Customizing the cluster access URL

Customize the Uniform Resource Locator (URL) that you use to log in to IBM Cloud Pak for Multicloud Management console.

Supported customization formats

The following customization formats are supported in the "redirect_uris" list of the OAuth client registration:

  • An exact URL, for example "https://example.abc.com:4002/auth/liberty/callback". The address that the browser is redirected to must match it character for character.
  • A regular expression that is prefixed with regexp:, for example "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback". Regular expressions are honored only when "allow_regexp_redirects" is set to true in the registration.

Keep regular expressions as narrow as possible. The redirect URI is where the OpenID Connect provider sends the authorization code and, because the implicit grant and the "token" response type are enabled in the registration, possibly the token itself, so any host that a pattern accepts can receive a user's session. An unescaped "." matches any character and "[a-z]*" matches any label, so the variable host name pattern above also accepts example.attacker.com. Prefer exact URLs; where a pattern is needed, use [.] for a literal dot, list the allowed labels explicitly, and bound the port with a fixed prefix or a {n} quantifier instead of "[0-9]*".

Required user type or access level: Cluster administrator

Customize the cluster access URL with cloudctl

Complete the following tasks on any node of your cluster that has IBM Cloud Pak CLI (cloudctl) and the Kubernetes CLI (kubectl) installed:

  1. Log in to cloudctl as a user with cluster administrator access.
  2. Save the client ID with the following command:

    WLP_CLIENT_ID=$(kubectl -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode)
    
  3. Get the platform-oidc-registration.json data with the following command:

    cloudctl iam oauth-client $WLP_CLIENT_ID > platform-oidc-registration.json
    
  4. Update the platform-oidc-registration.json file. The content of the file resembles the following text:

     OK
     {
         "allow_regexp_redirects": false,
         "appPasswordAllowed": false,
         "appTokenAllowed": false,
         "application_type": "web",
         "client_id": "515da8f96cc161795a03b77b4129a3f3",
         "client_id_issued_at": 1559051605,
         "client_name": "515da8f96cc161795a03b77b4129a3f3",
         "client_secret": "*",
         "client_secret_expires_at": 0,
         "functional_user_groupIds": [],
         "grant_types": [
             "authorization_code",
             "client_credentials",
             "password",
             "implicit",
             "refresh_token",
             "urn:ietf:params:oauth:grant-type:jwt-bearer"
         ],
         "introspect_tokens": true,
         "post_logout_redirect_uris": [
             "https://10.21.9.140:8443/console/logout",
             "https://9.46.76.19:8443/console/logout",
             "https://mycluster.icp:8443/console/logout"
         ],
         "preauthorized_scope": "openid profile email general",
         "redirect_uris": [
             "https://10.21.9.140:8443/auth/liberty/callback",
             "https://9.46.76.19:8443/auth/liberty/callback",
             "https://mycluster.icp:8443/auth/liberty/callback",
             "https://127.0.0.1:8443/oidc/endpoint/OP"
         ],
         "registration_client_uri": "https://9.46.76.19:8443/oidc/endpoint/OP/registration/515da8f96cc161795a03b77b4129a3f3",
         "resource_ids": [],
         "response_types": [
             "code",
             "token",
             "id_token token"
         ],
         "scope": "openid profile email",
         "subject_type": "public",
         "token_endpoint_auth_method": "client_secret_basic",
         "trusted_uri_prefixes": [
             "https://10.21.9.140:8443/",
             "https://9.46.76.19:8443/",
             "https://mycluster.icp:8443/"
         ]
     }
    

    Update the file content based on the following instructions:

    • Delete the lines that are output-only fields or are non-JSON data. For example, you must remove the following text from the sample output:
      • OK
      • "client_id_issued_at": 1559051605
      • "registration_client_uri": "https://9.46.76.19:8443/oidc/endpoint/OP/registration/515da8f96cc161795a03b77b4129a3f3",
    • Ensure that "allow_regexp_redirects" is set to true (a JSON boolean, as in the sample). After you update the file, the content resembles the following text:
      {
      "allow_regexp_redirects": true,
      "appPasswordAllowed": false,
      "appTokenAllowed": false,
      "application_type": "web",
      "client_id": "515da8f96cc161795a03b77b4129a3f3",
      "client_name": "515da8f96cc161795a03b77b4129a3f3",
      "client_secret": "*",
      "client_secret_expires_at": 0,
      "functional_user_groupIds": [],
      "grant_types": [
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "introspect_tokens": true,
      "post_logout_redirect_uris": [
          "https://10.21.9.140:8443/console/logout",
          "https://9.46.76.19:8443/console/logout",
          "https://mycluster.icp:8443/console/logout"
      ],
      "preauthorized_scope": "openid profile email general",
      "redirect_uris": [
          "https://10.21.9.140:8443/auth/liberty/callback",
          "https://9.46.76.19:8443/auth/liberty/callback",
          "https://mycluster.icp:8443/auth/liberty/callback",
          "https://127.0.0.1:8443/oidc/endpoint/OP"
      ],
      "resource_ids": [],
      "response_types": [
          "code",
          "token",
          "id_token token"
      ],
      "scope": "openid profile email",
      "subject_type": "public",
      "token_endpoint_auth_method": "client_secret_basic",
      "trusted_uri_prefixes": [
          "https://10.21.9.140:8443/",
          "https://9.46.76.19:8443/",
          "https://mycluster.icp:8443/"
      ]
      }
      
  5. Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add. Your custom URI might resemble the following example:

    "regexp:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
    

    Note: Add the regexp: prefix only if the custom URI is a regular expression. Without the prefix, the URI is compared as an exact string.

    Consider the following example URIs that you want to use to access the cluster:

    • Use the master node IP address and any port that starts with 84, then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
    • Use the host name example.abc.com and port 4002, then add "https://example.abc.com:4002/auth/liberty/callback".
    • Use a variable host name and a dynamic port assignment, then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

    If you added the example custom URIs, the updated code resembles the following text:

    ...
    "application_type":"web",
    "subject_type":"public",
    "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
    "preauthorized_scope":"openid profile email general",
    "introspect_tokens":true,
    "trusted_uri_prefixes":[
      "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
    "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       <==========
      "https://example.abc.com:4002/auth/liberty/callback",         <==========
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",          <==========
      "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
    }
    
  6. Run the following command to apply your changes:

    cloudctl iam oauth-client-update $WLP_CLIENT_ID -f platform-oidc-registration.json
    
  7. Update the registration-json configmap with the custom URIs. Make the same changes that you made to the platform-oidc-registration.json file, so that the configmap and the live client registration do not drift apart.

    1. Open the registration-json configmap for editing.

      kubectl edit cm registration-json -n ibm-common-services
      
    2. Add the following piece of code:

      "allow_regexp_redirects":"true",
      
    3. Add the custom URIs. If you added the example custom URIs, you would then add the following piece of code:

      "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
      "https://example.abc.com:4002/auth/liberty/callback",
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
      

Customize the cluster access URL with kubectl

Complete the following tasks on the boot node of your cluster.

  1. Log in to the boot node as a user with root permissions.
  2. Set up the Kubernetes CLI (kubectl).
  3. Copy the content that is in the registration-json configmap into the file registration.yaml.

    kubectl get cm registration-json -n ibm-common-services -o yaml > registration.yaml
    

    The registration.yaml file content resembles the following code:

    apiVersion: v1
    data:
     platform-oidc-registration.json: |
       {
       "token_endpoint_auth_method":"client_secret_basic",
       "client_id": "d2a00fc99163f85169ac7c6de758bad1",
       "client_secret": "01661d22bd0b2025fd87e26e994a4894",
       "scope":"openid profile email",
       "grant_types":[
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ],
       "response_types":[
          "code",
          "token",
          "id_token token"
       ],
       "application_type":"web",
       "subject_type":"public",
       "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
       "introspect_tokens":true,
       "trusted_uri_prefixes":[
          "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
       "redirect_uris":[
          "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
       }
    kind: ConfigMap
    metadata:
     creationTimestamp: 2018-06-06T11:53:21Z
     name: registration-json
     namespace: ibm-common-services
     resourceVersion: "1255"
     selfLink: /api/v1/namespaces/ibm-common-services/configmaps/registration-json
     uid: 3620b003-6980-11e8-9420-fa163ea0dafe
    
  4. Create a platform-oidc-registration.json file. Place the file in the <installation directory>/cluster/cfc-components/ folder.

  5. Copy the content that is in the data: section of the registration.yaml file into the platform-oidc-registration.json file. The platform-oidc-registration.json file content resembles the following code:

      {
       "token_endpoint_auth_method":"client_secret_basic",
       "client_id": "d2a00fc99163f85169ac7c6de758bad1",
       "client_secret": "01661d22bd0b2025fd87e26e994a4894",
       "scope":"openid profile email",
       "grant_types":[
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ],
       "response_types":[
          "code",
          "token",
          "id_token token"
       ],
       "application_type":"web",
       "subject_type":"public",
       "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
       "preauthorized_scope":"openid profile email general",
       "introspect_tokens":true,
       "trusted_uri_prefixes":[
          "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
       "redirect_uris":[
       "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
       }
    
  6. Add the following piece of code to the platform-oidc-registration.json file:

    "allow_regexp_redirects":"true",
    

    The updated code resembles the following text:

    {
     "token_endpoint_auth_method":"client_secret_basic",
     "client_id": "d2a00fc99163f85169ac7c6de758bad1",
     "client_secret": "01661d22bd0b2025fd87e26e994a4894",
     "scope":"openid profile email",
     "allow_regexp_redirects":"true",                               <==========
     "grant_types":[
        "authorization_code",
        "client_credentials",
        "password",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
        ...
    
  7. Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add. Your custom URI might resemble the following example:

    "regexp:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
    

    Add the regexp: prefix only if the custom URI is a regular expression. Without the prefix, the URI is compared as an exact string.

    Consider the following example URIs that you want to use to access the cluster:

    • Use the master node IP address and any port that starts with 84. You would then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
    • Use the host name example.abc.com and port 4002. You would then add "https://example.abc.com:4002/auth/liberty/callback".
    • Use a variable host name and a dynamic port assignment. You would then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

    If you added the example custom URIs, the updated code resembles the following text:

    ...
    "application_type":"web",
    "subject_type":"public",
    "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
    "preauthorized_scope":"openid profile email general",
    "introspect_tokens":true,
    "trusted_uri_prefixes":[
      "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
    "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       <==========
      "https://example.abc.com:4002/auth/liberty/callback",         <==========
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",          <==========
      "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
    }
    
  8. Save and exit the file.

  9. Save the client ID, client secret, and access IP to the following variables:

    1. Save the client secret:

      OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data.OAUTH2_CLIENT_REGISTRATION_SECRET}" | base64 --decode)
      
    2. Save the client ID:

      WLP_CLIENT_ID=$(kubectl -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode)
      
    3. Save the access IP:

      FIP=<master node IP address>
      
  10. Apply the changes that you made to the platform-oidc-registration.json file.

     curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/cluster/cfc-components/platform-oidc-registration.json https://$FIP:8443/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID

     Note: -k disables verification of the server certificate, and -vv prints the request headers, including the Authorization header that carries the registration secret, to the terminal. On a production cluster, replace -k with --cacert <path to the cluster CA certificate>, drop -vv, and unset OAUTH2_CLIENT_REGISTRATION_SECRET when you are done. Inspect the response for an error before you continue; a malformed file (for example, a trailing comma or a leftover output-only field) is rejected by the registration endpoint.
    
  11. Update the registration-json configmap with the custom URIs. Make the same changes that you made to the platform-oidc-registration.json file, so that the configmap and the live client registration do not drift apart.

    1. Open the registration-json configmap for editing.

      kubectl edit cm registration-json -n ibm-common-services
      
    2. Add the following piece of code:

      "allow_regexp_redirects":"true",
      
    3. Add the custom URIs. If you added the example custom URIs, you would then add the following piece of code:

      "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
      "https://example.abc.com:4002/auth/liberty/callback",
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
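
The following script is an added example, not part of the IBM documentation or of the cloudctl tooling. It performs the JSON edits that steps 4 to 6 of the cloudctl procedure and steps 5 to 7 of the kubectl procedure describe, and then audits every regexp: redirect URI against redirect targets that an attacker could host before the file is applied. It assumes that the input is the cloudctl iam oauth-client output shown on this page (an "OK" status line followed by the registration JSON), that a regexp: redirect URI is a Java-style regular expression matched against the whole redirect target, and that "!" stands in for the backslash escape, as the page's "84!d!d" pattern suggests. Verify both regex assumptions against your Liberty OpenID Connect Provider version; the audit is conservative under either matching mode. The sample output and probe URLs are constructed.

```python
"""Added example, not part of the IBM documentation or the cloudctl tooling.

Prepares platform-oidc-registration.json from `cloudctl iam oauth-client`
output and audits regexp: redirect URIs before the file is applied.

Assumptions (verify against your Liberty OpenID Connect Provider version):
  * the input is an "OK" status line followed by the registration JSON;
  * a regexp: redirect URI is a Java-style regular expression matched
    against the whole redirect target, and "!" stands in for the backslash
    escape, as the page's "84!d!d" pattern suggests.
"""
import json
import re

# Output-only fields that must not be sent back on update
# (step 4 of the cloudctl procedure says to delete them).
OUTPUT_ONLY_FIELDS = ("client_id_issued_at", "registration_client_uri")

# Constructed sample modelled on the page's cloudctl output, abridged.
RAW_CLOUDCTL_OUTPUT = """OK
{
    "allow_regexp_redirects": false,
    "client_id": "515da8f96cc161795a03b77b4129a3f3",
    "client_id_issued_at": 1559051605,
    "registration_client_uri": "https://9.46.76.19:8443/oidc/endpoint/OP/registration/515da8f96cc161795a03b77b4129a3f3",
    "redirect_uris": [
        "https://9.46.76.19:8443/auth/liberty/callback",
        "https://mycluster.icp:8443/auth/liberty/callback"
    ]
}
"""

# The page's variable-host pattern next to a tightened form that keeps the
# intended flexibility: [.] for a literal dot (no escape ambiguity), an
# explicit set of labels, and a bounded port instead of [0-9]*.
LOOSE = "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback"
TIGHT = "regexp:https://example[.](abc|def)[.]com:[0-9]{4}/auth/liberty/callback"

# Constructed redirect targets on a host that an attacker could register.
ATTACKER_PROBES = [
    "https://example.attacker.com:443/auth/liberty/callback",
    "https://example.attacker.com:8443/auth/liberty/callback",
]


def prepare_registration(raw_output, custom_uris):
    """Return the registration ready for `cloudctl iam oauth-client-update -f`.

    Drops the non-JSON status line and the output-only fields, sets
    allow_regexp_redirects, and prepends the custom URIs that are not
    already registered.
    """
    body = raw_output[raw_output.index("{"):]  # skip "OK" and anything before the JSON
    reg = json.loads(body)
    for field in OUTPUT_ONLY_FIELDS:
        reg.pop(field, None)
    reg["allow_regexp_redirects"] = True
    existing = reg.get("redirect_uris", [])
    reg["redirect_uris"] = [u for u in custom_uris if u not in existing] + existing
    return reg


def _as_python_regex(uri):
    # ASSUMPTION: "!" is the page's stand-in for the backslash escape.
    return re.compile(uri[len("regexp:"):].replace("!", "\\"))


def redirect_accepts(uri, target):
    """True if the registered redirect URI `uri` would accept `target`.

    Literal URIs are compared exactly.  regexp: URIs use fullmatch; a
    pattern that full-matches a target also matches it under partial
    matching, so a hit here is real whichever mode the server uses.
    """
    if uri.startswith("regexp:"):
        return _as_python_regex(uri).fullmatch(target) is not None
    return uri == target


def audit_redirect_uris(uris, probes):
    """Map each regexp: URI to the attacker probes it would accept."""
    findings = {}
    for uri in uris:
        if not uri.startswith("regexp:"):
            continue
        hits = [p for p in probes if redirect_accepts(uri, p)]
        if hits:
            findings[uri] = hits
    return findings


if __name__ == "__main__":
    reg = prepare_registration(RAW_CLOUDCTL_OUTPUT, [LOOSE, TIGHT])
    # Refuse to write the file while any pattern accepts an attacker host.
    findings = audit_redirect_uris(reg["redirect_uris"], ATTACKER_PROBES)
    for uri, hits in findings.items():
        print("over-broad redirect pattern:", uri, "accepts", hits)
    if not findings:
        with open("platform-oidc-registration.json", "w") as fh:
            json.dump(reg, fh, indent=4)
    else:
        print("not writing platform-oidc-registration.json; tighten the patterns above")
```

Run it in place of the manual edits in step 4 to step 6 (or step 5 to step 7); it writes the file only when no regexp: entry accepts a probe. Extend ATTACKER_PROBES with the host names that matter in your environment, for example a sibling domain that outside parties can register under.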
      

Edit allowed host headers

If you changed the host name to access the cluster, you need to modify the allowed host headers in the DaemonSet icp-management-ingress.

  1. Edit the DaemonSet icp-management-ingress by running the following command:

    kubectl edit ds -n ibm-common-services icp-management-ingress
    
  2. Edit the environment variable ALLOWED_HOST_HEADERS in the DaemonSet. For example, if you added the host name mycluster.icp.new to the cluster access URL, change the environment variable from:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp icp-management-ingress icp-management-ingress.ibm-common-services
    
    

    To:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp mycluster.icp.new icp-management-ingress icp-management-ingress.ibm-common-services
    

The icp-management-ingress pods restart with the new value. Host names that are not in this list are not accepted by the management ingress, so add every host name that you use in a custom redirect URI.

Now, you can access the console with the new URL.