Delegating authentication to OpenShift
This version of documentation is no longer updated. For the latest information, see the following links:
- Continuous Delivery (CD) documentation
- Support Cycle-2 (SC-2) documentation
Authenticate with Red Hat OpenShift.
If you are installing your product on an environment that uses the built-in OpenShift OAuth server, you can use the OpenShift OAuth server for authentication.
Authentication with OpenShift is enabled by default. You can disable it, if required.
Note: If you are upgrading your cluster, the authentication configuration is not changed after the upgrade. For example, if you did not configure OpenShift authentication in the previous release, the OpenShift authentication is not enabled after you upgrade.
Updating OpenShift authentication before you install the IAM Operator
Complete the following steps to update the OpenShift authentication parameters. You must complete these steps after you install the IBM Cloud Pak foundational services operator, but before you install the foundational services in your cluster:
- From your OpenShift Container Platform console, click Operators > Installed Operators.
- Search for IBM Cloud Pak foundational services and click the IBM Cloud Pak foundational services operator name to open the Details tab for the operator.
- Select the Common Service tab. You see an instance of the CommonService that is installed in your cluster.
- Edit the common-service instance.
- In the YAML file, scroll down to the spec.services.ibm-iam-operator.spec.authentication.config section. Note: Create the spec.services.ibm-iam-operator.spec.authentication.config section if it does not exist. The following example shows the spec.services.ibm-iam-operator.spec.authentication.config section in the YAML file:
```yaml
apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: ibm-common-services
spec:
  size: ...
  ...
  services:
  - name: ibm-iam-operator
    spec:
      authentication:
        config:
          roksEnabled: false
          roksURL: <endpoint url>
          roksUserPrefix: 'IAM#'
```
- Update the values of the following parameters:
  - roksEnabled: Set to false to disable authentication with Red Hat OpenShift. The default value is true.
  - roksURL: The public service endpoint URL of your public cloud cluster. Use the following command to get the endpoint URL.
  - roksUserPrefix: Prefix to be used with the username. When you access your cluster console or CLI, you use the prefix along with the username to authenticate with OpenShift. The default value is "". If you are using IAM with Red Hat OpenShift Kubernetes Service in the IBM Cloud, you must set the prefix to IAM#.
  Note: You need jq to run the following command. To install jq, see Download jq.
```sh
curl -sk https://<server-URL>/.well-known/oauth-authorization-server | jq -r '.issuer'
```
  For example,
  - Code sample:
```sh
curl -sk https://api.par-test.os.fyre.ibm.com:6443/.well-known/oauth-authorization-server | jq -r '.issuer'
```
  - Output of the code sample:
```
https://oauth-openshift.apps.par-test.os.fyre.ibm.com
```
  The following shows a configuration of the ibm-iam-operator with the OpenShift authentication configuration in the CommonService YAML file:
```yaml
- name: ibm-iam-operator
  spec:
    authentication:
      config:
        roksEnabled: true
        roksURL: 'https://oauth-openshift.apps.par-test.os.fyre.ibm.com'
        roksUserPrefix: 'IAM#'
    oidcclientwatcher: {}
    pap: {}
    policycontroller: {}
    policydecision: {}
    secretwatcher: {}
    securityonboarding: {}
```
- Save the YAML file.
When you access your product console, you can see the OpenShift authentication as a login option.
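The roksURL value is compared by the IAM service against the issuer the OAuth server advertises, so a hand-typed value with a stray trailing slash or an http scheme silently breaks the OpenShift login option. The following script is an added example and is not part of the IBM documentation or the foundational services code: it extracts the issuer from the discovery document with sed (so jq is not required), checks a configured roksURL against it, and renders the authentication.config block to paste into the CommonService YAML. The discovery document and the configured URL are constructed stand-ins for what the curl and oc commands above would return, and the hostnames are placeholders.

```sh
#!/bin/sh
# Added example (not from the IBM docs). Runs offline against constructed inputs;
# in a real cluster the two inputs come from
#   curl -sk https://<server-URL>/.well-known/oauth-authorization-server
#   oc get commonservice common-service -n ibm-common-services -o yaml

# Constructed discovery document: same shape as the real one, placeholder host.
SAMPLE_DISCOVERY='{"issuer":"https://oauth-openshift.apps.example.test","authorization_endpoint":"https://oauth-openshift.apps.example.test/oauth/authorize","token_endpoint":"https://oauth-openshift.apps.example.test/oauth/token"}'

# Constructed value an operator might have pasted by hand: note the trailing slash.
SAMPLE_CONFIGURED_URL='https://oauth-openshift.apps.example.test/'

# Pull the "issuer" string out of the discovery JSON using sed only.
issuer_from_discovery() {
  printf '%s\n' "$1" | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Strip trailing slashes so a slash mismatch is reported as such, not as a wrong host.
normalize_url() {
  printf '%s\n' "$1" | sed 's#/*$##'
}

# Return 0 when $1 (configured roksURL) is exactly the issuer $2, else explain why not.
check_roks_url() {
  configured=$(normalize_url "$1")
  expected=$(normalize_url "$2")
  case "$configured" in
    https://*) ;;
    *) echo "roksURL must use https: $1"; return 1 ;;
  esac
  if [ "$configured" != "$expected" ]; then
    echo "roksURL mismatch: configured=$1 issuer=$2"
    return 1
  fi
  if [ "$1" != "$configured" ]; then
    echo "roksURL has a trailing slash; set it to exactly: $expected"
    return 1
  fi
  return 0
}

# Render the authentication.config block that sits under
# spec.services[ibm-iam-operator].spec in the CommonService YAML.
# $1 = roksEnabled (true|false), $2 = roksURL, $3 = roksUserPrefix
render_auth_config() {
  printf "authentication:\n  config:\n    roksEnabled: %s\n    roksURL: '%s'\n    roksUserPrefix: '%s'\n" "$1" "$2" "$3"
}

issuer=$(issuer_from_discovery "$SAMPLE_DISCOVERY")
echo "issuer advertised by the OAuth server: $issuer"
if check_roks_url "$SAMPLE_CONFIGURED_URL" "$issuer"; then
  echo "configured roksURL is correct"
else
  echo "suggested block:"
  render_auth_config true "$issuer" 'IAM#'
fi
```

With the constructed inputs the check fails on the trailing slash and prints the corrected block; on a real cluster, replace the two SAMPLE_ values with the curl and oc output and paste the rendered block into the common-service instance as described in the steps above.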
Changing the default cloud pak administrator
The IBM Cloud Pak foundational services installation creates a default admin user, who is a cluster administrator. If you are delegating authentication to OpenShift, you can customize the default OpenShift username by using the bootstrapUserId parameter. This user has the cloud pak administrator access.
To add the bootstrapUserId parameter before IAM service installation, see Assigning the cloud pak administrator privileges to an OpenShift user.
To add the bootstrapUserId parameter after IAM service installation, complete these steps:
- Log in to your infrastructure node by using the oc login command.
- Edit the platform-auth-idp configmap.
```sh
oc edit cm platform-auth-idp -n ibm-common-services
```
  In the data section, "BOOTSTRAP_USERID" is set to kubeadmin by default. Change kubeadmin to the OpenShift user who you want to make the cloud pak administrator.
- Restart the auth-idp pod by deleting it.
  - Get the auth-idp pod name.
```sh
oc get pods -n ibm-common-services | grep auth-idp
```
    Following is a sample output:
```
auth-idp-785df784f5-qcx4z 4/4 Running 0 39d
```
  - Delete the auth-idp pod.
```sh
oc delete pod <auth-idp-pod-name> -n ibm-common-services
```
After the pod restarts, the OpenShift user can access the cluster with cloud pak administrator privileges.
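Because BOOTSTRAP_USERID grants cloud pak administrator access, the edit is worth scripting so that the value is validated and only that one key changes. The script below is an added example, not part of the IBM documentation: it swaps the interactive oc edit for an oc patch merge patch on the platform-auth-idp configmap (the assumption being that patching the data key is equivalent to editing it), then picks the auth-idp pod to delete without matching the similarly named auth-pap pod. The oc get pods output is constructed so the helpers run offline, and DRY_RUN defaults to 1 so the oc commands are printed rather than executed; NAMESPACE and the default user id ocpadmin are placeholders.

```sh
#!/bin/sh
# Added example (not from the IBM docs). DRY_RUN=1 (the default) prints the oc
# commands instead of running them; set DRY_RUN=0 to apply against a cluster.

NAMESPACE=ibm-common-services
DRY_RUN=${DRY_RUN:-1}

# Constructed stand-in for `oc get pods -n ibm-common-services` output.
SAMPLE_PODS='NAME                                READY   STATUS    RESTARTS   AGE
auth-idp-785df784f5-qcx4z           4/4     Running   0          39d
auth-pap-6c4d9f8b7d-x2k9p           2/2     Running   0          39d
oidcclient-watcher-5d7b8c9f6-abcde  1/1     Running   0          39d'

# Reject user ids that are empty or contain whitespace, quotes or backslashes:
# those would either break the configmap value or need JSON escaping we do not do.
valid_bootstrap_user() {
  case "$1" in
    ''|*[[:space:]]*|*\"*|*\'*|*\\*) return 1 ;;
    *) return 0 ;;
  esac
}

# JSON merge patch that names only data.BOOTSTRAP_USERID; every other key in the
# configmap is left as it is (a merge patch only touches the keys it names).
bootstrap_patch() {
  printf '{"data":{"BOOTSTRAP_USERID":"%s"}}' "$1"
}

# First column of the pod line whose name starts with auth-idp-; auth-pap and
# oidcclient-watcher do not match.
auth_idp_pod_name() {
  printf '%s\n' "$1" | awk '$1 ~ /^auth-idp-/ { print $1; exit }'
}

# Validate, patch the configmap, then delete the auth-idp pod so it restarts.
set_bootstrap_user() {
  user=$1
  valid_bootstrap_user "$user" || { echo "invalid user id: '$user'" >&2; return 1; }
  patch=$(bootstrap_patch "$user")
  if [ "$DRY_RUN" = 1 ]; then
    pods=$SAMPLE_PODS
    echo "oc patch cm platform-auth-idp -n $NAMESPACE --type=merge -p '$patch'"
  else
    oc patch cm platform-auth-idp -n "$NAMESPACE" --type=merge -p "$patch" || return 1
    pods=$(oc get pods -n "$NAMESPACE")
  fi
  pod=$(auth_idp_pod_name "$pods")
  [ -n "$pod" ] || { echo "no auth-idp pod found in $NAMESPACE" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then
    echo "oc delete pod $pod -n $NAMESPACE"
  else
    oc delete pod "$pod" -n "$NAMESPACE"
  fi
}

set_bootstrap_user "${1:-ocpadmin}"
```

Run it as `sh set-bootstrap-user.sh 'IAM#alice@example.test'` to see the two oc commands it would issue; the prefix in the user id must match the roksUserPrefix configured for the cluster, which is why the validator accepts `#` and `@` but not whitespace.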
Updating OpenShift authentication after you install the IAM operator
If you installed the ibm-iam-operator in your cluster with OpenShift authentication enabled, and you want to disable OpenShift authentication or you want to update the parameters, complete the following steps:
- Follow the steps in Updating OpenShift authentication before you install the IAM Operator to either provide the OpenShift authentication parameters or to disable the authentication.
- Restart the following pods. You can restart the pods by deleting them from your OpenShift Container Platform console Workloads > Pods page.
  - auth-pdp
  - common-web-ui
  - auth-idp
  - oidcclient-watcher
- Clear the browser cache and access your product console login page.
IAM integration with Red Hat OpenShift Kubernetes Service in the IBM Cloud
If you are using IAM with Red Hat OpenShift Kubernetes Service in the IBM Cloud, there are some known limitations to consider:
- The cloudctl login command does not function for OpenShift IBMid users. These users might need to log in to the console to obtain the kubectl context for completing CLI operations, such as running cloudctl commands.
- Searching for groups in a Red Hat OpenShift Kubernetes Service environment to add users to a team is not supported. You can search for only users in a Red Hat OpenShift Kubernetes Service environment to add to a team for authorization purposes. Even after an LDAP group synchronization, you can search for only users from a Red Hat OpenShift Kubernetes Service environment with IAM for adding users to teams. You cannot search for or add groups.
- Delegating authentication to multiple providers that use different user_prefix values at the same time is not supported. For a Red Hat OpenShift Kubernetes Service in the IBM Cloud cluster, you can delegate authentication to either the default IBMid provider or the LDAP provider, but not both, because the ROKS_USER_PREFIX value is used for all users.
- For user authorization, add users to teams either by searching for the users, or set a rolebinding or clusterrolebinding for the users on the Red Hat OpenShift Kubernetes Service environment in the IBM Cloud platform.
- Configuring the OpenShift server URL as the ROKS_URL might be a different procedure across OpenShift versions.