
Ken Moini


Keystone, LDAP, and Multiple Identity Providers in OpenShift

Today was momentous - I moved our OpenShift cluster and workloads off of AWS and onto the OROCK Cloud that runs Red Hat Cloud Suite top to bottom. Most of the workloads were easy to migrate and while I was shuffling things around I figured I'd deploy Red Hat Identity Management to the OROCK Cloud as well and get it integrated with our new OpenShift cluster.

A few notes for those who may not know much about the Red Hat ecosystem:

  • Red Hat Cloud Suite bundles what you need to run your own private cloud, similar in scope to AWS, Azure, GCP, etc.
  • Red Hat OpenShift Container Platform is the enterprise Kubernetes platform that makes everyone's lives easier.
  • Red Hat Identity Management is the supported FreeIPA offering that wraps up a bunch of services such as DNS, LDAP, Kerberos, a PKI (its own CA), and more. I use it primarily as an LDAP store.
  • LDAP is the directory protocol behind a hierarchical, tree-based directory and authentication system; Active Directory is the most familiar LDAP-speaking directory, and IdM/FreeIPA is another.
  • Keystone is the identity service of the OpenStack IaaS platform; it authenticates and authorizes users for the OpenStack APIs, and other systems such as OpenShift can use it as a password backend.

Anywho, so since this OpenShift cluster is running in an OpenStack private cloud, it uses Keystone to authenticate my user. I use Red Hat IDM/LDAP for workshop user authentication because it's often easier to integrate into different solutions - and I don't want 100 student user accounts taking up space in Keystone next to my actual cluster-admin user.

So what I need are multiple authentication methods for OpenShift.

1. Pull in your IDM/LDAP CA

Odds are IdM is running its own private Certificate Authority, so its CA certificate is not in the system trust store and LDAPS connections from the masters will fail verification until we add it. We need a copy of that CA certificate on every OpenShift Master. The quickest way is to pull it from the LDAPS endpoint itself (port 636), but note that this is trust-on-first-use: you are trusting whatever the network handed you. The authoritative copy lives at /etc/ipa/ca.crt on the IdM server (FreeIPA also publishes it at https://idm.example.com/ipa/config/ca.crt), so compare the SHA-256 fingerprint of what you pulled against that copy before trusting it:

$ openssl s_client -connect idm.example.com:636 -showcerts </dev/null 2>/dev/null | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | csplit --prefix=outfile - "/-----END CERTIFICATE-----/+1" "{*}" --elide-empty-files --quiet
$ sudo cp outfile01 /etc/ssl/certs/idm-ca.pem
$ sudo chmod 644 /etc/ssl/certs/idm-ca.pem

The first command connects to the LDAPS port (s_client defaults to a local port if you leave the port off, and `</dev/null` makes it exit once the handshake is done), keeps only the PEM blocks from the chain the server sent, and splits them into outfile00, outfile01, ... in the order they were sent: the server certificate first, the issuing CA last. So with a two-certificate chain, outfile01 is your CA; if the server sends a longer chain, take the last file. Check its subject and issuer match each other (a root CA is self-issued) and that its fingerprint matches /etc/ipa/ca.crt on the IdM host. The last two commands copy it into place; a CA certificate is public, so 644 is the right mode. On 3.10+ masters, where the API server runs as a static pod, the safe place for any file referenced from master-config.yaml is /etc/origin/master/, which is where the Ansible installer puts such files; if the API server cannot read the CA from /etc/ssl/certs, move it there and adjust the path below.
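The same split-and-pin step as a small tool, added here as an example and not part of the original post. It splits the chain printed by `openssl s_client -showcerts`, takes the last certificate as the CA, and only emits it if its SHA-256 fingerprint (the same value `openssl x509 -noout -fingerprint -sha256` prints) matches one you obtained out of band from the IdM server. The `SAMPLE_CHAIN` is constructed: its base64 bodies are placeholders, not real certificates, and the hostnames are the post's example names.

```python
"""Split a PEM chain from `openssl s_client -showcerts`, pick the issuing CA,
and pin it by SHA-256 fingerprint before trusting it.  Added example; not code
from the original post.  The sample chain is constructed (placeholder base64
bodies, not real DER certificates)."""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for s_client output: leaf first, issuing CA last.
SAMPLE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = idm.example.com
   i:CN = Certificate Authority
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Certificate Authority
   i:CN = Certificate Authority
-----BEGIN CERTIFICATE-----
Q0E=
-----END CERTIFICATE-----
---
"""


def split_pem_chain(text):
    """Return each certificate in `text` as a normalised PEM string, in order."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())  # drop line breaks and stray whitespace
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs


def der_fingerprint(pem):
    """SHA-256 over the DER bytes, as colon-separated upper-case hex pairs
    (the form `openssl x509 -noout -fingerprint -sha256` prints)."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pick_ca(chain):
    """s_client prints the leaf first and the issuer last, so the last block is
    the candidate for `ca:` in master-config.yaml.  If the server sent only
    its own certificate this returns the leaf, which the pin check then rejects."""
    if not chain:
        raise ValueError("no certificates in chain")
    return chain[-1]


def pinned_ca(chain, expected_fingerprint):
    """Return the CA PEM only if its fingerprint equals the value obtained out
    of band (e.g. from /etc/ipa/ca.crt on the IdM server); otherwise raise."""
    ca = pick_ca(chain)
    got = der_fingerprint(ca)
    norm = lambda fp: fp.replace(":", "").lower()
    if norm(got) != norm(expected_fingerprint):
        raise ValueError(f"CA fingerprint mismatch: got {got}, "
                         f"expected {expected_fingerprint}")
    return ca


if __name__ == "__main__":
    # Usage (assumed invocation):
    #   openssl s_client -connect idm.example.com:636 -showcerts </dev/null 2>/dev/null \
    #     | python3 pin_ca.py <sha256-fingerprint-from-idm-server> > idm-ca.pem
    chain = split_pem_chain(sys.stdin.read())
    sys.stdout.write(pinned_ca(chain, sys.argv[1]))
```

A mismatch exits non-zero with nothing written, so a `>` redirect never leaves an unverified CA in the trust path; compare the hex it reports with the IdM server's own fingerprint before retrying.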

2. Modify the /etc/origin/master/master-config.yaml file

If you're rolling multiple masters, it's easier and safer to set the openshift_master_identity_providers variable in the Ansible inventory and re-run the deployment playbooks: the playbooks write master-config.yaml for you, so anything you hand-edit gets overwritten the next time they run. For this example we'll modify /etc/origin/master/master-config.yaml directly. The relevant section looks like this (the typo in domainName was in the original and is fixed here; the comments are added):

...
oauthConfig:
  identityProviders:
  # Cluster operators: the OpenStack Keystone users for this cloud.
  - name: keystone
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      domainName: exampleDomain
      kind: KeystonePasswordIdentityProvider
      url: https://api.us-east-1.dacloud.com:13000/v3/
  # Workshop students: accounts in IdM/FreeIPA, reached over LDAPS only.
  - name: ldap
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn          # the DN is stable even if the uid is renamed
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid         # becomes the OpenShift user name; see mappingMethod
      bindDN: "uid=binddn,cn=accounts,dc=example,dc=com"
      # Inline secret shown for brevity; 3.x also accepts an external file
      # reference here so the password is not in master-config.yaml.
      bindPassword: "superSecretPass"
      ca: /etc/ssl/certs/idm-ca.pem   # the CA pulled in step 1
      insecure: false                 # never true with ldaps://
      url: "ldaps://idm.example.com/cn=accounts,dc=example,dc=com?uid"
...

3. Restart the OpenShift Masters

That configuration now lets the OpenShift cluster authenticate users through either the keystone provider or the ldap provider. Before it takes effect the API server on every master has to be restarted, so run the following on each OpenShift Master:

$ sudo /usr/local/bin/master-restart api && sudo /usr/local/bin/master-restart controllers

Once the masters restart, you should be able to log in to OpenShift with either identity provider. One thing to watch with two password providers that both use mappingMethod: claim: the OpenShift user name comes from preferredUsername (the LDAP uid, or the Keystone user name), and whichever identity logs in first with a given name claims that user. A same-named account from the other provider is then refused rather than silently sharing the first user's role bindings, which is the behaviour you want between a cluster-admin in Keystone and a hundred student accounts in LDAP.
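To make the claim behaviour concrete, here is an added example (not OpenShift's code) that simulates the documented semantics of the four mappingMethod values, claim, lookup, add and generate, for the exact collision the config above can produce: a Keystone user and an LDAP user that both present the preferred user name `admin`. The provider names match the post's config; the identities and the in-memory user table are constructed stand-ins for the Identity and User API objects.

```python
"""Simulate OpenShift identity -> user mapping for each mappingMethod value.
Added example, not OpenShift's own implementation; users and identities are
constructed in-memory stand-ins for the cluster's User/Identity objects."""


class MappingError(Exception):
    """Raised where the real OAuth server would refuse the login."""


class IdentityMapper:
    def __init__(self):
        self.users = {}       # OpenShift user name -> set of identity names
        self.identities = {}  # "<provider>:<providerUserName>" -> user name

    def map(self, provider, provider_user, preferred_username, method):
        """Return the OpenShift user name a login resolves to, or raise."""
        identity = f"{provider}:{provider_user}"
        if identity in self.identities:
            # An identity that was mapped before always lands on the same user.
            return self.identities[identity]
        if method == "lookup":
            # lookup never provisions: the admin must pre-create the mapping.
            raise MappingError(f"{identity}: no pre-existing mapping")
        owner = self.users.get(preferred_username)
        if method == "claim":
            if owner:
                # Name already owned by a different identity: refuse the login.
                raise MappingError(f"{identity}: user {preferred_username!r} "
                                   f"already claimed by {sorted(owner)}")
            username = preferred_username
        elif method == "add":
            # Attach this identity to the existing user (it inherits its RBAC).
            username = preferred_username
        elif method == "generate":
            # Provision a distinct user with a numbered suffix (admin2, admin3).
            username, n = preferred_username, 2
            while username in self.users:
                username = f"{preferred_username}{n}"
                n += 1
        else:
            raise ValueError(f"unknown mappingMethod {method!r}")
        self.users.setdefault(username, set()).add(identity)
        self.identities[identity] = username
        return username


def second_login_outcome(method):
    """keystone:admin has already claimed the user 'admin'.  What happens when
    ldap:admin (LDAP uid 'admin', so preferredUsername 'admin') logs in under
    `method`?  Returns 'refused' or '<user> <- [identities on that user]'."""
    m = IdentityMapper()
    m.map("keystone", "admin", "admin", "claim")
    try:
        user = m.map("ldap", "admin", "admin", method)
    except MappingError:
        return "refused"
    return f"{user} <- {sorted(m.users[user])}"


if __name__ == "__main__":
    for method in ("claim", "lookup", "add", "generate"):
        print(f"{method:9} {second_login_outcome(method)}")
```

With `claim` the LDAP account is refused; with `add` it would be attached to the Keystone admin's user and pick up every role binding that user has, which is why `add` is the wrong choice when two providers can contain the same names; `generate` keeps the accounts separate as `admin` and `admin2`; `lookup` only works for mappings an administrator created by hand.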
