Customizing the cluster access URL
Customize the Uniform Resource Locator (URL) that you use to log in to your product console.
- Supported customization formats
- Customize the cluster access URL
Supported customization formats
The following customization formats are supported:

```text
https://<Public IP>:8443/console
https://<Public IP>:8443/console/
https://<Private IP>:8443/console/
https://<Private IP>:custom-port/console/
https://<host name>:8443/console
https://<host name>:custom-port/console
https://localhost:8443/console
https://localhost:<custom port>/console
https://<Regex host name>:8443/console
https://<Regex IP>:8443/console
https://<Regex host name>:<custom port>/console
https://<Regex IP>:<custom port>/console
https://<Regex host name>:<Regex port>/console
https://<Regex IP>:<Regex Port>/console
```
Required user type or access level: Administrator
Customize the cluster access URL with the oc command
Complete the following tasks on the boot node of your cluster.
- Log in to the boot node as a user with root permissions.
- Set up the OpenShift client (oc).
- Copy the content that is in the registration-json configmap into the file registration.yaml:

```shell
oc get cm registration-json -n <your-foundational-services-namespace> -o yaml > registration.yaml
```

The registration.yaml file content resembles the following code:

```yaml
apiVersion: v1
data:
  platform-oidc-registration.json: |
    {
      "token_endpoint_auth_method":"client_secret_basic",
      "client_id": "d2a00fc99163f85169ac7c6de758bad1",
      "client_secret": "01661d22bd0b2025fd87e26e994a4894",
      "scope":"openid profile email",
      "grant_types":[
        "authorization_code",
        "client_credentials",
        "password",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "response_types":[
        "code",
        "token",
        "id_token token"
      ],
      "application_type":"web",
      "subject_type":"public",
      "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"
      ],
      "introspect_tokens":true,
      "trusted_uri_prefixes":[
        "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"
      ],
      "redirect_uris":[
        "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"
      ]
    }
kind: ConfigMap
metadata:
  creationTimestamp: 2018-06-06T11:53:21Z
  name: registration-json
  namespace: <your-foundational-services-namespace>
  resourceVersion: "1255"
  selfLink: /api/v1/namespaces/<your-foundational-services-namespace>/configmaps/registration-json
  uid: 3620b003-6980-11e8-9420-fa163ea0dafe
```
- Create a platform-oidc-registration.json file. Place the file in the <installation directory>/cluster/cfc-components/ folder.
- Copy the content that is in the data: section of the registration.yaml file into the platform-oidc-registration.json file. The platform-oidc-registration.json file content resembles the following code:

```json
{
  "token_endpoint_auth_method":"client_secret_basic",
  "client_id": "d2a00fc99163f85169ac7c6de758bad1",
  "client_secret": "01661d22bd0b2025fd87e26e994a4894",
  "scope":"openid profile email",
  "grant_types":[
    "authorization_code",
    "client_credentials",
    "password",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "response_types":[
    "code",
    "token",
    "id_token token"
  ],
  "application_type":"web",
  "subject_type":"public",
  "post_logout_redirect_uris":[
    "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"
  ],
  "preauthorized_scope":"openid profile email general",
  "introspect_tokens":true,
  "trusted_uri_prefixes":[
    "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"
  ],
  "redirect_uris":[
    "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"
  ]
}
```
- Add the following piece of code to the platform-oidc-registration.json file:

```text
"allow_regexp_redirects":"true",
```

The updated code resembles the following text:

```text
{
  "token_endpoint_auth_method":"client_secret_basic",
  "client_id": "d2a00fc99163f85169ac7c6de758bad1",
  "client_secret": "01661d22bd0b2025fd87e26e994a4894",
  "scope":"openid profile email",
  "allow_regexp_redirects":"true",    <==========
  "grant_types":[
    "authorization_code",
    "client_credentials",
    "password",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ...
```
- Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add. Each entry has the following form:

```text
"<regexp>:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
```

Add the regexp: prefix only if you are using a regex in the custom URI. Consider the following example URIs that you want to use to access the cluster:

- Use the master node IP address and any port that starts with 84. You would then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
- Use the host name example.abc.com and port 4002. You would then add "https://example.abc.com:4002/auth/liberty/callback".
- Use a variable host name and a dynamic port assignment. You would then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

If you added the example custom URIs, the updated code resembles the following text:

```text
...
  "application_type":"web",
  "subject_type":"public",
  "post_logout_redirect_uris":[
    "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"
  ],
  "preauthorized_scope":"openid profile email general",
  "introspect_tokens":true,
  "trusted_uri_prefixes":[
    "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"
  ],
  "redirect_uris":[
    "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",    <==========
    "https://example.abc.com:4002/auth/liberty/callback",    <==========
    "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",    <==========
    "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"
  ]
}
```
- Save and exit the file.
- Save the client ID, client secret, and access IP to the following variables:
  - Save the client secret:

```shell
OAUTH2_CLIENT_REGISTRATION_SECRET=$(oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.OAUTH2_CLIENT_REGISTRATION_SECRET}" | base64 --decode)
```

  - Save the client ID:

```shell
WLP_CLIENT_ID=$(oc -n <your-foundational-services-namespace> get secret platform-oidc-credentials -o "jsonpath={.data.WLP_CLIENT_ID}" | base64 --decode)
```

  - Save the access IP:

```shell
FIP=<master node IP address>
```
- Apply the changes that you made to the platform-oidc-registration.json file:

```shell
curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/cluster/cfc-components/platform-oidc-registration.json https://$FIP:8443/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
```
- Update the registration-json configmap with the custom URIs. Make the same changes that you made to the platform-oidc-registration.json file.
  - Open the registration-json configmap for editing:

```shell
oc edit cm registration-json -n <your-foundational-services-namespace>
```
  - Add the following piece of code:

```text
"allow_regexp_redirects":"true",
```
  - Add the custom URIs. If you added the example custom URIs, you would then add the following piece of code:

```text
"redirect_uris":[
  "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
  "https://example.abc.com:4002/auth/liberty/callback",
  "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
```
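Because the redirect_uris list is edited by hand and then PUT to the OIDC provider, it is worth checking, before the curl step, which callback URIs the entries actually admit and whether the regexp entries are well formed. The following Python script is an added example, not IBM's code or part of this page; it assumes that entries prefixed with regexp: are regular expressions, that the page's !d stands for a single digit as the 84!d!d example implies, and that plain entries must match exactly, and it anchors regexp entries with fullmatch so that a pattern cannot admit a longer URI than it spells out.

```python
import re
from typing import List, Optional

# Constructed sample mirroring the "redirect_uris" list built in this procedure
# (values taken from the page's example). This is not IBM's code.
REDIRECT_URIS = [
    "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",
    "https://example.abc.com:4002/auth/liberty/callback",
    "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",
    "https://10.10.25.213:8443/auth/liberty/callback",
]

def to_python_regex(entry: str) -> str:
    """Strip the 'regexp:' prefix and turn the page's '!d' into a digit class.
    Assumption: '!d' stands for one digit, as the 84!d!d example implies."""
    return entry[len("regexp:"):].replace("!d", r"\d")

def uri_allowed(uri: str, redirect_uris: List[str] = REDIRECT_URIS) -> Optional[str]:
    """Return the first entry that admits `uri`, or None.
    Plain entries must match exactly; regexp entries are compared with
    fullmatch, so a pattern cannot admit a longer URI than it spells out."""
    for entry in redirect_uris:
        if entry.startswith("regexp:"):
            if re.fullmatch(to_python_regex(entry), uri):
                return entry
        elif entry == uri:
            return entry
    return None

def check_registration(reg: dict) -> List[str]:
    """Lint a registration document before it is PUT to the OP: regexp entries
    need "allow_regexp_redirects":"true" and must compile."""
    problems = []
    regexps = [u for u in reg.get("redirect_uris", []) if u.startswith("regexp:")]
    if regexps and reg.get("allow_regexp_redirects") != "true":
        problems.append('regexp entries present but "allow_regexp_redirects" is not "true"')
    for entry in regexps:
        try:
            re.compile(to_python_regex(entry))
        except re.error as exc:
            problems.append(f"{entry}: {exc}")
    return problems

if __name__ == "__main__":
    for candidate in ("https://10.10.25.213:8400/auth/liberty/callback",
                      "https://10.10.25.213:84000/auth/liberty/callback"):
        print(candidate, "->", uri_allowed(candidate))
    print(check_registration({"redirect_uris": REDIRECT_URIS}))
```

Running it with the page's own entries shows that port 8400 is admitted by the 84!d!d entry while 84000 is not, and that the "allow_regexp_redirects" flag is reported as missing until you add it.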