the capabilities of Red Hat Advanced Cluster Management for Kubernetes (RHACM) or the multicluster engine for Kubernetes by enabling OpenShift administrators to define their identity provider configuration, once in the management hub cluster. Using simple placement rules, that same configuration can be used across multiple managed clusters within the fleet.
Prerequisites
Based on the full list of requirements, here are the most important ones to highlight:
-
Red Hat OpenShift Container Platform (RHOCP) 4.10, 4.9, or 4.8.12+ (due to BZ 1969902) for hub cluster
-
RHACM 2.4 or Red Hat multicluster engine for Kubernetes (Technical Preview)
-
Signed certificate used by RHOCP
A signed certificate is required for the components used to authenticate the OpenID authentication requests. See the Security Requirements documentation.
An easy way to do this is using letsencrypt and the instructions in the Add an ACME certificate section.
NOTE: These instructions assume you have AWS access to allow proper registration of the certificate.
Install the Operator
From the OpenShift console, navigate to the OperatorHub page (Operators > OperatorHub) and enter identity in the search box (it might take a few seconds for it to appear). Once the operator appears, select it, and the following appears in the OpenShift console:
Select install, and take all the defaults to get identity configuration management for Kubernetes installed in the idp-mgmt-config namespace. Wait for the operator to install. After the installation completes, an IDPConfig must be created. This can be done using the Operator Hub page shown after the install completes:
Select Create IDP Config. Once installed, navigate to Operators > Installed Operator to verify the operator is installed:
Add a Managed Cluster
A managed cluster must be registered with the hub cluster. Use one of the various ways to do so. For this example, I use my managed cluster cahl-mc.
Once the managed cluster is registered, wait until the the managed cluster is JOINED and the MANAGED CLUSTER URL appears. For example, use the command line to verify if the managed cluster cahl-mc is fully registered:
oc get managedclusters
NAME HUB ACCEPTED MANAGED CLUSTER URLS JOINED AVAILABLE AGE
cahl-mc true https://api.aws-4-9-sno-2x-rrt25.redhat.com:6443 True True 47h
local-cluster true https://api.aws-4-10-5-sno-2x-2zsqs.redhat.com:6443 True True 2d22h
Create a Namespace
A new namespace is used to contain the various custom resources. For example, run the following command from the command line:
echo '
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: github-sample-ns' | kubectl create -f -
Create a Cluster Set
A cluster set must be defined to determine the managed clusters that have the identity configuration changes applied. Use either the RHACM console or the command line. For example, run the following command from the command line:
echo '
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: ManagedClusterSet
metadata:
name: github-clusterset
namespace: github-sample-ns' | kubectl create -f -
Bind the Managed Cluster to the Cluster Set
Use the following command to bind the managed cluster to the cluster set:
echo '
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: ManagedClusterSetBinding
metadata:
name: github-clusterset
namespace: github-sample-ns
spec:
clusterSet: github-clusterset' | kubectl create -f -
Label the Managed Cluster So It Joins the Cluster Set
From the command line, run the following command:
oc label managedclusters cahl-mc cluster.open-cluster-management.io/clusterset=github-clusterset --overwrite
Create a Placement Rule
Placement rules define what AuthRealm must be deployed to the managed clusters in the managed cluster set. For this example, a label is applied to the managed cluster to determine placement. For example, run the following command:
echo '
apiVersion: cluster.open-cluster-management.io/v1alpha1
kind: Placement
metadata:
name: github-placement
namespace: github-sample-ns
spec:
predicates:
- requiredClusterSelector:
labelSelector:
matchLabels:
authdeployment: east' | kubectl create -f -
Set Up the GitHub OAuth Application
For this example, set up OAuth authentication using GitHub:
-
Open a web browser, and navigate to GitHub. Go to Settings > Developer Settings > OAuth Apps, or use this link as a shortcut.
-
Add a
New OAuthApp. Copy the Client ID and Client Secret values. You will need these values later to set environment variables used by thegenerate-cr.shscript. -
Fill in the Application name with something to help identify the owner and hub cluster it's used for.
NOTE: If you have more than one hub cluster, each needs its own entry.
-
Fill in Homepage URL and Authorization callback URL with
http://www.redhat.com.NOTE: A little later in this post, I explain how to correct the
Homepage and Authorization callback URLvalue once the correct generated value is received. -
Click Register Application.
