Customizing the cluster access URL

Customize the Uniform Resource Locator (URL) that you use to log in to the IBM® Cloud Private cluster management console.

Supported customization formats

The following customization formats are supported:

Required user type or access level: Cluster administrator

Customize the cluster access URL

Complete the following tasks on the boot node of your IBM Cloud Private cluster.

  1. Log in to the boot node as a user with root permissions.
  2. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  3. Copy the content that is in the registration-json configmap into the file registration.yaml.

    kubectl get cm registration-json -n kube-system -o yaml > registration.yaml
    

    The registration.yaml file content resembles the following code:

    apiVersion: v1
    data:
     platform-oidc-registration.json: |
       {
       "token_endpoint_auth_method":"client_secret_basic",
       "client_id": "d2a00fc99163f85169ac7c6de758bad1",
       "client_secret": "01661d22bd0b2025fd87e26e994a4894",
       "scope":"openid profile email",
       "grant_types":[
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ],
       "response_types":[
          "code",
          "token",
          "id_token token"
       ],
       "application_type":"web",
       "subject_type":"public",
       "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
       "introspect_tokens":true,
       "trusted_uri_prefixes":[
          "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
       "redirect_uris":[
          "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
       }
    kind: ConfigMap
    metadata:
     creationTimestamp: 2018-06-06T11:53:21Z
     name: registration-json
     namespace: kube-system
     resourceVersion: "1255"
     selfLink: /api/v1/namespaces/kube-system/configmaps/registration-json
     uid: 3620b003-6980-11e8-9420-fa163ea0dafe
    
  4. Create a platform-oidc-registration.json file. Place the file in the <installation directory>/cluster/cfc-components/ folder.

  5. Copy the content that is in the data: section of the registration.yaml file into the platform-oidc-registration.json file. The platform-oidc-registration.json file content resembles the following code:

      {
       "token_endpoint_auth_method":"client_secret_basic",
       "client_id": "d2a00fc99163f85169ac7c6de758bad1",
       "client_secret": "01661d22bd0b2025fd87e26e994a4894",
       "scope":"openid profile email",
       "grant_types":[
          "authorization_code",
          "client_credentials",
          "password",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
       ],
       "response_types":[
          "code",
          "token",
          "id_token token"
       ],
       "application_type":"web",
       "subject_type":"public",
       "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
       "preauthorized_scope":"openid profile email general",
       "introspect_tokens":true,
       "trusted_uri_prefixes":[
          "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
       "redirect_uris":[        
       "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
       }
    
  6. Add the following line to the platform-oidc-registration.json file:

    "allow_regexp_redirects":"true",
    

    The updated code resembles the following text:

    {
     "token_endpoint_auth_method":"client_secret_basic",
     "client_id": "d2a00fc99163f85169ac7c6de758bad1",
     "client_secret": "01661d22bd0b2025fd87e26e994a4894",
     "scope":"openid profile email",
     "allow_regexp_redirects":"true",                               <==========
     "grant_types":[
        "authorization_code",
        "client_credentials",
        "password",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
        ...
    
  7. Add your custom URIs in the "redirect_uris" section of the platform-oidc-registration.json file. See Supported customization formats for the types of URIs that you can add.

    "<regexp>:https://<custom IP address or host name>:<custom port>/auth/liberty/callback",
    

    Add the regexp: prefix only if the custom URI is a regular expression; for a literal URI, omit the prefix.

    Consider the following example URIs that you want to use to access the cluster:

    • Use the master node IP address and any port that starts with 84. You would then add "regexp:https://<master node IP address>:84!d!d/auth/liberty/callback".
    • Use the host name example.abc.com and port 4002. You would then add "https://example.abc.com:4002/auth/liberty/callback".
    • Use a variable host name and a dynamic port assignment. You would then add "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback".

      Note: Port changes are not supported in the IBM® Cloud Private 3.1.2 release.

    If you added the example custom URIs, the updated code would resemble the following text:

    ...
    "application_type":"web",
    "subject_type":"public",
    "post_logout_redirect_uris":[
        "https://10.10.25.213:8443/console/logout","https://9.37.239.32:8443/console/logout","https://mycluster.icp:8443/console/logout"    ],
    "preauthorized_scope":"openid profile email general",
    "introspect_tokens":true,
    "trusted_uri_prefixes":[
      "https://10.10.25.213:8443","https://9.37.239.32:8443","https://mycluster.icp:8443"    ],
    "redirect_uris":[
      "regexp:https://10.10.25.213:84!d!d/auth/liberty/callback",       <==========
      "https://example.abc.com:4002/auth/liberty/callback",         <==========
      "regexp:https://example.[a-z]*.com:[0-9]*/auth/liberty/callback",          <==========   
      "https://10.10.25.213:8443/auth/liberty/callback","https://9.37.239.32:8443/auth/liberty/callback","https://mycluster.icp:8443/auth/liberty/callback","https://mycluster.icp:8443/oidc/endpoint/OP"    ]
    }
    
  8. Save and exit the file.

  9. Save the client ID, client secret, and access IP to the following variables:

    1. Save the client secret:

      OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep OAUTH2_CLIENT_REGISTRATION_SECRET | awk '{ print $2}' | base64 --decode)
      
    2. Save the client ID:

      WLP_CLIENT_ID=$(kubectl -n kube-system get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)
      
    3. Save the access IP:

      FIP=<master node IP address>
      
  10. Apply the changes that you made to the platform-oidc-registration.json file.

     curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/cluster/cfc-components/platform-oidc-registration.json https://$FIP:8443/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
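The following Python script is an added example, not part of the IBM documentation or of the product, that carries out steps 5 to 7 on the registration JSON offline and reports which callback URLs each redirect_uris entry would accept, so that a regexp: entry can be reviewed before it is applied with the PUT in step 10. Every regexp: entry widens the set of redirect targets the OIDC provider accepts, so it is worth seeing exactly what a pattern matches. The registration JSON, the custom URIs and the candidate URLs are constructed sample values (the client ID and secret are placeholders); the example escapes the literal dots in its patterns and writes the port digits as [0-9] rather than the !d notation shown above, and it assumes that a regexp: entry must match the whole callback URL (Python's re.fullmatch), which should be confirmed against the Liberty OIDC provider's documented matching rules.

```python
import json
import re

REGEXP_PREFIX = "regexp:"

# Constructed sample of the platform-oidc-registration.json content from step 5.
# The client_id and client_secret are placeholders, not real credentials.
SAMPLE_REGISTRATION = """{
  "token_endpoint_auth_method": "client_secret_basic",
  "client_id": "PLACEHOLDER_CLIENT_ID",
  "client_secret": "PLACEHOLDER_CLIENT_SECRET",
  "scope": "openid profile email",
  "redirect_uris": [
    "https://10.10.25.213:8443/auth/liberty/callback",
    "https://mycluster.icp:8443/auth/liberty/callback",
    "https://mycluster.icp:8443/oidc/endpoint/OP"
  ]
}"""

# Constructed custom URIs for step 7: dots are escaped and digits written as
# [0-9] so that each pattern matches only the intended host and port range.
CUSTOM_URIS = [
    "regexp:https://10\\.10\\.25\\.213:84[0-9][0-9]/auth/liberty/callback",
    "https://example.abc.com:4002/auth/liberty/callback",
    "regexp:https://example\\.[a-z]+\\.com:[0-9]+/auth/liberty/callback",
]

# Constructed callback URLs used to show what each entry would accept.
CANDIDATES = [
    "https://10.10.25.213:8443/auth/liberty/callback",
    "https://10.10.25.213:9443/auth/liberty/callback",
    "https://10x10x25x213:8443/auth/liberty/callback",
    "https://example.abc.com:4002/auth/liberty/callback",
    "https://example.xyz.com:443/auth/liberty/callback",
    "https://example.abc.com:4002/auth/liberty/callback/../other",
]


def add_custom_redirects(registration_text, custom_uris):
    """Steps 6 and 7: set allow_regexp_redirects and put the custom URIs in
    front of the existing redirect_uris, skipping any that are already there."""
    reg = json.loads(registration_text)
    reg["allow_regexp_redirects"] = "true"  # the page writes the value as a string
    existing = reg.get("redirect_uris", [])
    new = []
    for uri in custom_uris:
        if uri not in existing and uri not in new:
            new.append(uri)
    reg["redirect_uris"] = new + existing
    return reg


def validate_redirect_entry(entry):
    """Return (ok, reason). A regexp: entry must compile and must start with a
    literal https:// scheme; a plain entry must be an https URL."""
    if entry.startswith(REGEXP_PREFIX):
        pattern = entry[len(REGEXP_PREFIX):]
        try:
            re.compile(pattern)
        except re.error as exc:
            return False, f"invalid regular expression: {exc}"
        if not pattern.startswith("https://"):
            return False, "regexp entry must start with the literal https://"
        return True, "ok"
    if not entry.startswith("https://"):
        return False, "redirect URIs must use https"
    return True, "ok"


def accepted_by(entry, candidates):
    """Candidates the entry would accept. Assumes a regexp: entry must match the
    whole URL (re.fullmatch); confirm this against the Liberty OIDC provider."""
    if entry.startswith(REGEXP_PREFIX):
        rx = re.compile(entry[len(REGEXP_PREFIX):])
        return [c for c in candidates if rx.fullmatch(c)]
    return [c for c in candidates if c == entry]


def review(reg, candidates):
    """Validate every redirect_uris entry and map it to the candidates it
    accepts; raises ValueError on the first entry that fails validation."""
    report = {}
    for entry in reg["redirect_uris"]:
        ok, reason = validate_redirect_entry(entry)
        if not ok:
            raise ValueError(f"{entry}: {reason}")
        report[entry] = accepted_by(entry, candidates)
    return report


if __name__ == "__main__":
    updated = add_custom_redirects(SAMPLE_REGISTRATION, CUSTOM_URIS)
    # json.dumps writes each backslash as \\, which is what the JSON file needs.
    print(json.dumps(updated, indent=2))
    for entry, hits in review(updated, CANDIDATES).items():
        print(f"{entry}\n    accepts: {hits or 'none of the candidates'}")
```

Run it as-is to see the generated JSON and the per-entry report; to review a real file, replace SAMPLE_REGISTRATION with the content of platform-oidc-registration.json and CANDIDATES with the callback URLs the cluster is expected to serve. The report makes the difference between the two regexp: forms visible: the escaped pattern rejects the candidate whose dots were replaced by other characters, and full matching rejects a callback URL with a path appended after /auth/liberty/callback.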
    

Edit allowed host headers

If you have changed the host name to access the cluster, you need to modify the allowed host headers in the DaemonSet icp-management-ingress.

  1. Edit the DaemonSet icp-management-ingress by running the following command:

    kubectl edit ds -n kube-system icp-management-ingress
    
  2. Edit the environment variable ALLOWED_HOST_HEADERS in the DaemonSet. For example, if you added the new host name mycluster.icp.new to the cluster access URL, change the environment variable from:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp icp-management-ingress icp-management-ingress.kube-system
    

    To:

    env:
    - name: ALLOWED_HOST_HEADERS
      value: 10.10.25.213 9.37.239.32 mycluster.icp mycluster.icp.new icp-management-ingress icp-management-ingress.kube-system
    

The icp-management-ingress pod restarts.

Now, you can access the management console with the new URL.
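The following Python script is an added example, not part of the IBM documentation or of the product, for the host-header step above: it adds a host name to the space-separated ALLOWED_HOST_HEADERS value without duplicating it, and cross-checks the value against the registered redirect_uris so that a host name that was added to the OIDC registration but not to the ingress allow-list is caught before the console is tested. The current value and the redirect URIs are constructed sample data; the example assumes that the order of the entries in ALLOWED_HOST_HEADERS is not significant, and the kubectl set env command it prints is offered as an alternative to the interactive kubectl edit shown above, not as the page's own procedure.

```python
import shlex
from urllib.parse import urlsplit

REGEXP_PREFIX = "regexp:"

# Constructed sample of the current ALLOWED_HOST_HEADERS value from the DaemonSet.
SAMPLE_ALLOWED = ("10.10.25.213 9.37.239.32 mycluster.icp "
                  "icp-management-ingress icp-management-ingress.kube-system")

# Constructed redirect_uris after the new host names have been registered.
SAMPLE_REDIRECT_URIS = [
    "regexp:https://example\\.[a-z]+\\.com:[0-9]+/auth/liberty/callback",
    "https://example.abc.com:4002/auth/liberty/callback",
    "https://mycluster.icp.new:8443/auth/liberty/callback",
    "https://10.10.25.213:8443/auth/liberty/callback",
    "https://mycluster.icp:8443/auth/liberty/callback",
]


def add_allowed_host(value, hostname):
    """Return the space-separated ALLOWED_HOST_HEADERS value with hostname added
    once at the end; assumes the order of the entries is not significant."""
    hosts = value.split()
    if hostname not in hosts:
        hosts.append(hostname)
    return " ".join(hosts)


def hosts_in_redirect_uris(redirect_uris):
    """Host names of the plain redirect URIs. regexp: entries are skipped
    because their host part is a pattern, so each host they are meant to
    cover has to be added to ALLOWED_HOST_HEADERS by hand."""
    hosts = set()
    for uri in redirect_uris:
        if uri.startswith(REGEXP_PREFIX):
            continue
        host = urlsplit(uri).hostname
        if host:
            hosts.add(host)
    return hosts


def missing_host_headers(allowed_value, redirect_uris):
    """Hosts that are registered as redirect URIs but absent from
    ALLOWED_HOST_HEADERS; the page requires every new host to be present."""
    allowed = set(allowed_value.split())
    return sorted(hosts_in_redirect_uris(redirect_uris) - allowed)


def set_env_command(value):
    """kubectl set env command that writes the new value (an alternative to the
    interactive kubectl edit); the value is shell-quoted because it contains spaces."""
    return ("kubectl set env ds/icp-management-ingress -n kube-system "
            f"ALLOWED_HOST_HEADERS={shlex.quote(value)}")


if __name__ == "__main__":
    updated = add_allowed_host(SAMPLE_ALLOWED, "mycluster.icp.new")
    print(set_env_command(updated))
    gaps = missing_host_headers(updated, SAMPLE_REDIRECT_URIS)
    print("redirect hosts still missing from ALLOWED_HOST_HEADERS:", gaps or "none")
```

With the sample data, adding mycluster.icp.new still leaves example.abc.com reported as missing, which is the case the check is for: the host was registered as a redirect URI in step 7 but never added to the ingress allow-list. Hosts that are only covered by a regexp: entry are not reported and have to be checked by hand.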