Openshift Authentication with Google Identity Provider
Update 6/20/18: Added ansible inventory information.
I have been using HTPasswd as an authentication provider for OpenShift for a while. However, I decided today that I wanted to try and get the Google Identity Provider to work. Well, seeing how I am posting this the same day I looked into it should tell you it was pretty darn easy for me. I have already used Google Cloud services, so I am not sure if there are any extra steps that I will be missing in this guide, so please be sure to comment if I did.
The documentation that I used is at https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#Google . Below is the configuration, copied from the docs, that needs to be added to your master-config.yaml file.
oauthConfig:
  ...
  identityProviders:
  - name: google
    challenge: false
    login: true
    provider:
      apiVersion: v1
      kind: GoogleIdentityProvider
      clientID: ...
      clientSecret: ...
      hostedDomain: ""
The clientID, clientSecret, and hostedDomain are the only things I set. The clientID and clientSecret are obtained after creating a new API project in the Google developer console at https://console.developers.google.com/.
The authorization redirect URI must be set, as described in the docs, to "<master>/oauth2callback/<identityProviderName>". This would be something like https://example.com:8443/oauth2callback/google .
As the directions on the page above indicate, public IP addresses cannot be used, but I have not tested local IP addresses. However, anyone can resolve a hostname by modifying the hosts file of the OS on which they run the web browser used to access the OpenShift server. Windows 10 and 8 users would modify c:\Windows\System32\Drivers\etc\hosts, for example. Windows users can see additional information on how to do this at https://support.rackspace.com/how-to/modify-your-hosts-file/ . Linux users would modify their /etc/hosts file.
After hitting the create button, the clientID and secret will pop up to be copied.
If the popup goes away before copying you can get this information by clicking the oauth name which will show this information on a new page.
This clientID and secret are used in the configuration example mentioned above that is put in the master-config.yaml file.
oauthConfig:
  ...
  identityProviders:
  - name: google
    challenge: false
    login: true
    provider:
      apiVersion: v1
      kind: GoogleIdentityProvider
      clientID: <...>apps.googleusercontent.com
      clientSecret: <...>
      hostedDomain: ""
Update 6/18/2018:
Ansible inventory file:
openshift_master_identity_providers=[{'name': 'google', 'login': 'true', 'challenge': 'false', 'kind':'GoogleIdentityProvider','clientID':'','clientSecret':'','hostedDomain':''}]
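As an added example (not from the post or from OpenShift), here is a small Python check that flags a GoogleIdentityProvider entry left with an empty hostedDomain or placeholder credentials and works out the redirect URI the Google console must be given. It operates on the dict that yaml.safe_load would return for the oauthConfig section (assuming masterPublicURL, the standard oauthConfig field, is set) and on the Ansible inventory line above, whose value is a Python literal.

```python
import ast

# Constructed sample: what yaml.safe_load gives for the oauthConfig section of the
# master-config.yaml shown above (masterPublicURL is the standard OpenShift 3 key).
MASTER_CONFIG = {"oauthConfig": {
    "masterPublicURL": "https://example.com:8443",
    "identityProviders": [{
        "name": "google", "challenge": False, "login": True,
        "provider": {"apiVersion": "v1", "kind": "GoogleIdentityProvider",
                     "clientID": "<...>apps.googleusercontent.com",
                     "clientSecret": "<...>", "hostedDomain": ""}}]}}

# Constructed sample: the Ansible inventory line from the post, verbatim.
INVENTORY_LINE = ("openshift_master_identity_providers=[{'name': 'google', 'login': 'true', "
                  "'challenge': 'false', 'kind':'GoogleIdentityProvider','clientID':'',"
                  "'clientSecret':'','hostedDomain':''}]")

PLACEHOLDERS = {"", "...", "<...>"}


def providers_from_inventory(line):
    """Parse the inventory value (a Python literal) into the master-config shape."""
    _, value = line.split("=", 1)
    idps = []
    for p in ast.literal_eval(value):
        idps.append({
            "name": p["name"],
            # inventory booleans are strings ('true'/'false'); master-config uses real bools
            "login": str(p.get("login", "")).lower() == "true",
            "challenge": str(p.get("challenge", "")).lower() == "true",
            "provider": {k: v for k, v in p.items() if k not in ("name", "login", "challenge")},
        })
    return idps


def audit_google_idp(idp, master_public_url):
    """Return (findings, redirect_uri) for one identity provider entry."""
    prov = idp["provider"]
    redirect = f"{master_public_url.rstrip('/')}/oauth2callback/{idp['name']}"
    if prov.get("kind") != "GoogleIdentityProvider":
        return [], redirect
    findings = []
    if not prov.get("hostedDomain"):
        findings.append("hostedDomain is empty: any Google account can sign in")
    for key in ("clientID", "clientSecret"):
        val = str(prov.get(key, ""))
        if val in PLACEHOLDERS or val.startswith("<"):
            findings.append(f"{key} is unset or still a placeholder")
    if idp.get("challenge") or not idp.get("login"):
        findings.append("expected challenge: false and login: true for Google")
    return findings, redirect
```

Run it against the real master-config.yaml (via yaml.safe_load) after editing; a clean result is an empty findings list and a redirect URI that matches what was registered in the Google console.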
Now shut down the cluster if it is running and start it up again. This command may vary per your OpenShift setup.
# Updated 5/21/2018 - Ansible restart
# systemctl restart origin-master-api origin-master-controllers
# Without Ansible
oc cluster down
oc cluster up
Now when you open your OpenShift master page you will see something like the following.
One thing you may notice is that my image at sign-in has @devcomb.com for the email domain. This is because I put the domain option hostedDomain: "devcomb.com" in my master-config.yaml configuration. I did this because I have a Google domain already set up. This is a great way for an organization using a Google domain to provide authentication to its users. If you want something similar you can create a Google domain at https://domains.google.com/ , but setting hostedDomain is not required.
If you want to use the command line, you can get the login command with the token needed from the web app's Help -> Command Line Tools page.
Please clap this post if you found it useful and let me know if you have any issues :). Thanks.