NOTE: You must return to the GitHub OAuth a little later to correct the Authorization callback URL after the value is generated for you. Therefore, leave this page open.
Add a New identity provider AuthRealm
Use the GitHub OAuth application information to create the secret and AuthRealm:
-
Create a GitHub secret needed by the AuthRealm. For example, run the following command:
oc create secret generic github-client-secret -n github-sample-ns --from-literal=clientSecret=<github-oauth-clientID-secret>
-
Create the AuthRealm. For example, run the following command using the command line:
echo '
apiVersion: identityconfig.identitatem.io/v1alpha1
kind: AuthRealm
metadata:
name: github
namespace: github-sample-ns
spec:
type: dex
routeSubDomain: testdomain
placementRef:
name: github-placement
identityProviders:
- name: "idpname"
mappingMethod: add
type: GitHub
github:
clientID: "<your GitHub OAth Application clientID name>"
clientSecret:
name: github-client-secret' | kubectl create -f -
Correct the GitHub OAuth Application Authorization Callback URL
With your AuthRealm created, you're ready to update your GitHub OAuth application authorization callback URL. Use this link as a shortcut. To generate the proper value, use the routeSubDomain specified in the AuthRealm, and run the following script while logged in to your hub cluster. For this example, change the routeSubDomain where the parameter value was set to testdomain:
export ROUTE_SUBDOMAIN=<your_route_subdomain>
export APPS=$(oc get infrastructure cluster -ojsonpath='{.status.apiServerURL}' | cut -d':' -f2 | sed 's/\/\/api/apps/g')
echo "Authorization callback URL: https://${ROUTE_SUBDOMAIN}.${APPS}/callback"
Label the Managed Cluster So It's Part of the Placement
Run the following command to label the managed cluster:
oc label managedclusters cahl-mc authdeployment=east
Check the Managed Cluster Identity Configuration
Fairly soon after the label is added for your Placement, the managed cluster OAuth configuration is updated, usually less than 10 seconds later. Once the OAuth configuration change is made, it may take up to 5 minutes for the various pods used for authetication on the managed cluster to restart and pick up the change.
Once the oauth-openshift pod in namespace openshift-authentication has restarted, log out of the managed cluster console. The new GitHub login option appears.
Log in using the GitHub option.
Additional Resources
-
Identity configuration management for Kubernetes documentation
-
Script to help generate example CRs
NOTE: The following environment variables must be defined for GitHub before using the
generate-cr.shscript.export AUTHREALM_GITHUB_NAME=<AuthRelam name>
export AUTHREALM_GITHUB_NS=<namespace to create resources>
export IDP_NAME=<identity provider name>
export GITHUB_APP_CLIENT_ID=<GitHub OAuth application client ID>
export GITHUB_APP_CLIENT_SECRET=<GitHub OAuth application client secret>
export ROUTE_SUBDOMAIN=<AuthRealm routeSubDomain>
Sobre o autor
Navegue por canal
Automação
Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes
Inteligência artificial
Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente
Nuvem híbrida aberta
Veja como construímos um futuro mais flexível com a nuvem híbrida
Segurança
Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias
Edge computing
Saiba quais são as atualizações nas plataformas que simplificam as operações na borda
Infraestrutura
Saiba o que há de mais recente na plataforma Linux empresarial líder mundial
Aplicações
Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações
Programas originais
Veja as histórias divertidas de criadores e líderes em tecnologia empresarial
Produtos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Red Hat Cloud Services
- Veja todos os produtos
Ferramentas
- Treinamento e certificação
- Minha conta
- Suporte ao cliente
- Recursos para desenvolvedores
- Encontre um parceiro
- Red Hat Ecosystem Catalog
- Calculadora de valor Red Hat
- Documentação
Experimente, compre, venda
Comunicação
- Contate o setor de vendas
- Fale com o Atendimento ao Cliente
- Contate o setor de treinamento
- Redes sociais
Sobre a Red Hat
A Red Hat é a líder mundial em soluções empresariais open source como Linux, nuvem, containers e Kubernetes. Fornecemos soluções robustas que facilitam o trabalho em diversas plataformas e ambientes, do datacenter principal até a borda da rede.
Selecione um idioma
Red Hat legal and privacy links
- Sobre a Red Hat
- Oportunidades de emprego
- Eventos
- Escritórios
- Fale com a Red Hat
- Blog da Red Hat
- Diversidade, equidade e inclusão
- Cool Stuff Store
- Red Hat Summit