48 lines
1.3 KiB
Text
48 lines
1.3 KiB
Text
= SOP Configure oauth Authentication via IPA/Noggin
|
|
|
|
|
|
== Resources
|
|
|
|
- [1] https://pagure.io/fedora-infra/ansible/blob/main/f/files/communishift/objects[Example Config from Communishift]
|
|
|
|
|
|
== OIDC Setup
|
|
The first step is to request that a secret be created for this environment, please open a ticket with Fedora Infra. Once the secret has been made available we can add it to an Openshift Secret in the cluster like so:
|
|
|
|
----
|
|
oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
|
|
----
|
|
|
|
Next we can update the oauth configuration on the cluster and add the config for ipa/noggin/ipsilon. See the following snippet for inspiration:
|
|
|
|
----
|
|
apiVersion: config.openshift.io/v1
|
|
kind: OAuth
|
|
metadata:
|
|
name: cluster
|
|
spec:
|
|
identityProviders:
|
|
...
|
|
- name: fedoraidp
|
|
login: true
|
|
challenge: false
|
|
mappingMethod: claim
|
|
type: OpenID
|
|
openID:
|
|
clientID: ocp
|
|
clientSecret:
|
|
name: fedoraidp-clientsecret
|
|
extraScopes:
|
|
- email
|
|
- profile
|
|
claims:
|
|
preferredUsername:
|
|
- nickname
|
|
name:
|
|
- name
|
|
email:
|
|
- email
|
|
issuer: https://id.fedoraproject.org
|
|
----
|
|
|
|
This config already exists in the cluster so you need to edit or patch it, you can't just `oc apply -f template.yaml`.
|