Introduction
Identity configuration management for Kubernetes is intended to allow you to quickly and easily configure OAuth authentication across your fleet of OpenShift clusters. Through the creation of an AuthRealm custom resource, you are able to specify one or more identity providers (such as GitHub or LDAP) and a placement rule to indicate to which clusters the identity providers should apply. As more clusters are brought under management, their OAuth configuration will be automatically configured simply by matching the specified placement rule. The existing OAuth configuration will be replaced by the configurations defined in the different AuthRealms. The existing OAuth configuration is saved in the cluster namespace and will be restored once the cluster is no longer under management.
An identity configuration management operator configuration is composed of:
-
A namespace in which the identity configuration will be defined
-
A managedclusterset custom resource which holds the managed clusters which may be part of the identity configuration.
-
A placement custom resource which defines the matching labels to select the clusters.
-
A managedclustersetbinding custom resource to bind that placement to the managedclusterset.
-
For each identity configuration provider, a secret custom resource containing the client ID and client secret to connect to the identity configuration provider.
-
An authrealm custom resource which defines the identiry configuration providers.
We will first walk through setting up your managed cluster set and placement, then prepare the configuration for your preferred identity provider(s).
Preparing your managed cluster set and placement
In order to add managed clusters to a managed cluster set, the managed clusters must be under management of the hub cluster. Follow these instructions if managed clusters need to be brought under management by the hub cluster:
-
Red Hat Advanced Cluster Management - Importing a target managed cluster to the hub cluster
-
Red Hat multicluster engine operator - Importing a target managed cluster to the hub cluster
Once there are managed clusters, create a managed cluster set and managedclustersetbinding. Then select the managed clusters that will be a part of the set:
-
Red Hat Advanced Cluster Management - creating and managing managedclustersets
-
Red Hat multicluster engine operator - creating and managing managedclustersets
Now a placement can be created. This will be used to determine which managed clusters in the managedclusterset will have the identity configuration applied. See:
-
Red Hat Advanced Cluster Management - using managedclustersets with placement
-
Red Hat multicluster engine operator - creating and managing managedclustersets
Important
|
The identity configuration management for Kubernetes Technology Preview does not yet utilize custom role definitions for controlling access to work with AuthRealms. Instead, it relies on the role-based access control implemented by multicluster engine and Advanced Cluster Management around ManagedClusterSets, ManagedClusterSetBindings, and Placements. AuthRealms must exist in a namespace containing a Placement, and the Placement leverages the ManagedClusterSets that are bound to that namespace. Access to namespaces with existing bound ManagedClusterSets and/or existing Placements should be managed accordingly. |
Important
|
If you are using v0.1.0, before detaching a cluster from the hub, you must make sure the managed cluster is no longer managed by identity configuration management. You can remove the cluster from identity configuration management either by removing the cluster from the ManagedClusterSet, or by removing labels from the managed cluster as appropriate to no longer match the Placement. Once your cluster no longer matches the Placement of any AuthRealm, your original OAuth configuration should be restored on the cluster. If the cluster is detached without first being unmanaged from identity provider management, you will lose access to the cluster. If you are using v0.2.0 or higher, it is recommended that you follow the steps above to take the cluster out of identity configuration management prior to detaching the cluster from the hub. In this case, your original OAuth configuration should be restored for you on the managed cluster, and you can then detach the cluster from the hub. As an alternative, prior to detaching the managed cluster from the hub, you can copy your original OAuth from the ConfigMap named |
Creating your AuthRealm
The AuthRealm custom resoure specifies a combination of one or more identity providers and a placement that determines to which managed clusters the identity provider(s) should be applied.
An AuthRealm resource example is as follows:
apiVersion: identityconfig.identitatem.io/v1alpha1
kind: AuthRealm
metadata:
name: identity-config-developers
namespace: identity-config-authrealm
spec:
identityProviders:
- github:
clientID: <Github OAuth client ID>
clientSecret:
name: identitatem-github-client-secret
organizations:
- identitatem
mappingMethod: claim
name: identitatem-developers
type: GitHub
placementRef:
name: dev-clusters-placement
routeSubDomain: identitatem-devs
type: dex
The AuthRealm name
becomes an identity provider name on each managed cluster to which the AuthRealm applies, and is therefore the label that will appear on the managed cluster OpenShift login button.
