Customizing the cluster access URL

Customize the Uniform Resource Locator (URL) that you use to log in to your product console.

Supported customization formats

The following customization formats are supported:

Required user type or access level: Administrator

Customize the cluster access URL with oc command

Complete the following tasks on the boot node of your cluster.

  1. Log in to the boot node as a user with root permissions.
  2. Set up the OpenShift client (oc).
  3. Copy the content that is in the registration-json configmap into the file registration.yaml.

     oc get cm registration-json -n <your-foundational-services-namespace> -o yaml > registration.yaml
    

    The registration.yaml file content resembles the following code:

     apiVersion: v1
     data:
       platform-oidc-registration.json: |
         {
         "token_endpoint_auth_method":"client_secret_basic",
         "client_id": "d2a00fc99163f85169ac7c6de758bad1",
         "client_secret": "01661d22bd0b2025fd87e26e994a4894",
         "scope":"openid profile email",
         "grant_types":[
            "authorization_code",
            "client_credentials",
            "password",
            "implicit",
            "refresh_token",
            "urn:ietf:params:oauth:grant-type:jwt-bearer"
         ],
         "response_types":[
            "code",
            "token",
            "id_token token"
         ],
         "application_type":"web",
         "subject_type":"public",
         "post_logout_redirect_uris":[
          "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
         "introspect_tokens":true,
         "trusted_uri_prefixes":[
            "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
         "redirect_uris":[
            "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
         }
     kind: ConfigMap
     metadata:
       creationTimestamp: 2018-06-06T11:53:21Z
       name: registration-json
       namespace: <your-foundational-services-namespace>
       resourceVersion: "1255"
       selfLink: /api/v1/namespaces/<your-foundational-services-namespace>/configmaps/registration-json
       uid: 3620b003-6980-11e8-9420-fa163ea0dafe
    
  4. Create a platform-oidc-registration.json file. Place the file in the <installation directory>/cluster/cfc-components/ folder.

  5. Copy the content that is in the data: section of the registration.yaml file into the platform-oidc-registration.json file. The platform-oidc-registration.json file content resembles the following code:

      {
       "token_endpoint_auth_method":"client_secret_basic",
       "client_id": "d2a00fc99163f85169ac7c6de758bad1",
       "client_secret": "01661d22bd0b2025fd87e26e994a4894",
       "scope":"openid profile email",
       "grant_types":[
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ],
       "response_types":[
          "code",
          "token",
          "id_token token"
       ],
       "application_type":"web",
       "subject_type":"public",
       "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
       "preauthorized_scope":"openid profile email general",
       "introspect_tokens":true,
       "trusted_uri_prefixes":[
          "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
       "redirect_uris":[
       "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
       }
    
  6. Add the following piece of code to the platform-oidc-registration.json file:

     "allow_regexp_redirects":"true",
    

    The updated code resembles the following text:

     {
      "token_endpoint_auth_method":"client_secret_basic",
      "client_id": "d2a00fc99163f85169ac7c6de758bad1",
      "client_secret": "01661d22bd0b2025fd87e26e994a4894",
      "scope":"openid profile email",
      "allow_regexp_redirects":"true",                               <==========
      "grant_types":[
         "authorization_code",
         "client_credentials",
         "password",
         "implicit",
         "refresh_token",
         "urn:ietf:params:oauth:grant-type:jwt-bearer"
         ...
    
  7. Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add.

     "<regexp>:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
    

    Add the regexp: prefix only if the custom URI is a regular expression; for a literal URI, omit it.

    Consider the following example URIs that you want to use to access the cluster:

    • Use the master node IP address and any port that starts with 84. You would then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
    • Use the host name example.abc.com and port 4002. You would then add "https://example.abc.com:4002/auth/liberty/callback".
    • Use a variable host name and a dynamic port assignment. You would then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

    If you added the example custom URIs, the updated code resembles the following text:

    ...
    "application_type":"web",
    "subject_type":"public",
    "post_logout_redirect_uris":[
         "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
    "preauthorized_scope":"openid profile email general",
    "introspect_tokens":true,
    "trusted_uri_prefixes":[
       "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
    "redirect_uris":[
       "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       <==========
       "https://example.abc.com:4002/auth/liberty/callback",         <==========
       "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",          <==========
       "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
    }
    
  8. Save and exit the file.

  9. Save the client ID, client secret, and access IP to the following variables:

    1. Save the client secret:

      OAUTH2_CLIENT_REGISTRATION_SECRET=$(oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.OAUTH2_CLIENT_REGISTRATION_SECRET}" | base64 --decode)
      
    2. Save the client ID:

      WLP_CLIENT_ID=$(oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode)
      
    3. Save the access IP:

      FIP=<master node IP address>
      
  10. Apply the changes that you made to the platform-oidc-registration.json file.

    curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/cluster/cfc-components/platform-oidc-registration.json https://$FIP:8443/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
    
  11. Update the registration-json configmap with the custom URIs. Make the same changes that you made to the platform-oidc-registration.json file.

    1. Open the registration-json configmap for editing.

      oc edit cm registration-json -n <your-foundational-services-namespace>
      
    2. Add the following piece of code:

      "allow_regexp_redirects":"true",
      
    3. Add the custom URIs. If you added the example custom URIs, you would then add the following piece of code:

      "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
      "https://example.abc.com:4002/auth/liberty/callback",
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
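The procedure above registers literal and regexp: redirect URIs; before you apply them, it helps to confirm that each pattern accepts only the callback URLs you intend. The following script is an added example, not part of this documentation or the product: it loads a constructed copy of the "redirect_uris" section with the page's three custom entries, reports which entries accept a given callback URL (anchored, whole-string match), and flags regexp entries whose "." is unescaped and therefore matches any character. It assumes the "!d" token stands for a digit class, as "\d" does in a normal regex; verify that against your OIDC provider's regex dialect.

```python
import json
import re

# Constructed sample: a copy of the "redirect_uris" section built from the examples
# on this page. It is not read from a real cluster.
SAMPLE_REGISTRATION = json.dumps({
    "allow_regexp_redirects": "true",
    "redirect_uris": [
        "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
        "https://example.abc.com:4002/auth/liberty/callback",
        "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
        "https://10.10.25.213:8443/auth/liberty/callback",
        "https://mycluster.icp:8443/auth/liberty/callback",
    ],
})

def to_python_regex(pattern: str) -> str:
    # Assumption: "!d" in the page's patterns means a digit class ("\d").
    return pattern.replace("!d", r"\d")

def load_redirect_rules(registration_json: str):
    """Return (kind, value) pairs: ('literal', uri) or ('regexp', compiled pattern)."""
    doc = json.loads(registration_json)
    rules = []
    for entry in doc["redirect_uris"]:
        if entry.startswith("regexp:"):
            rules.append(("regexp", re.compile(to_python_regex(entry[len("regexp:"):]))))
        else:
            rules.append(("literal", entry))
    return rules

def accepted_by(registration_json: str, candidate: str):
    """List the entries that accept the candidate callback URL (whole-string match)."""
    hits = []
    for kind, value in load_redirect_rules(registration_json):
        if kind == "literal" and value == candidate:
            hits.append(value)
        elif kind == "regexp" and value.fullmatch(candidate):
            hits.append("regexp:" + value.pattern)
    return hits

def unescaped_dots(registration_json: str):
    """Regexp entries containing a '.' that is not escaped, so it matches any character."""
    flagged = []
    for kind, value in load_redirect_rules(registration_json):
        if kind == "regexp" and re.search(r"(?<!\\)\.", value.pattern):
            flagged.append(value.pattern)
    return flagged

if __name__ == "__main__":
    for uri in ["https://10.10.25.213:8443/auth/liberty/callback",
                "https://example-abc-com:4002/auth/liberty/callback"]:
        print(uri, "->", accepted_by(SAMPLE_REGISTRATION, uri) or "rejected")
    print("patterns with unescaped dots:", unescaped_dots(SAMPLE_REGISTRATION))
```

The second candidate shows why the flag matters: the host example-abc-com is accepted by the third entry because its dots are unescaped, so escape them (example\.[a-z]*\.com) if only dotted hosts are intended.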