diff --git a/modules/ocp4/pages/sop_configure_oauth_ipa.adoc b/modules/ocp4/pages/sop_configure_oauth_ipa.adoc
new file mode 100644
index 0000000..12a989e
--- /dev/null
+++ b/modules/ocp4/pages/sop_configure_oauth_ipa.adoc
@@ -0,0 +1,48 @@
+== SOP Configure oauth Authentication via IPA/Noggin
+
+
+=== Resources
+
+- [1] https://pagure.io/fedora-infra/ansible/blob/main/f/files/communishift/objects[Example Config from Communishift]
+
+
+=== OIDC Setup
+The first step is to request that a secret be created for this environment, please open a ticket with Fedora Infra. Once the secret has been made available we can add it to an Openshift Secret in the cluster like so:
+
+----
+oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret= -n openshift-config
+----
+
+Next we can update the oauth configuration on the cluster and add the config for ipa/noggin/ipsilon. See the following snippet for inspiration:
+
+----
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ name: cluster
+spec:
+ identityProviders:
+...
+ - name: fedoraidp
+ login: true
+ challenge: false
+ mappingMethod: claim
+ type: OpenID
+ openID:
+ clientID: ocp
+ clientSecret:
+ name: fedoraidp-clientsecret
+ extraScopes:
+ - email
+ - profile
+ claims:
+ preferredUsername:
+ - nickname
+ name:
+ - name
+ email:
+ - email
+ issuer: https://id.fedoraproject.org
+----
+
+This config already exists in the cluster so you need to edit or patch it, you can't just `oc apply -f template.yaml`.
diff --git a/modules/ocp4/pages/sops.adoc b/modules/ocp4/pages/sops.adoc
index ee61b06..4c509ed 100644
--- a/modules/ocp4/pages/sops.adoc
+++ b/modules/ocp4/pages/sops.adoc
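Review bot: The `oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret= -n openshift-config` command in the OIDC Setup section has the operator paste the IdP client secret onto the command line, where it is written to shell history and is readable from the process list by any other user on the bastion while the command runs. I would change the example to read the value from a file or stdin, e.g. `oc create secret generic fedoraidp-clientsecret --from-file=clientSecret=./clientSecret -n openshift-config` with a sentence telling the reader to delete the file afterwards, or at minimum add a note that the literal must not be typed into an interactive shell with history enabled. The empty `clientSecret=` also reads as if running the line as-is were valid; a visible placeholder such as `clientSecret=<secret from the Fedora Infra ticket>` would prevent an empty secret being created by accident. Since the final paragraph says the OAuth object must be edited or patched rather than applied, it would also help to state that `mappingMethod: claim` is relied on here and, as far as I recall from the OpenShift docs, rejects a login whose `nickname` is already mapped to a different identity — worth confirming and calling out so operators know what a failed first login looks like.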
@@ -1,7 +1,8 @@ == SOPs - xref:sop_installation.adoc[SOP Openshift 4 Installation on Fedora Infra] -- xref:sop_configure_baremetal_pxe_uefi_boot.adoc[SOP Configure Baremetal PXE-UEFI Boot] - xref:sop_create_machineconfigs.adoc[SOP Create MachineConfigs to Configure RHCOS] +- xref:sop_configure_baremetal_pxe_uefi_boot.adoc[SOP Configure Baremetal PXE-UEFI Boot] - xref:sop_retrieve_ocp4_cacert.adoc[SOP Retrieve OCP4 CACERT] - xref:sop_configure_image_registry_operator.adoc[SOP Configure the Image Registry Operator] +- xref:sop_configure_oauth_ipa.adoc[SOP Configure oauth Authentication via IPA/Noggin]