The identityProviders
list values directly correspond to OpenShift Container Platform’s identity provider configuration. Only GitHub and LDAP are supported in this Technology Preview. Take special note of the mappingMethod
field, which controls how mappings are established between the provider’s identities and User objects.
The placementRef
contains the name of the Placement custom resource located in the same namespace as the AuthRealm that will determine to which clusters this AuthRealm will apply.
The routeSubDomain
is used to form the Issuer URL of the intermediary OpenID connect server that is installed and configured automatically on the hub cluster by identity configuration management in order to achieve fleet-wide identity configuration. The managed clusters' cluster OAuth configurations connect to this OpenID connect server via the Issuer URL, rather than connecting to the desired identity provider directly.
Important
|
|
The type
field must be set to dex
for the Technology Preview. The Technology Preview leverages Dex under the covers as described above to achieve fleet-wide identity configuration.
The sections below outline more details and specific steps necessary to create your AuthRealm for GitHub or LDAP.
GitHub authentication
To use GitHub-based authentication, an OAuth application must be defined in GitHub.
GitHub OAuth
-
The GitHub Oauth app can be created in your personal profile or in a Github organization that you are an administrator for.
-
To create a GitHub Oauth app in your personal profile: Open a web browser and navigate to https://github.com, go to Settings > Developer Settings > OAuth Apps (The shortcut is https://github.com/settings/developers)
-
To create a GitHub Oauth app in a GitHub organization that you are an administrator for: Open a web browser and navigate to https://github.com/{organization_name}, go to Settings > Developer Settings > OAuth Apps (The shortcut is https://github.com/{organization_name}/settings/developers)
-
-
Add a New OAuth App. In the new OAuth app, Generate a new client secret. Copy the Client ID and Client Secret values and save them. They will be needed later.
-
Fill in the Application name with something to help identify the owner and hub it will be used for. NOTE: If you have more than one hub, each one will need its own OAuth app.
-
Fill in Homepage URL and Authorization callback URL with the OpenShift console URL. (NOTE: A little bit later we will correct the Authorization callback URL value once we have the proper value.)
-
Click Register Application NOTE: Leave this web page open so you can quickly correct the Authorization callback URL value once you have the proper value.
AuthRealm custom resource for GitHub
With your GitHub OAuth app created and your client id and secret in hand, you are ready to create your AuthRealm custom resource.
An example of an AuthRealm custom resource configured for the Github identity provider is provided below. Make note of the identityProviders
field and the configuration of the github
identity provider under it:
apiVersion: identityconfig.identitatem.io/v1alpha1
kind: AuthRealm
metadata:
name: identity-config-developers
namespace: identity-config-authrealm
spec:
identityProviders:
- github:
clientID: <Github OAuth client ID>
clientSecret:
name: identitatem-github-client-secret
organizations:
- identitatem
mappingMethod: claim
name: identitatem-developers
type: GitHub
placementRef:
name: dev-clusters-placement
routeSubDomain: identitatem-devs
type: dex
The identityProviders
list contains the configurations for one or more identity providers. The example above contains a single identity provider (GitHub).
An entry under identityProviders
has the following fields:
-
name
contains the unique name that is used to identify the identity provider. -
type
specifies the identity provider type and it is set to GitHub. -
mappingMethod
(add, claim or lookup) controls how mappings are established between this provider’s identities and User objects. -
github
contains the GitHub specific configurations:-
clientID
contains the client ID of a registered GitHub OAuth application. -
clientSecret
contains a reference to a secret object containing the client secret of a registered GitHub OAuth application. Example secret:oc create secret generic <github-oauth-clientID-name> --from-literal=clientSecret=<github-oauth-clientID-secret>
-
organizations
contains a list of organizations to authenticate the user against (authentication against specific teams within GitHub organizations is currently not supported). This field can be left blank to skip authentication against specific GitHub organizations. If organizations are specified in the config then the user must be a member of at least one of the specified orgs.
