This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on Jun 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 4.12, which is the latest version currently available.
Configure a managed cluster to authenticate self-service developers by using GitHub authentication, and grant an external user cluster administrator privileges.
Outcomes
You should be able to:
Configure GitHub as an identity provider for OpenShift.
Grant cluster and dedicated administrator rights to a user.
To perform this exercise, ensure that:
You have completed the section called “Guided Exercise: Access a ROSA Cluster as Administrator”.
You have a GitHub account. If not, then navigate to https://github.com, click , and then follow the instructions.
Procedure 2.1. Instructions
Prepare a GitHub organization. In the following steps, you grant all the GitHub users in that organization developer access to your ROSA cluster.
Use your GitHub credentials to log in to GitHub at https://github.com.
If you already have administrative access to a GitHub organization, then you can use that organization for the exercise. Otherwise, follow the instructions in https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch to create an organization. Select the free plan for the new organization and then complete the form as follows:
| Field | Value |
|---|---|
| Organization account name | do120-yourname |
| | Your email address |
If the organization account name is unavailable because you already performed the exercise, then choose a different name and use it in the following steps.
Accept the terms of service and then click . Do not add members to your organization and then click . Provide your GitHub password to confirm the operation.
Verify that your ROSA CLI configuration is correct and that the ROSA cluster is ready.
Open a command-line terminal on your system and then run the rosa whoami command to confirm that the AWS and the Red Hat OpenShift Cluster Manager configuration is correct.
Verify that the command lists your AWS account, the correct AWS region, and your Red Hat customer portal account.
$ rosa whoami
AWS ARN: arn:aws:iam::...:user/user1@example.com-fqppg-admin
AWS Account ID: 452954386616
AWS Default Region: us-east-1
OCM API: https://api.openshift.com
OCM Account Email: wlombardo@example.com
OCM Account ID: 1VhrXTjpDWnt4rfZvdgLj2fEcso
OCM Account Name: Wilhelm Lombardo
OCM Account Username: wlombardo
OCM Organization External ID: 15701801
OCM Organization ID: 1HMOv5QDUifj2g6Si1hyskyv2IP
OCM Organization Name: Wilhelm Lombardo
The credentials in the preceding output are different on your system. Your own credentials display.
Run the rosa describe cluster command to confirm that your ROSA cluster named do120-cluster is ready.
$ rosa describe cluster -c do120-cluster
...output omitted...
State: ready
...output omitted...
Configure GitHub as an identity provider for OpenShift.
Run the rosa create idp command to configure GitHub as an identity provider.
Use github-do120 for the identity provider name.
This name displays as an identity provider when you access the OpenShift web console.
$ rosa create idp --cluster do120-cluster --interactive
I: Interactive mode enabled.
Any optional fields can be left empty and a default will be selected.
? Type of identity provider: github
? Identity provider name: github-do120
? Restrict to members of: organizations
? GitHub organizations: do120-yourname
? To use GitHub as an identity provider, you must first register the application:
- Open the following URL:
https://github.com/organizations/do120-yourname/settings/applications/new?oauth_application%5Bcallback_url%5D=https%3A%2F%2Foauth-openshift.apps.do120-cluster.jf96.p1.openshiftapps.com%2Foauth2callback%2FGitHub&oauth_application%5Bname%5D=do120-cluster&oauth_application%5Burl%5D=https%3A%2F%2Fconsole-openshift-console.apps.do120-cluster.jf96.p1.openshiftapps.com
- Click on 'Register application'
? Client ID:
Do not cancel the command and do not close the terminal.
Open a web browser and then navigate to the URL that the preceding command output displays. This process registers your ROSA cluster and a new OAuth application in GitHub.
Click and then copy the client ID to the clipboard. Do not close the browser window.

Paste the client ID into the terminal.
...output omitted...
? Client ID: 67e202f06e0989e62bb8
? Client Secret: [? for help]
In the preceding output, the client ID is different on your system.
Do not cancel the command and do not close the terminal.
Switch to the web browser and then click . Copy the secret to the clipboard.
Paste the secret into the terminal and then accept the default values for the remaining parameters.
...output omitted...
? Client ID: 67e202f06e0989e62bb8
? Client Secret: [? for help] ****************************************
? GitHub Enterprise Hostname (optional): <Enter>
? Mapping method: claim
I: Configuring IDP for cluster 'do120-cluster'
I: Identity Provider 'github-do120' has been created.
It may take several minutes for this access to become active.
To add cluster administrators, see 'rosa grant user --help'.
To login into the console, open https://console-openshift-console.apps.do120-cluster.jf96.p1.openshiftapps.com and click on github-do120.
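The registration link that rosa create idp prints in this step prefills the OAuth callback and homepage URLs, so it can be checked against your cluster before you register the application. The following script is an added example, not part of the course: the sample URL is rebuilt from the output on this page (yourname is the course's placeholder), the check assumes github.com rather than a GitHub Enterprise host, and the function names are made up for the example.

```bash
# Added example, not from the course. SAMPLE_URL is rebuilt from this page's
# output; "yourname" is the course placeholder, not a real organization.
SAMPLE_URL='https://github.com/organizations/do120-yourname/settings/applications/new?oauth_application%5Bcallback_url%5D=https%3A%2F%2Foauth-openshift.apps.do120-cluster.jf96.p1.openshiftapps.com%2Foauth2callback%2FGitHub&oauth_application%5Bname%5D=do120-cluster&oauth_application%5Burl%5D=https%3A%2F%2Fconsole-openshift-console.apps.do120-cluster.jf96.p1.openshiftapps.com'
APPS_DOMAIN='apps.do120-cluster.jf96.p1.openshiftapps.com'

# Percent-decode one URL component (awk maps each %XX to its byte).
urldecode() {
  printf '%s\n' "$1" | awk '
    BEGIN { for (i = 1; i < 256; i++) byte[sprintf("%02X", i)] = sprintf("%c", i) }
    {
      out = ""
      while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        out = out substr($0, 1, RSTART - 1) byte[toupper(substr($0, RSTART + 1, 2))]
        $0 = substr($0, RSTART + 3)
      }
      print out $0
    }'
}

# Print the decoded value of query parameter $2 in URL $1; return 1 if absent.
query_param() {
  _q=${1#*\?}
  while [ -n "$_q" ]; do
    _pair=${_q%%"&"*}
    if [ "$(urldecode "${_pair%%=*}")" = "$2" ]; then
      urldecode "${_pair#*=}"
      return 0
    fi
    case $_q in *"&"*) _q=${_q#*"&"} ;; *) _q= ;; esac
  done
  return 1
}

# Succeed when string $1 begins with the literal prefix $2.
has_prefix() { case $1 in "$2"*) return 0 ;; *) return 1 ;; esac; }

# $1 = registration URL, $2 = expected apps domain of the cluster.
check_registration_url() {
  has_prefix "$1" "https://github.com/organizations/" || { echo "not a github.com organization link"; return 1; }
  _cb=$(query_param "$1" 'oauth_application[callback_url]') || { echo "callback_url missing"; return 1; }
  _home=$(query_param "$1" 'oauth_application[url]') || { echo "homepage url missing"; return 1; }
  has_prefix "$_cb" "https://oauth-openshift.$2/oauth2callback/" || { echo "unexpected callback: $_cb"; return 1; }
  [ "$_home" = "https://console-openshift-console.$2" ] || has_prefix "$_home" "https://console-openshift-console.$2/" || { echo "unexpected homepage: $_home"; return 1; }
  echo "ok: callback=$_cb homepage=$_home"
}

check_registration_url "$SAMPLE_URL" "$APPS_DOMAIN"
```

Replace the two sample values with the link from your own rosa create idp run and the apps domain of your cluster.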
To validate your configuration, log in to the OpenShift web console by using your GitHub credentials.
To access the OpenShift web console, use the web browser to navigate to the URL from the output of the preceding rosa command.
Notice that the new github-do120 identity provider displays.
You might have to wait five minutes for the github-do120 identity provider to become active.
Reload the login page until the button displays.
Click . If you are not already logged in to GitHub, then provide your GitHub credentials. Click . The Developer view displays.

All the users in the do120-yourname GitHub organization can log in to your ROSA cluster as self-service developers.
If you created the GitHub organization with your GitHub account, without adding more users, then you are the only member of that organization.
Switch to the view and then expand the menu. Only two submenus display because as a self-service developer you do not have access to all the administration features.
Verify that you can also use the oc command to log in to your cluster from the command line.
You cannot log in by using a username and a password when using the GitHub identity provider.
You can only log in by using a token.
From the web browser, click your name on the top right corner of the web console, and then click .

If the login page displays, then click and then use your GitHub credentials for authentication.
Click and then copy the oc login --token=… command to the clipboard.
Open a command-line terminal on your system, paste the command into the command-line terminal, and then run it.
$ oc login --token=sha256~1NofZkVCi3qCBcBJGc6XiOJTK5SDXF2ZYwhAARx5yJg --server=https://api.do120-cluster.jf96.p1.openshiftapps.com:6443
Logged into "https://api.do120-cluster.jf96.p1.openshiftapps.com:6443" as "wlombardogh" using the token provided.
You don't have any projects. You can try to create a new project, by running
oc new-project <projectname>
Welcome! See 'oc help' to get started.
Notice that the command output displays your GitHub username. That username is different in your command output.
Log out from the cluster.
$ oc logout
Logged "wlombardogh" out on "https://api.do120-cluster.jf96.p1.openshiftapps.com:6443"
Log out from the OpenShift web console. To do so, from the web browser, click your name on the top right corner of the web console and then click .
Add the cluster-admins role to your GitHub user account.
From the command-line terminal, grant cluster administrator rights to your GitHub user account.
In the following command, use your GitHub username for the --user option.
$ rosa grant user cluster-admin --user wlombardogh --cluster do120-cluster
I: Granted role 'cluster-admins' to user 'wlombardogh' on cluster 'do120-cluster'
Switch to the web browser and then log in again to the OpenShift web console by using your GitHub account.
Switch to the view and then navigate to → .
Select the group. Notice that your GitHub username displays under the section.
Expand the menu. Notice that you have access to more administration features than when you were connected as a self-service developer.
Navigate to → , select , and then select . Configuration options for the Alert Manager display, which means that you have rights to configure that tool.

Log out from the OpenShift web console. To do so, click your name on the top right corner of the web console and then click .
Add the dedicated-admins role to your GitHub user account.
From the command-line terminal, revoke the cluster-admins role.
A user account cannot have both the cluster-admins and the dedicated-admins roles.
In the following command, use your GitHub username for the --user option.
$ rosa revoke user cluster-admin --user wlombardogh --cluster do120-cluster
? Are you sure you want to revoke role cluster-admins from user wlombardogh in cluster do120-cluster? Yes
I: Revoked role 'cluster-admins' from user 'wlombardogh' on cluster 'do120-cluster'
Grant dedicated administrator rights to your GitHub user account.
In the following command, use your GitHub username for the --user option.
$ rosa grant user dedicated-admin --user wlombardogh --cluster do120-cluster
I: Granted role 'dedicated-admins' to user 'wlombardogh' on cluster 'do120-cluster'
Switch to the web browser and then log in again to the OpenShift web console by using your GitHub account.
Navigate to → and then select the group. Notice that your GitHub username displays under the section.
Navigate to → , select , and then select . The error message indicates that you are not allowed to modify the Alert Manager configuration. As a dedicated administrator, you have limited administration rights.

Log out from the OpenShift web console. To do so, click your name on the top right corner of the web console and then click .
This concludes the section.