Customizing the cluster access URL

Customize the Uniform Resource Locator (URL) that you use to log in to the IBM® Cloud Private cluster management console.

Supported customization formats

The following customization formats are supported:

• https://<Public IP>:8443/console
• https://<Public IP>:8443/console/
• https://<Private IP>:8443/console/
• https://<Private IP>:custom-port/console/
• https://<host name>:8443/console
• https://<host name>:custom-port/console
• https://localhost:8443/console
• https://localhost:<custom port>/console
• https://<Regex host name>:8443/console
• https://<Regex IP>:8443/console
• https://<Regex host name>:<custom port>/console
• https://<Regex IP>:<custom port>/console
• https://<Regex host name>:<Regex port>/console
• https://<Regex IP>:<Regex Port>/console

Required user type or access level: Cluster administrator

Customize the cluster access URL

Complete the following tasks on the boot node of your IBM Cloud Private cluster.

1. Log in to the boot node as a user with root permissions.
2. Set up kubectl CLI. See Accessing your cluster from the kubectl CLI.

3. Copy the content that is in the registration-json configmap into the file registration.yaml.

   kubectl get cm registration-json -n kube-system -o yaml > registration.yaml
   

   The registration.yaml file content resembles the following code:

   apiVersion: v1
   data:
    platform-oidc-registration.json: |
      {
      "token_endpoint_auth_method":"client_secret_basic",
      "client_id": "d2a00fc99163f85169ac7c6de758bad1",
      "client_secret": "01661d22bd0b2025fd87e26e994a4894",
      "scope":"openid profile email",
      "grant_types":[
         "authorization_code",
         "client_credentials",
         "password",
         "implicit",
         "refresh_token",
         "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "response_types":[
         "code",
         "token",
         "id_token token"
      ],
      "application_type":"web",
      "subject_type":"public",
      "post_logout_redirect_uris":[
       "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
      "introspect_tokens":true,
      "trusted_uri_prefixes":[
         "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
      "redirect_uris":[
         "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:9443/oidc/endpoint/OP"    ]
      }
   kind: ConfigMap
   metadata:
    creationTimestamp: 2018-06-06T11:53:21Z
    name: registration-json
    namespace: kube-system
    resourceVersion: "1255"
    selfLink: /api/v1/namespaces/kube-system/configmaps/registration-json
    uid: 3620b003-6980-11e8-9420-fa163ea0dafe
   

4. Create a platform-oidc-registration.json file. Place the file in the <installation directory>/cluster/cfc-components/ folder.

5. Copy the content that is in the data: section of the registration.yaml file into the platform-oidc-registration.json file. The platform-oidc-registration.json file content resembles the following code:

     {
      "token_endpoint_auth_method":"client_secret_basic",
      "client_id": "d2a00fc99163f85169ac7c6de758bad1",
      "client_secret": "01661d22bd0b2025fd87e26e994a4894",
      "scope":"openid profile email",
      "grant_types":[
         "authorization_code",
         "client_credentials",
         "password",
         "implicit",
         "refresh_token",
         "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "response_types":[
         "code",
         "token",
         "id_token token"
      ],
      "application_type":"web",
      "subject_type":"public",
      "post_logout_redirect_uris":[
       "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
      "preauthorized_scope":"openid profile email general",
      "introspect_tokens":true,
      "trusted_uri_prefixes":[
         "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
      "redirect_uris":[        
      "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:9443/oidc/endpoint/OP"    ]
      }
   

6. Add the following piece of code to the platform-oidc-registration.json file:

   "allow_regexp_redirects":"true",
   

   The updated code resembles the following text:

   {
    "token_endpoint_auth_method":"client_secret_basic",
    "client_id": "d2a00fc99163f85169ac7c6de758bad1",
    "client_secret": "01661d22bd0b2025fd87e26e994a4894",
    "scope":"openid profile email",
    "allow_regexp_redirects":"true",                               <==========
    "grant_types":[
       "authorization_code",
       "client_credentials",
       "password",
       "implicit",
       "refresh_token",
       "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ...
   

7. Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add.

   "<regexp>:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
   

   Where, you add <regexp>: only if you are using a regex in the custom URI.

   Consider the following example URIs that you want to use to access the cluster:

   • Use the master node IP address and any port that starts with 84. You would then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
   • Use the host name example.abc.com and port 4002. You would then add "https://example.abc.com:4002/auth/liberty/callback".
   • Use a variable host name and a dynamic port assignment. You would then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

   If you added the example custom URIs, the updated code would resemble the following text:

   ...
   "application_type":"web",
   "subject_type":"public",
   "post_logout_redirect_uris":[
       "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
   "preauthorized_scope":"openid profile email general",
   "introspect_tokens":true,
   "trusted_uri_prefixes":[
     "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
   "redirect_uris":[
     "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       <==========
     "https://example.abc.com:4002/auth/liberty/callback",         <==========
     "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",          <==========   
     "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:9443/oidc/endpoint/OP"    ]
   }
   

8. Save and exit the file.

9. Save the client ID, client secret, and access IP to the following variables:

   1. Save the client secret:

      OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep OAUTH2_CLIENT_REGISTRATION_SECRET | awk '{ print $2}' | base64 --decode)
      

   2. Save the client ID:

      WLP_CLIENT_ID=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)
      

   3. Save the access IP:

      FIP=<master node IP address>
      

10. Apply the changes that you made to the platform-oidc-registration.json file.

     curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/cluster/cfc-components/platform-oidc-registration.json https://$FIP:8443/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
    

Now, you can access the management console with the new URL.