Enabling administrator authentication on IBM Cloud

Before you begin

You must meet these prerequisites:

  • The IBMid of the user that is being enabled for authentication in OpenShift must be a valid member of the IBM Cloud account.

  • The user that is being enabled must log in to this IBM Cloud Account at least once with their IBMid before you use this procedure.

  • You have the OpenShift Container Platform command-line interface (CLI) installed. To download the CLI, use the link that is provided by the Cluster Manager website and add the files to your PATH. These files are accessible directly over the internet and do not require a Red Hat ID to download.

Initial setup

  1. Log in to the cluster from the CLI:

    oc login <openshift_url> -u <username> -p <password> -n <namespace>

  2. To verify the list of users that can be authenticated in OpenShift, run:

    oc get users | awk '{print $1}'

    Check the list for email IDs containing the prefix IAM#. These users can be authenticated in OpenShift using their w3id.

  3. Verify that the IBM Cloud Pak® foundational services OperandConfig is available:

    oc get OperandConfig -n ibm-common-services common-service

    This should return something similar to:

    NAME             AGE   PHASE     CREATED AT
    common-service   84m   Running   2021-06-18T12:44:37Z

    If the OperandConfig is not available, follow the instructions in Deploying IBM Cloud Pak for Integration using the OpenShift console first.

Update platform-auth-idp configmap and restart pods

  1. To edit the platform-auth-idp configmap, run:

    oc edit cm platform-auth-idp -n ibm-common-services

    In the data section, the "BOOTSTRAP_USERID" is set to either kubeadmin or an empty string ('') by default, for example:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: platform-auth-idp
      namespace: ibm-common-services
    ...
    data:
      ...
      BOOTSTRAP_USERID: ''
      ...

    Change this value to the name or email address of the OpenShift user who will be the Cloud Pak administrator.

    Note: Do not use the IAM# prefix with this value.

  2. Restart the relevant pods:

    # Delete every pod in ibm-common-services whose name matches one of the
    # listed components; the operator recreates them with the new configmap.
    for pod in auth-pdp auth-idp common-web-ui oidcclient-watcher
    do
      oc get pod -n ibm-common-services --no-headers | grep "$pod" | awk '{print $1}' | xargs oc delete pod -n ibm-common-services
    done
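The checks in the two sections above (a user list with the IAM# prefix, an OperandConfig in the Running phase, and a BOOTSTRAP_USERID without the IAM# prefix) can be scripted before editing the configmap. The following pre-flight script is an added example, not part of the IBM documentation; the `oc` output it parses offline is constructed sample data and the column layout beyond the first column is an assumption.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): pre-flight checks for the
# BOOTSTRAP_USERID change. The parsing functions read the output of the
# documented `oc` commands from stdin, so they can be exercised offline on the
# constructed samples below; `preflight` runs them against a live cluster.

# Constructed sample output of `oc get users` (column layout is an assumption;
# only the first column, which the documentation uses, matters here).
SAMPLE_OC_GET_USERS='NAME                    UID      FULL NAME   IDENTITIES
IAM#alice@example.com   1111     Alice       IAM:IAM#alice@example.com
kube:admin              2222
IAM#bob@example.com     3333     Bob         IAM:IAM#bob@example.com'

# Constructed sample output of `oc get OperandConfig -n ibm-common-services common-service`.
SAMPLE_OPERANDCONFIG='NAME             AGE   PHASE     CREATED AT
common-service   84m   Running   2021-06-18T12:44:37Z'

# Print the users that authenticate through IBM Cloud IAM, without the IAM# prefix.
iam_users() {
  awk '$1 ~ /^IAM#/ { sub(/^IAM#/, "", $1); print $1 }'
}

# Reject an empty BOOTSTRAP_USERID or one that still carries the IAM# prefix,
# which the documentation says must be omitted.
validate_bootstrap_userid() {
  case "$1" in
    "")      echo "BOOTSTRAP_USERID must not be empty" >&2; return 1 ;;
    "IAM#"*) echo "BOOTSTRAP_USERID must not use the IAM# prefix" >&2; return 1 ;;
    *)       return 0 ;;
  esac
}

# Succeed only if the common-service OperandConfig reports PHASE Running.
operandconfig_running() {
  awk '$1 == "common-service" && $3 == "Running" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Live check: validate the chosen ID, confirm the OperandConfig is Running, and
# confirm the ID matches a user that has already logged in with their IBMid.
preflight() {
  validate_bootstrap_userid "$1" || return 1
  oc get OperandConfig -n ibm-common-services common-service | operandconfig_running \
    || { echo "OperandConfig common-service is not Running" >&2; return 1; }
  oc get users | iam_users | grep -qxF -- "$1" \
    || { echo "no IAM# user matches $1; has the user logged in once?" >&2; return 1; }
  echo "preflight OK: BOOTSTRAP_USERID=$1"
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OC_GET_USERS" | iam_users
printf '%s\n' "$SAMPLE_OPERANDCONFIG" | operandconfig_running && echo "OperandConfig Running"
```

Against a live cluster, source the file and run `preflight <user_email>` after `oc login`; a non-zero exit means one of the prerequisites above is not met.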

In the Platform UI, set the user as an Administrator and Automation Administrator

  1. In your web browser, log into the IBM Cloud Pak Platform UI using your OpenShift cluster admin credentials. For details on accessing the Platform UI, see Deploying IBM Cloud Pak for Integration using the OpenShift console, "Logging into the Platform UI" section.

  2. Click Manage users.

  3. On the Access control page, click the Add users button.

  4. In the Add user dialog, make sure Profile information is selected, and enter the value you set for BOOTSTRAP_USERID in the previous section (Step 2). This should locate the correct email address. Once it is found, click Next.

  5. On the Platform access page, click Assign roles directly, then click Next.

  6. On the Roles page, select Administrator and Automation Administrator, then click Next.

  7. On the Summary page, confirm that the account and roles are correct, then click Add.

The listed user should now be able to use their w3id credentials to log into the Platform UI using OpenShift authentication.