Note: If the GitHub OAuth application is not owned by an organization specified inorganizations
, an organization owner must grant third-party access to use this option. This can be done in two ways:-
by the GitHub organization’s administrator from the GitHub organization settings,
-
or, during the first GitHub login when the user will be presented with a UI to explicitly request access to the GitHub organization. The request will flow to the GitHub organization’s administrator for approval and the user will only be able to login after the request for access is approved.
-
-
To create your AuthRealm, copy the sample yaml above and update as appropriate with your client id and secret, GitHub organization(s) (if desired), and preferred names, namespace, route subdomain, and mapping method. Then, run the following command on your hub cluster:
oc create -f <authrealm_file_name>.yaml
With your AuthRealm created, you are ready to update your GitHub OAuth app’s authorization callback URL. Leverage the routeSubDomain
you specified in your AuthRealm, and run the script below while logged in to your hub cluster to generate the proper value:
export ROUTE_SUBDOMAIN=<your_route_subdomain>
export APPS=$(oc get infrastructure cluster -ojsonpath='{.status.apiServerURL}' | cut -d':' -f2 | sed 's/\/\/api/apps/g')
echo "Authorization callback URL: https://${ROUTE_SUBDOMAIN}.${APPS}/callback"
At this point, any managed cluster that matches your Placement should be updated with an OAuth configuration that leverages an OpenID identity provider to connect to the proxy server that identity configuration management has stood up under the covers. Allow several minutes for the new login button to appear on your managed cluster.
LDAP authentication
LDAP
The LDAP identity provider configuration allows email/password based authentication backed by a LDAP directory. During authentication, the LDAP directory is searched for an entry that matches the provided user name. If a single unique match is found, a simple bind is attempted using the distinguished name (DN) of the entry plus the provided password.
Setting up LDAP:
There are multiple options available for setting up an LDAP directory. For example:
-
OpenLDAP: an open-source implementation of LDAP. The following article has information on hosting and deploying an OpenLDAP server: https://medium.com/ibm-garage/how-to-host-and-deploy-an-openldap-sever-in-openshift-affab06a4365
-
Secure LDAP using Azure Active Directory: The following tutorial describes the steps for setting up Secure LDAP with Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps
AuthRealm custom resource for LDAP
An example of an AuthRealm custom resource configured for the LDAP identity provider is provided below. Make note of the identityProviders
field and the configuration of the ldap
identity provider under it:
apiVersion: identityconfig.identitatem.io/v1alpha1
kind: AuthRealm
metadata:
name: authrealm-ldap
namespace: authrealm-ldap-ns
spec:
type: dex
routeSubDomain: identitatem-devs
placementRef:
name: authrealm-ldap-placement
ldapExtraConfigs:
openldap:
baseDN: "dc=example,dc=com"
filter: "(objectClass=person)"
identityProviders:
- name: openldap
type: LDAP
mappingMethod: add
ldap:
url: <LDAP server URL>
insecure: false
bindDN: cn=Manager,dc=example,dc=com
ca:
name: authrealm-ldap-ca
namespace: authrealm-ldap-ns
bindPassword:
name: authrealm-ldap-secret
namespace: authrealm-ldap-ns
attributes:
id:
- DN
preferredUsername:
- mail
name:
- cn
email:
- mail
The identityProviders
list contains the configurations for one or more identity providers. The example above contains a single identity provider (LDAP).
