Configuring authentication for IBM Cloud Private with OpenShift

You can configure OpenShift to use the IBM Cloud Private OpenID Connect (OIDC) authentication provider.

Prerequisites

Install the required CLI tools on the master node of the OpenShift cluster, such as the OpenShift oc command, cloudctl, kubectl, and Helm.

Configure the kubectl CLI

The kubectl CLI is used to collect prerequisite information that is required for IBM Cloud Private authentication integration with OpenShift as the OIDC provider.

  1. Log in to the master node of the OpenShift cluster as a user with root permissions.

  2. Log in by using either OpenShift, IBM Cloud Private, or the kubectl client configuration. Follow the steps in the appropriate option:

    Option 1: Log in by using the OpenShift command line, oc login, with the admin user:

    1. Log in with user name and password by running the following command:

      oc login <openshift URL> -u <openshift admin username> -p <openshift admin password>
      
    2. Log in with an OAuth token, by following these steps:

      a) Log in to the web console as the admin user.

      b) Click the user name and copy the login command, which has the following form:

          oc login <openshift URL> --token=<tokenID>
      

      See the following list for the command descriptions:

      • <openshift URL>: OpenShift web console URL. For example, https://api.your-openshift-server.com
      • <openshift admin username>: OpenShift admin user name
      • <openshift admin password>: OpenShift admin user password
      • <tokenID>: OpenShift admin user login token
    3. Paste the copied login command into your command line and press Enter.

    Option 2: Log in by using the IBM Cloud Private command line with your user name and password, by running the following command:

     cloudctl login [-a CLUSTER_URL] [-u USERNAME] [-p PASSWORD] [-c ACCOUNT_ID or ACCOUNT_NAME] [--skip-ssl-validation]
    

    Option 3: Log in by using kubectl client configuration, by following these steps:

    1. Log in to your IBM Cloud Private cluster management console as the cluster administrator.

    2. Select Configure client and copy the cluster configuration details:

      kubectl config set-cluster {cluster_name} --server=https://master_ip:5443 --insecure-skip-tls-verify=true
      kubectl config set-context {cluster_name}-context --cluster={cluster_name}
      kubectl config set-credentials {cluster_name}-user --token={token}
      kubectl config set-context {cluster_name}-context --user={cluster_name}-user --namespace=default
      kubectl config use-context {cluster_name}-context


      Note: The master_ip is the IP address of the master node for your IBM Cloud Private cluster. The {token} is the bearer token of the logged-in cluster administrator; treat the copied configuration as a credential.

    3. Paste the copied client configuration information for your IBM Cloud Private cluster.

IBM Cloud Private Authentication integration with OpenShift as the OIDC provider

  1. Log in to the master node of the OpenShift cluster as a user with root permissions.

  2. Obtain and save the following required information:

    • Save OAUTH2_CLIENT_REGISTRATION_SECRET:
    export OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep OAUTH2_CLIENT_REGISTRATION_SECRET | awk '{ print $2}' | base64 --decode)
    
    • Save WLP_CLIENT_ID:
    export WLP_CLIENT_ID=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)
    
    • Save WLP_CLIENT_SECRET:
    export WLP_CLIENT_SECRET=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_SECRET | awk '{ print $2}' | base64 --decode)
    
    • Save the access IP:
    export MASTER_NODE_IP=<master node IP address>
    
    • Save the OIDC registration JSON data to the platform-oidc-registration.json file:
    kubectl -n kube-system get cm registration-json -o "jsonpath={.data['platform-oidc-registration\.json']}" > platform-oidc-registration.json
    
    • Save the IBM Cloud Private cluster CA certificate to an icp-ca.crt file:
    kubectl -n kube-system get secret cluster-ca-cert -o yaml | grep tls.crt | awk '{ print $2}' | base64 --decode > icp-ca.crt
    
  3. Update the platform-oidc-registration.json file and add the following URL to the redirect_uris array. The OIDC provider matches redirect URIs exactly, so the host and port must be the ones the browser uses to reach the OpenShift console.

    https://<openshift console access hostname or ipaddress>:<port>/oauth2callback/OIDC
    
  4. Update the OIDC registration in IBM Cloud Private for the OpenShift callback URL by applying the changes that you made to the platform-oidc-registration.json file.

    curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @platform-oidc-registration.json https://$MASTER_NODE_IP:<port>/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
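Steps 3 and 4 edit the registration document by hand and PUT it back. The following is an added example, not IBM's code, that performs the same update in a checked way: it validates the callback URL (absolute https, ending in /oauth2callback/OIDC), adds it to redirect_uris only if it is not already present, and builds the same authenticated PUT request the curl command sends. The registration document, host, port, client ID and secret below are constructed sample values.

```python
import base64
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample of a platform-oidc-registration.json document (not from a real cluster).
SAMPLE_REGISTRATION = json.dumps({
    "client_id": "example-client-id",
    "redirect_uris": ["https://icp-console.example.com:8443/auth/liberty/callback"],
    "grant_types": ["authorization_code", "client_credentials", "refresh_token"],
})


def is_valid_callback(callback_url: str) -> bool:
    """The provider compares redirect URIs exactly, so require an absolute https URL
    with a host and the OpenShift OIDC callback path; anything else is rejected."""
    parsed = urlparse(callback_url)
    return (parsed.scheme == "https" and bool(parsed.netloc)
            and parsed.path.endswith("/oauth2callback/OIDC"))


def add_redirect_uri(registration_json: str, callback_url: str) -> str:
    """Return the registration JSON with callback_url in redirect_uris.

    Adding is idempotent: re-running the step does not duplicate the entry.
    """
    if not is_valid_callback(callback_url):
        raise ValueError(f"not an acceptable OpenShift callback URL: {callback_url}")
    reg = json.loads(registration_json)
    uris = reg.setdefault("redirect_uris", [])
    if callback_url not in uris:
        uris.append(callback_url)
    return json.dumps(reg, indent=2)


def build_registration_request(master_ip, port, client_id, reg_secret, body):
    """Build the PUT to /oidc/endpoint/OP/registration/<client id>, authenticated
    as oauthadmin with HTTP Basic auth, exactly as the curl step does.

    Only the request object is built here; sending it (urllib.request.urlopen with
    the cluster CA, not -k) is left to the caller.
    """
    url = f"https://{master_ip}:{port}/oidc/endpoint/OP/registration/{client_id}"
    creds = base64.b64encode(f"oauthadmin:{reg_secret}".encode()).decode()
    return urllib.request.Request(
        url, data=body.encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {creds}"},
    )
```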
    
  5. Configure the IBM Cloud Private OIDC as the identityProvider for OpenShift.

    1. Update master-config.yaml and add the following entry to the identityProviders list under oauthConfig:

      oauthConfig:
        ...
        identityProviders:
        ...
        - name: OIDC
          challenge: true
          login: true
          provider:
            apiVersion: v1
            kind: OpenIDIdentityProvider
            ca: icp-ca.crt
            clientID: <WLP_CLIENT_ID>
            clientSecret: <WLP_CLIENT_SECRET>
            claims:
              id:
              - sub
            urls:
              authorize: https://<ICP console hostname or ipaddress>:<port>/idprovider/v1/auth/authorize
              token: https://<ICP console hostname or ipaddress>:<port>/idprovider/v1/auth/token
      

      Note: Ensure that the lines are indented consistently in the master-config.yaml file; YAML is whitespace-sensitive and a misaligned line makes the API server fail to start. The ca value must point at the icp-ca.crt file that you copy in the next step, so that the token endpoint is verified against the IBM Cloud Private CA rather than skipped.

    2. Copy the icp-ca.crt CA certificate to the /etc/origin/master/ folder:

      cp icp-ca.crt /etc/origin/master/
      
    3. Restart the OpenShift Master API service with the following command:

      systemctl restart <openShift master api servicename>

      For example:

      systemctl restart atomic-openshift-master-api.service
      

Log in to OpenShift by using the OIDC

  1. Open the OpenShift web console URL in a browser. The available "Log in with" providers are listed in the OpenShift web console.

  2. Click the OIDC provider to open the IBM Cloud Private login page.

  3. Enter the IBM Cloud Private login credentials and press Enter.

You are logged in and redirected to the OpenShift web console.