Configure OKD OpenShift 4 authentication
In this post I will show you how to configure authentication on an on-premise OpenShift 4 cluster.
Parts of the Openshift 4 series
- Part1a: Install OpenShift 4
- Part1b: Install OpenShift 4 with calico
- Part1c: Install OpenShift 4 with cilium
- Part2: Configure OKD OpenShift 4 ingress
- Part3: Configure OKD OpenShift 4 authentication
- Part4: Configure OKD OpenShift 4 Ceph Persistent Storage
- Part5: Configure OKD OpenShift 4 registry for bare metal
- Part6a: Install Cluster Logging Operator on OpenShift 4
- Part6b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
- Part7: Understand OKD OpenShift 4 Buildconfig Configurations
- Part8: Install Red Hat OpenShift pipelines (Tekton) OKD 4
Create a Cluster Admin User
The kubeadmin user that we used in the previous step is temporary. We need to create a permanent cluster administrator user. The fastest way to do this is to use htpasswd as an authentication provider: we will create a secret in the openshift-config namespace and add an htpasswd provider to the cluster OAuth.
htpasswd -c -B -b users.htpasswd adminuser adminpassword   # -c creates the file, -B selects bcrypt
htpasswd -B -b users.htpasswd testuser testpassword        # no -c here: a second -c would overwrite adminuser
oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd -n openshift-config
oc apply -f htpasswd_provider.yaml
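Before the file goes into the secret it is worth checking what is actually in it: that every entry is bcrypt (the -B flag above) and that both users survived, since running htpasswd -c twice silently recreates the file with only the last user. The checker below is an added example, not code from the post; its sample file contents are constructed, and the htpasswd hash prefixes it recognises ($2y$/$2a$/$2b$ for bcrypt, $apr1$ for Apache MD5, {SHA} for SHA-1) are the documented htpasswd formats.

```python
import re

# Constructed sample htpasswd contents (not the post's file): the second entry
# was made without -B (Apache MD5), and "adminuser" appears twice.
SAMPLE_HTPASSWD = """\
adminuser:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123
testuser:$apr1$saltsalt$0123456789abcdefghijkl
adminuser:$2y$05$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123
"""

# Hash formats htpasswd can emit; only bcrypt is acceptable for this cluster.
HASH_KINDS = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt"),
    (re.compile(r"^\$apr1\$"), "apr1-md5"),
    (re.compile(r"^\{SHA\}"), "sha1"),
]


def classify_hash(digest):
    """Name the hash scheme of one htpasswd password field."""
    for pattern, kind in HASH_KINDS:
        if pattern.match(digest):
            return kind
    return "crypt-or-plain"  # 13-char DES crypt, or an unhashed value


def audit_htpasswd(text, expected_users=()):
    """Parse htpasswd contents; return ({user: hash_kind}, [finding, ...])."""
    entries = {}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user or not digest:
            findings.append(f"line {lineno}: malformed entry")
            continue
        if user in entries:
            findings.append(f"line {lineno}: duplicate entry for {user!r}")
        kind = classify_hash(digest)
        if kind != "bcrypt":
            findings.append(f"line {lineno}: {user!r} uses {kind}; regenerate with htpasswd -B")
        entries[user] = kind  # later lines overwrite earlier ones; duplicates are flagged above
    for user in expected_users:
        if user not in entries:
            findings.append(f"expected user {user!r} is missing (file recreated with -c?)")
    return entries, findings


if __name__ == "__main__":
    users, problems = audit_htpasswd(SAMPLE_HTPASSWD, expected_users=("adminuser", "testuser"))
    print(users)
    for problem in problems:
        print("!!", problem)
```

Run it against users.htpasswd (read the file and pass its contents, with the user names you expect) before creating the htpass-secret; an empty findings list is the goal.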
You can also create groups on the cluster and bind them to roles:
nano groups.yaml
---
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: admins
users:
  - adminuser
---
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: cluster-admins
users:
  - adminuser
---
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: developers
users:
  - testuser
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-admins
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: okd-cluster-developers
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: basic-user
oc apply -f groups.yaml
Enable Oauth On OKD Cluster
I will use Keycloak as the OAuth provider. In the Keycloak realm okd I created a client called okd4. The openid-client-secret secret holds the base64-encoded client secret of the okd4 client ID.
nano oauth-config.yaml
---
kind: Secret
apiVersion: v1
metadata:
  name: openid-client-secret
  namespace: openshift-config
data:
  clientSecret: OWI4OWUyZjgtYrM6ZC10ODU2LTgyN3YtN2ZiODUzNDUyZDc4
type: Opaque
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - mappingMethod: add
      name: sso.mydomain.intra
      openID:
        claims:
          email:
            - email
          name:
            - name
          preferredUsername:
            - email
            - preferred_username
        clientID: okd4
        clientSecret:
          name: openid-client-secret
        extraScopes: []
        issuer: 'https://sso.mydomain.intra/auth/realms/okd'
      type: OpenID
Then apply the config:
oc apply -f oauth-config.yaml
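The mappingMethod in the OAuth resource above decides what happens when a Keycloak login's preferred username (here the email claim, falling back to preferred_username) is already taken by a user from another provider, such as the htpasswd adminuser that sits in the cluster-admins group. OpenShift's documented methods are claim (the default, which rejects the login), add (attach the new identity to the existing user), lookup (only pre-created mappings are accepted) and generate (invent a fresh user name). The following is an added example that models those rules in a small user store; it is not the OAuth server's code, and the provider user name "keycloak-sub-1234" is constructed.

```python
import copy


class MappingError(Exception):
    """Login rejected by the mapping policy."""


class UserStore:
    """Constructed model of OpenShift User/Identity objects (not the OAuth server's
    code): each identity is keyed "<providerName>:<providerUserName>" and maps to
    exactly one User; Groups reference Users by name, so whoever lands on a User
    name inherits that User's group memberships."""

    def __init__(self):
        self.users = {}       # username -> {"identities": [...], "groups": set()}
        self.identities = {}  # "provider:name" -> username

    def add_user(self, username, provider, provider_name, groups=()):
        ident = f"{provider}:{provider_name}"
        self.users[username] = {"identities": [ident], "groups": set(groups)}
        self.identities[ident] = username
        return username

    def login(self, provider, provider_name, preferred_username, method="claim"):
        """Return the User name a login is mapped to under the given mappingMethod."""
        ident = f"{provider}:{provider_name}"
        if ident in self.identities:  # already mapped: every method accepts it
            return self.identities[ident]
        if method == "lookup":        # only pre-created mappings are allowed
            raise MappingError(f"{ident} has no existing Identity/UserIdentityMapping")
        existing = self.users.get(preferred_username)
        if existing is None:
            return self.add_user(preferred_username, provider, provider_name)
        if method == "claim":         # default: refuse to take over another identity's user
            raise MappingError(f"user {preferred_username!r} is already owned by {existing['identities']}")
        if method == "add":           # attach the new identity to the existing user
            existing["identities"].append(ident)
            self.identities[ident] = preferred_username
            return preferred_username
        if method == "generate":      # pick a fresh, unique user name instead
            n = 2
            while f"{preferred_username}{n}" in self.users:
                n += 1
            return self.add_user(f"{preferred_username}{n}", provider, provider_name)
        raise ValueError(f"unknown mappingMethod {method!r}")


def collision_outcomes():
    """What each mappingMethod does when an SSO account's preferred username
    equals the htpasswd admin's user name."""
    base = UserStore()
    base.add_user("adminuser", "htpasswd", "adminuser", groups={"cluster-admins"})
    outcomes = {}
    for method in ("claim", "add", "lookup", "generate"):
        store = copy.deepcopy(base)
        try:
            # "keycloak-sub-1234" stands in for the OIDC sub claim (constructed value)
            name = store.login("sso.mydomain.intra", "keycloak-sub-1234", "adminuser", method)
            outcomes[method] = (name, sorted(store.users[name]["groups"]))
        except MappingError as err:
            outcomes[method] = ("rejected", str(err))
    return outcomes


if __name__ == "__main__":
    for method, result in collision_outcomes().items():
        print(f"{method:9s} -> {result}")
```

With add, the Keycloak identity lands on the existing adminuser and therefore in cluster-admins; with claim the login is refused and the operator logs the conflict. Since the htpasswd and OpenID providers share one user namespace, keep claim (or lookup) unless you intend to merge accounts across providers, and keep the htpasswd user names distinct from anything Keycloak could emit as a preferred username.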
Fix: x509: certificate signed by unknown authority
If you get the following error: "The authentication operator can't honor OAuth configuration due to an x509: certificate signed by unknown authority error", check the openshift-authentication-operator pod log:
oc -n openshift-authentication-operator logs $(oc -n openshift-authentication-operator get pods -l app=authentication-operator -o=custom-columns=NAME:.metadata.name --no-headers)
[...]
E1125 15:31:27.093873 1 oauth.go:69] failed to honor IDP v1.IdentityProvider{Name:"sso", MappingMethod:"claim", IdentityProviderConfig:v1.IdentityProviderConfig{Type:"OpenID", BasicAuth:(*v1.BasicAuthIdentityProvider)(nil), GitHub:(*v1.GitHubIdentityProvider)(nil), GitLab:(*v1.GitLabIdentityProvider)(nil), Google:(*v1.GoogleIdentityProvider)(nil), HTPasswd:(*v1.HTPasswdIdentityProvider)(nil), Keystone:(*v1.KeystoneIdentityProvider)(nil), LDAP:(*v1.LDAPIdentityProvider)(nil), OpenID:(*v1.OpenIDIdentityProvider)(0xc010181ef0), RequestHeader:(*v1.RequestHeaderIdentityProvider)(nil)}}: x509: certificate signed by unknown authority
I1125 15:31:28.369400 1 status_controller.go:165] clusteroperator/authentication diff {"status":{"conditions":[{"lastTransitionTime":"2019-11-20T10:17:18Z","message":"IdentityProviderConfigDegraded: failed to apply IDP sso config: x509: certificate signed by unknown authority","reason":"AsExpected","status":"False","type":"Degraded"},{"lastTransitionTime":"2019-11-22T11:41:09Z","reason":"AsExpected","status":"False","type":"Progressing"},{"lastTransitionTime":"2019-10-26T16:15:59Z","reason":"AsExpected","status":"True","type":"Available"},{"lastTransitionTime":"2019-10-26T13:30:53Z","reason":"AsExpected","status":"True","type":"Upgradeable"}]}}
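The two log lines above carry everything needed for the diagnosis: the "failed to honor IDP" line names the provider and the error, and the clusteroperator diff line embeds the JSON conditions. The following added example (not from the post) pulls both out of operator log lines so the error can be checked without reading the raw output; the sample lines are constructed in the same shape as the excerpt, and the remediation text attached to the x509 error is the fix described in the rest of this section.

```python
import json
import re

# Constructed log lines in the shape of the authentication-operator output quoted
# above (sample data, not a capture from the post's cluster).
SAMPLE_LOG = """\
I1125 15:31:26.000000 1 controller.go:10] syncing oauth config
E1125 15:31:27.093873 1 oauth.go:69] failed to honor IDP v1.IdentityProvider{Name:"sso", MappingMethod:"claim", IdentityProviderConfig:v1.IdentityProviderConfig{Type:"OpenID"}}: x509: certificate signed by unknown authority
I1125 15:31:28.369400 1 status_controller.go:165] clusteroperator/authentication diff {"status":{"conditions":[{"lastTransitionTime":"2019-11-20T10:17:18Z","message":"IdentityProviderConfigDegraded: failed to apply IDP sso config: x509: certificate signed by unknown authority","reason":"AsExpected","status":"False","type":"Degraded"},{"lastTransitionTime":"2019-10-26T16:15:59Z","reason":"AsExpected","status":"True","type":"Available"}]}}
"""

# The Go struct dump ends with "}: <error>"; the non-greedy match stops at the first "}: ".
IDP_RE = re.compile(r'failed to honor IDP v1\.IdentityProvider\{Name:"([^"]+)".*?\}: (.*)$')
DIFF_RE = re.compile(r"clusteroperator/authentication diff (\{.*\})\s*$")

# Error text -> remediation; the x509 entry is the fix this post describes.
KNOWN_CAUSES = {
    "x509: certificate signed by unknown authority":
        "issuer certificate chain is not trusted: set openID.ca to a ConfigMap "
        "in openshift-config holding the CA that signed the issuer's certificate",
}


def triage(log_text):
    """Pull IDP failures and clusteroperator conditions out of operator log lines."""
    report = {"idp_errors": [], "conditions": []}
    for line in log_text.splitlines():
        m = IDP_RE.search(line)
        if m:
            error = m.group(2).strip()
            report["idp_errors"].append({
                "idp": m.group(1),
                "error": error,
                "hint": KNOWN_CAUSES.get(error, "no known remediation"),
            })
            continue
        m = DIFF_RE.search(line)
        if m:
            try:
                status = json.loads(m.group(1))
            except json.JSONDecodeError:
                continue  # truncated diff line; nothing to learn from it
            for cond in status.get("status", {}).get("conditions", []):
                report["conditions"].append(
                    (cond.get("type"), cond.get("status"), cond.get("message", "")))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for err in result["idp_errors"]:
        print(f"IDP {err['idp']}: {err['error']}\n  -> {err['hint']}")
    for ctype, cstatus, msg in result["conditions"]:
        print(f"{ctype}={cstatus} {msg}")
```

Pipe the oc logs output from the command above into triage() (for example by reading sys.stdin) to get the same summary for a live cluster.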
nano oauth-config.yaml
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - mappingMethod: add
      name: sso.mydomain.intra
      openID:
        ca:
          name: sso-ca-config-map
        ...
---
apiVersion: v1
data:
  ca.crt: |+
    -----BEGIN CERTIFICATE-----
    MIIEFTCCAv2gAwIBAgIGSUEs...
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  name: sso-ca-config-map
  namespace: openshift-config
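The ConfigMap above only works if ca.crt holds the CA that actually signed the issuer's certificate and if the PEM survives the YAML literal block with its line breaks intact, which is exactly where hand-edited manifests tend to go wrong. The following added example (not from the post) validates a PEM bundle (every block base64-decodes to an ASN.1 SEQUENCE, as an X.509 certificate must) and renders the ConfigMap with the correct indentation; the PEM body "MAMCAQE=" is a constructed 5-byte DER sequence standing in for a real certificate so the check runs offline.

```python
import base64
import re

# Constructed stand-in for a CA bundle: the body is the base64 of a 5-byte DER
# SEQUENCE, not a real certificate, so the checks below can run offline.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def load_pem_certs(pem_text):
    """Return the DER bytes of every CERTIFICATE block, rejecting malformed ones."""
    certs = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # an X.509 Certificate is an ASN.1 SEQUENCE
            raise ValueError("PEM block does not decode to an ASN.1 SEQUENCE")
        certs.append(der)
    if not certs:
        raise ValueError("no CERTIFICATE block found in input")
    return certs


def build_ca_configmap(pem_text, name="sso-ca-config-map", namespace="openshift-config"):
    """Render the ConfigMap that openID.ca points at, keeping the PEM as a YAML
    literal block so its line breaks survive."""
    load_pem_certs(pem_text)  # fail loudly before emitting anything
    pem_lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    indented = "\n".join("    " + ln for ln in pem_lines)
    return (
        "apiVersion: v1\n"
        "kind: ConfigMap\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "data:\n"
        "  ca.crt: |\n"
        f"{indented}\n"
    )


if __name__ == "__main__":
    print(build_ca_configmap(SAMPLE_PEM), end="")
```

Feed it the CA (or chain) that signed the sso.mydomain.intra certificate, not the server certificate itself; `openssl s_client -connect sso.mydomain.intra:443 -showcerts` displays the chain the issuer presents, and `oc create configmap sso-ca-config-map --from-file=ca.crt=ca.pem -n openshift-config` is the equivalent of this script's output when you already have the PEM in a file.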