An entry under identityProviders
has the following fields:
-
name
contains the unique name that is used to identify the identity provider. -
type
specifies the identity provider type and it is set to LDAP. -
mappingMethod
(add, claim or lookup) controls how mappings are established between this provider’s identities and User objects. -
ldapExtraConfigs
contains extra server configuration setting for LDAP, the key being the idp.name-
baseDN
contains information to start the LDAP user search from. For example "cn=users,dc=example,dc=com" -
filter
contains optional filter to apply when searching the directory. For example "(objectClass=person)"
-
-
ldap
contains the LDAP specific configurations:-
url
contains the LDAP host and search parameters to use. The url syntax isldap://host:port/basedn?attribute?scope?filter
-
insecure
must befalse
. ldaps:// URLs will attempt to connect using TLS, and ldap:// URLs will be upgraded to TLS. The identity configuration management operator does not support insecure=true. -
bindDN
contains an optional DN to bind with during the search phase. -
bindPassword
contains an optional reference to a secret by name containing a password to bind with during the search phase. Note: bindDN and bindPassword need to be provided if the LDAP server requires authentication for search. -
ca
contains reference to the secret containing a trusted Root CA file - file name and format: "ca.crt" Note: If the server uses self-signed certificates, include files with names "tls.crt" and "tls.key" (representing client certificate and key) in the same secret
-
-
attributes
maps LDAP attributes to identities-
id
is the attribute whose value should be used as the user ID. Required. Only the first attribute is used; all other values are ignored. If the first attribute does not have a value, authentication fails. LDAP standard identity attribute is "dn". -
preferredUsername
is currently ignored by the identity configuration management operator. -
name
is the attribute whose values should be used as the display name. Required. Only the first attribute is used; all other values are ignored. LDAP standard display name attribute is "cn". -
email
is the attribute whose values should be used as the email address. Required. Only the first attribute is used; all other values are ignored.
-
To configure group search for LDAP provider, please refer https://identitatem.github.io/idp-mgmt-docs/groups
To create your AuthRealm, copy the sample yaml above and update as appropriate with your ldap configuration, preferred names, namespace, route subdomain, and mapping method. Then, run the following command on your hub cluster:
oc create -f <authrealm_file_name>.yaml
At this point, any managed cluster that matches your Placement should be updated with an OAuth configuration that leverages an OpenID identity provider to connect to the proxy server that identity configuration management has stood up under the covers. Allow several minutes for the new login button to appear on your managed cluster. You will be able to login with the ldap user.
OpenID authentication
Version 0.3.1 of the technology preview introduces limited support for integrating with OpenID Connect identity providers. We have only tested the integration with dex, Keycloak, and Red Hat Single Sign-On.
NOTE: When integrating with Keycloak, ensure the Keycloak client has default or optional client scopes enabled for email and profile.
AuthRealm custom resource for OpenID
An example of an AuthRealm custom resource configured with an OpenID identity provider is provided below. Make note of the identityProviders
field and the configuration of the opeinid
identity provider under it:
apiVersion: identityconfig.identitatem.io/v1alpha1
kind: AuthRealm
metadata:
name: authrealm-openid
namespace: authrealm-openid-ns
spec:
placementRef:
name: dev-clusters-placement
routeSubDomain: identitatem-devs
type: dex
identityProviders:
- name: identitatem-developers
mappingMethod: add
type: OpenID
openID:
clientID: <OpenID client ID>
clientSecret:
name: identitatem-openid-client-secret
claims:
preferredUsername:
- username
name:
- name
email:
- mail
issuer: <openid auth URL>
The identityProviders
list contains the configurations for one or more identity providers. The example above contains a single identity provider (OpenID).
An entry under identityProviders
has the following fields:
-
name
contains the unique name that is used to identify the identity provider. -
type
specifies the identity provider type and it is set to OpenID. -
mappingMethod
(add, claim or lookup) controls how mappings are established between this provider’s identities and User objects. -
openID
contains the OpenID specific configurations:-
clientID
contains the client ID of a client registered with the OpenID provider. -
clientSecret
contains a reference to a secret object containing the OpenID client secret. Example secret:oc create secret generic <openid-oauth-clientID-name> --from-literal=clientSecret=<openid-oauth-clientID-secret>
-
-
claims
maps attributes on the user entry.-
preferredUsername
is the list of attributes whose values should be used as the preferred username. Optional. If unspecified, the preferred username is determined from the value of the sub claim. OpenShift supports an array of preferredUsername, but identity configuration management for Kubernetes is only supporting the first value from the array. -
name
is the list of attributes whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity. OpenShift supports an array of name, but identity configuration management for Kubernetes is only supporting the first value from the array. -
email
is the list of attributes whose values should be used as the email address. Optional. If unspecified, no email is set for the identity. OpenShift supports an array of email, but identity configuration management for Kubernetes is only supporting the first value from the array.
-
-
issuer
the URL of the OpenID authentication provider.
