Adding OIDC Authentication
In CentOS, we have an instance of Ipsilon[1] which we currently use to authenticate many of our services.
Steps
This SOP covers configuring ocp.ci/ocp.stg.ci with an OpenID identity provider which is used to communicate with our ACO Ipsilon instance and provide authentication to the cluster.
- Authenticate with the ocp.ci/ocp.stg.ci cluster via the cli
- Create an Openshift Secret containing the ACO/Ipsilon clientSecret
- Create an Openshift Oauth object with the identityProvider configuration
See below for sample template which achieves this.
apiVersion: template.openshift.io/v1
kind: Template
metadata:
name: openshift-oidc-config
objects:
- kind: Secret
apiVersion: v1
metadata:
name: openid-client-secret-ocp-ci
namespace: openshift-config
data:
clientSecret: <base64 encoded OIDC client secret>
type: Opaque
- apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- mappingMethod: claim
name: accounts-centos-org
openID:
claims:
email:
- email
- custom_email_claim
name:
- name
- nickname
- given_name
preferredUsername:
- email
clientID: ocp.ci.centos
clientSecret:
name: openid-client-secret-ocp-ci
extraScopes:
- email
- profile
issuer: 'https://id.centos.org/idp/openidc'
type: OpenID
Resources:
- [1] Ipsilon