License Service Reporter authentication with OAuth/OIDC provider
You can configure the License Service Reporter to use the OAuth/OIDC provider with Identity Provider (IDP) as the authentication method to access the console. Learn how to enable the License Service Reporter to use the authentication server and
examples of configuration for IBMLicenseServiceReporter custom resource instance.
Configuration
You can edit the IBMLicenseServiceReporter custom resource to configure the authentication for the License Service Reporter.
spec:
authentication:
useradmin:
enabled: true
oauth:
enabled: true
parameters: [
]
OAuth parameters
| Option | Type | Description | Default value |
|---|---|---|---|
| --provider | String | OAuth providers such as oidc or keycloak-oidc |
|
| --provider-display-name | String | You can override the name of the provider with the specific string that is used for the sign-in page | Value depends on the provider |
| --client-id | String | OAuth Client ID | |
| --client-secret-name | String | The name of the K8s secret with the OAuth Client Secret | |
| --oidc-issuer-url | String | OpenID Connect issuer URL | |
| --provider-ca-secret-name | String | The name of the K8s secret with CA certificates that is used when you connect to the provider | |
| --allowed-group | String and list | Restrict logins for the members of this group. This can be given multiple times | |
| --allowed-role | String and list | Restrict logins for the users with this role. This can be given multiple times and works only with the keycloak-oidc provider |
|
| --email-domain | String and list | Authenticate emails with the specified domain and can be given multiple times. Use * to authenticate the email |
|
| --scope | String | OAuth scope specification | |
| --skip-oidc-discovery | Boolean | Bypass OIDC endpoint discovery. Configure the --login-url, --redeem-url, and --oidc-jwks-url parameters to use the --skip-oidc-discovery parameter |
False |
| --oidc-jwks-url | String | OIDC JWKS URI for token verification. This parameter is required if OIDC discovery is disabled | |
| --redeem-url | String | Token redemption endpoint. This parameter is required if OIDC discovery is disabled | |
| --login-url | String | Authentication endpoint. This parameter is required if OIDC discovery is disabled | |
| --ssl-insecure-skip-verify | Boolean | Skip validation of certificates presented with HTTPS providers. The provider-ca-secret-name parameter is ignored when you set the --ssl-insecure-skip-verify parameter to true |
False |
Creation of secrets
Create the secrets of the client-secret-name and provider-ca-secret-name in the same namespace where the License Service Reporter is installed.
-
The secret of the
client-secret-namemust include the following parameter:Key: data Value: <client-secret-value> -
The secret of the
provider-ca-secret-namemust include the following parameter:Key: ca.crt Value: <provider-ca-value>
Allowed group or role
It is recommended to set the role and group parameters with license-administrator to access to the License Service Reporter. You can assign the license-administrator role to the users in the IDP or provide the name
of the group or role to allow the users to login to the License Service Reporter.
The following is an example of the Custom Resource:
spec:
authentication:
useradmin:
enabled: true
oauth:
enabled: true
parameters:
'--allowed-group=license-administrator'
'--allowed-role=license-administrator'
Examples of configurations
Example for Identity and Access Management (IAM v3.x)
The following example includes the set of parameters for IBM Foundational Services Identity and Access Management OIDC provider. The authentication methods for the provider are admin/OCP (icp:default:member allowed group), custom
IDP (LDAP with my-ldap-group allowed group), and basic authentications. The lsr-auth-provider-ca-secret secret must be created based on cs-ca-certificate located in the foundational services namespace:
spec:
authentication:
useradmin:
enabled: true
oauth:
enabled: true
parameters:
- '--provider=oidc'
- '--provider-display-name=My IBM IAM'
- '--oidc-issuer-url=<IAM-cp-console-address>/idprovider/v1/auth'
- '--client-id=kVuRijY11NadyL8UpEfGxtaXNycTlT4U'
- '--client-secret-name=lsr-auth-client-secret'
- '--provider-ca-secret-name=lsr-auth-provider-ca-secret'
- '--allowed-group=icp:default:member'
- '--allowed-group=my-ldap-group'
Example for Identity Management (IM v4.x)
The following example includes the set of parameters for IBM Foundational Services Identity Management OIDC provider with cpadmin/OCP and basic authentications. The lsr-auth-provider-ca-secret secret must be created based on router-certs-default located in the openshift-ingress namespace:
spec:
authentication:
useradmin:
enabled: true
oauth:
enabled: true
parameters:
- '--provider=oidc'
- '--provider-display-name=My IBM IM'
- '--oidc-issuer-url=<IAM-cp-console-address>/idprovider/v1/auth'
- '--client-id=kVuRijY11NadyL8UpEfGxtaXNycTlT4U'
- '--client-secret-name=lsr-auth-client-secret'
- '--provider-ca-secret-name=lsr-auth-provider-ca-secret'