To create your AuthRealm, copy the sample yaml above and update as appropriate with your OpenID configuration, preferred names, namespace, route subdomain, and mapping method. Then, run the following command on your hub cluster:
oc create -f <authrealm_file_name>.yaml
At this point, any managed cluster that matches your Placement should be updated with an OAuth configuration that leverages an OpenID identity provider to connect to the proxy server that identity configuration management has stood up under the covers. Allow several minutes for the new login button to appear on your managed cluster. You will be able to login with the OpenID authentication.
Using a custom certificate
By default, identity configuration management stands up an OpenID Connect proxy service that leverages the hub cluster’s default ingress certificate. You can instead utilize a custom certificate by adding the following two fields to the AuthRealm spec:
spec:
certificatesSecretRef:
name: acme-cert
host: https://identitatem-devs.acme.com
Create a tls secret containing your custom certificate in the same namespace as your AuthRealm and provide the secret name in certificatesSecretRef.name
. For host
, specify the full URL of the domain you want created for the OpenID Connect proxy service, including the https://
protocol.
When creating the tls secret, be sure to specify the tls
type. For example:
kubectl create secret tls <acme-cert> --cert=<path/to/cert/file> --key=<path/to/key/file>
Note: When you specify a host
URL, the routeSubDomain
is used only for creating an OpenShift project on your hub cluster to hold resources pertaining to the AuthRealm. It is not reflected in the OpenID Connect proxy service issuer URL.
Command line interface
AuthRealm configuration can be created through the cm-cli.
cm create authrealm --values <values.yaml>
-
Fill the template form
The template can be retreived by running:
cm create authrealm -h
Fill the template and save it as for example my-authrealm.yaml
authRealm: # The name of the authrealm, can be override using the --name parameter name: # The namespace where the authrealm must be created, can be override using the --namespace namespace: #The strategy type, only dex is supported, can be override using --type type: dex # The routeSubDomain to use, can be override using --route-sub-domain routeSubDomain: # The placement rule to use, if not present then a new one will be created # in the authrealm namespace and having for labelSelector the matchLabels below. # It can be overridden using --placement placement: # The matchLabels to use to build the placement if not provided # For example: # matchLabels: # authdeployment: east matchLabels: # The managedClusterSet to link the placement to, can be override using --cluster-set managedClusterSet: # The managedClusterSetBinding, if not present then it will be created to bind # the provided placement with the managedClusterSet # It can be overridden using --cluster-set-binding managedClusterSetBinding: # The list of identity providers identityProviders: # Example for github, this section will be copied into the authrealm CR. # Reference: https://github.com/openshift/api/blob/master/config/v1/0000_10_config-operator_01_oauth.crd.yaml#L80 # The identity provider name - name: my-github-idp # The mappingMethod could be add, claim or lookup mappingMethod: claim # The identity provider type, here GitHub type: GitHub # The github specifics github: # The client ID of the github app clientID: # The github app secret, the cm-cli will create a local secret with it clientSecret: # Lists of GitHub Organizations (optionals) organizations: - myorg #,,,, # Example for LDAP, this section will be copied into the authrealm CR. # Reference: https://github.com/openshift/api/blob/master/config/v1/0000_10_config-operator_01_oauth.crd.yaml#L215 # The identity provider name - name: my-ldap-idp # The mappingMethod could be add, claim or lookup mappingMethod: claim # The identity provider type, here LDAP type: LDAP # The ldap specifics ldap: # The LDAP server url url: # The bind Domain name bindDN: # The bind password, the cm-cli will create a local secret with it bindPassword: #.... # Extra supported ldap configuration for the dex server # ldapExtraConfigs: # The name of the ldap identity provider my-ldap-idp: # The base Domain name baseDN: filter:
-
Create the authrealm
-
Create directly
cm create authrealm --values my-authrealm.yaml
-
Create a file and then apply
Options --dry-run with --output-file can be used to get the rendered file
cm create authrealm --values my-authrealm.yaml --dry-run --output-file my-authrealm-yamls.yaml
Then the my-authrealm-yamls.yaml can be applied using
oc apply -f my-authrealm-yamls.yaml
-