Configure a managed cluster to authenticate self-service developers with GitHub authentication, and grant cluster administrator privileges to an external user.
Outcomes
Configure GitHub as an identity provider for OpenShift.
Grant cluster and dedicated administrator rights to a user.
To perform this exercise, ensure that:
You have completed the section called “Guided Exercise: Access a ROSA Cluster as an Administrator”.
You have a GitHub account. If not, then navigate to https://github.com, click , and then follow the instructions.
Procedure 2.1. Instructions
Prepare a GitHub organization. In the following steps, you grant all the GitHub users in that organization developer access to your ROSA cluster.
Use your GitHub credentials to log in to GitHub at https://github.com.
If you already have administrative access to a GitHub organization, then you can use that organization for the exercise. Otherwise, follow the instructions in https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch to create an organization. Select the free plan for the new organization and then complete the form as follows:
| Field | Value |
|---|---|
| Organization account name | do120-yourname |
| Contact email | Your email address |
If the organization account name is unavailable because you already performed the exercise, then choose a different name and use it in the following steps.
Accept the terms of service and then click . Do not add members to your organization and then click . Provide your GitHub password to confirm the operation.
Verify that your ROSA CLI configuration is correct and that the ROSA cluster is ready.
Open a command-line terminal on your system and then run the rosa whoami command to verify that the AWS and the Red Hat OpenShift Cluster Manager configuration is correct.
Verify that the command lists your AWS account, the correct AWS Region, and your Red Hat customer portal account.
$ rosa whoami
AWS ARN: arn:aws:iam::...:user/user1@example.com-fqppg-admin
AWS Account ID: 452954386616
AWS Default Region: us-east-1
OCM API: https://api.openshift.com
OCM Account Email: wlombardo@example.com
OCM Account ID: 1VhrXTjpDWnt4rfZvdgLj2fEcso
OCM Account Name: Wilhelm Lombardo
OCM Account Username: wlombardo
OCM Organization External ID: 15701801
OCM Organization ID: 1HMOv5QDUifj2g6Si1hyskyv2IP
OCM Organization Name: Wilhelm Lombardo
The credentials in the preceding output are different on your system. Your own credentials are displayed.
Run the rosa describe cluster command to verify that your ROSA cluster named do120-cluster is ready.
$ rosa describe cluster --cluster do120-cluster
...output omitted...
State: ready
...output omitted...
Configure GitHub as an identity provider for OpenShift.
Run the rosa create idp command to configure GitHub as an identity provider.
Use github-do120 for the identity provider name.
This name is displayed as an identity provider when you access the OpenShift web console.
$ rosa create idp --cluster do120-cluster --interactive
I: Interactive mode enabled.
Any optional fields can be left empty and a default will be selected.
? Type of identity provider: github
? Identity provider name: github-do120
? Restrict to members of: organizations
? GitHub organizations: do120-yourname
? To use GitHub as an identity provider, you must first register the application:
  - Open the following URL:
    https://github.com/organizations/do120-yourname/settings/applications/new?oauth_application%5Bcallback_url%5D=https%3A%2F%2Foauth-openshift.apps.do120-cluster.jf96.p1.openshiftapps.com%2Foauth2callback%2FGitHub&oauth_application%5Bname%5D=do120-cluster&oauth_application%5Burl%5D=https%3A%2F%2Fconsole-openshift-console.apps.do120-cluster.jf96.p1.openshiftapps.com
  - Click on 'Register application'
? Client ID:
Do not cancel the command and do not close the terminal.
Open a web browser and then navigate to the URL that the preceding command output displays. This process registers your ROSA cluster and a new OAuth application in GitHub.
Click and then copy the client ID to the clipboard. Do not close the browser window.

Paste the client ID into the terminal.
...output omitted...
? Client ID: 67e202f06e0989e62bb8
? Client Secret: [? for help]
In the preceding output, the client ID is different on your system.
Do not cancel the command and do not close the terminal.
Switch to the web browser and then click . Copy the secret to the clipboard.
Paste the secret into the terminal and then accept the default values for the remaining parameters.
...output omitted...
? Client ID: 67e202f06e0989e62bb8
? Client Secret: [? for help] ****************************************
? GitHub Enterprise Hostname (optional): <Enter>
? Mapping method: claim
I: Configuring IDP for cluster 'do120-cluster'
I: Identity Provider 'github-do120' has been created.
   It may take several minutes for this access to become active.
   To add cluster administrators, see 'rosa grant user --help'.
I: To log in to the console, open https://console-openshift-console.apps.do120-cluster.jf96.p1.openshiftapps.com and click on 'github-do120'.
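The registration URL that rosa prints pre-fills the OAuth application's callback, name and homepage as percent-encoded query fields. The following added example (not part of the course material or the rosa tooling) decodes that URL and checks that the callback really points at this cluster's oauth-openshift route, which is the check worth doing before clicking Register application, because GitHub will send authorization codes to whatever callback is registered; the cluster domain and the sample URL are taken from the output above.

```python
"""Decode the GitHub OAuth app registration URL printed by `rosa create idp`
and verify that its pre-filled callback targets this cluster's own OAuth route.
Added example; REGISTER_URL is the URL shown in the rosa output above."""
from urllib.parse import urlsplit, parse_qs

# Constructed from the page's rosa output for do120-cluster.
REGISTER_URL = (
    "https://github.com/organizations/do120-yourname/settings/applications/new"
    "?oauth_application%5Bcallback_url%5D=https%3A%2F%2Foauth-openshift.apps."
    "do120-cluster.jf96.p1.openshiftapps.com%2Foauth2callback%2FGitHub"
    "&oauth_application%5Bname%5D=do120-cluster"
    "&oauth_application%5Burl%5D=https%3A%2F%2Fconsole-openshift-console.apps."
    "do120-cluster.jf96.p1.openshiftapps.com"
)


def parse_register_url(url):
    """Return the GitHub organization and the OAuth app fields the URL pre-fills."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != "github.com":
        raise ValueError("registration URL must be on https://github.com")
    path = parts.path.split("/")  # /organizations/<org>/settings/applications/new
    if len(path) < 3 or path[1] != "organizations":
        raise ValueError("not an organization OAuth app registration URL")
    qs = parse_qs(parts.query)  # parse_qs percent-decodes both keys and values
    fields = {"organization": path[2]}
    for key in ("callback_url", "name", "url"):
        values = qs.get(f"oauth_application[{key}]")
        if not values:
            raise ValueError(f"missing oauth_application[{key}]")
        fields[key] = values[0]
    return fields


def check_callback(fields, cluster_domain):
    """List mismatches between the pre-filled URLs and the given cluster domain."""
    cb = urlsplit(fields["callback_url"])
    expected_host = f"oauth-openshift.apps.{cluster_domain}"
    problems = []
    if cb.scheme != "https":
        problems.append("callback is not https")
    if cb.hostname != expected_host:
        problems.append(f"callback host {cb.hostname!r} != {expected_host!r}")
    if not cb.path.startswith("/oauth2callback/"):
        problems.append("callback path is not /oauth2callback/<idp>")
    console = urlsplit(fields["url"])
    if console.hostname != f"console-openshift-console.apps.{cluster_domain}":
        problems.append("homepage URL is not this cluster's web console")
    return problems  # empty list means the registration matches the cluster
```

Run `check_callback(parse_register_url(url), "<your cluster domain>")` against the URL your own rosa run prints; any entry in the returned list is a reason not to register the application as pre-filled.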
To validate your configuration, log in to the OpenShift web console by using your GitHub credentials.
To access the OpenShift web console, use the web browser to navigate to the URL from the output of the preceding rosa command.
Notice that the new github-do120 identity provider is displayed.
You might have to wait five minutes for the github-do120 identity provider to become active.
Do not use the reload function of your web browser to refresh the page.
Instead, paste the OpenShift web console URL again until the button is displayed.
Click . If you are not already logged in to GitHub, then provide your GitHub credentials. Click . The Developer view is displayed.

All the users in the do120-yourname GitHub organization can log in to your ROSA cluster as self-service developers.
If you created the GitHub organization with your GitHub account, without adding more users, then you are the only member of that organization.
Switch to the view and then expand the menu. Only two submenus are displayed because as a self-service developer you do not have access to all the administration features.
Verify that you can also use the oc command to log in to your cluster from the command line.
You cannot log in by using a username and a password when using the GitHub identity provider.
You can only log in by using a token.
From the web browser, click your name in the upper right corner of the web console, and then click .

If the login page is displayed, then click and then use your GitHub credentials for authentication.
Click and then copy the oc login --token command to the clipboard.
Open a command-line terminal on your system, paste the command into the command-line terminal, and then run the command.
$ oc login --token=sha256~1NofZkVCi3qCBcBJGc6XiOJTK5SDXF2ZYwhAARx5yJg --server=https://api.do120-cluster.jf96.p1.openshiftapps.com:6443
Logged into "https://api.do120-cluster.jf96.p1.openshiftapps.com:6443" as "wlombardogh" using the token provided.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

Welcome! See 'oc help' to get started.
Notice that the command output displays your GitHub username. That username is different in your command output.
Log out from the cluster.
$ oc logout
Logged "wlombardogh" out on "https://api.do120-cluster.jf96.p1.openshiftapps.com:6443"
Log out from the OpenShift web console. To do so, from the web browser, click your name in the upper right corner of the web console and then click .
Add the dedicated-admins role to your GitHub user account.
From the command-line terminal, grant dedicated administrator rights to your GitHub user account.
In the following command, use your GitHub username for the --user option.
$ rosa grant user dedicated-admin --user wlombardogh --cluster do120-cluster
I: Granted role 'dedicated-admins' to user 'wlombardogh' on cluster 'do120-cluster'
Switch to the web browser and then log in again to the OpenShift web console by using your GitHub account.
Switch to the view and then navigate to → .
Select the group. Notice that your GitHub username is displayed under the section.
Expand the menu. Notice that you have access to more administration features than when you were connected as a self-service developer.
Navigate to → , select , and then select .

The error message indicates that you are not allowed to modify the Alert Manager configuration. As a dedicated administrator, you have limited administration rights.

Log out from the OpenShift web console. To do so, click your name in the upper right corner of the web console and then click .
Add the cluster-admins role to your GitHub user account.
From the command-line terminal, revoke the dedicated-admins role.
A user account cannot have both the cluster-admins and the dedicated-admins roles.
In the following command, use your GitHub username for the --user option.
$ rosa revoke user dedicated-admin --user wlombardogh --cluster do120-cluster
? Are you sure you want to revoke role dedicated-admins from user wlombardogh in cluster do120-cluster? Yes
I: Revoked role 'dedicated-admins' from user 'wlombardogh' on cluster 'do120-cluster'
Grant cluster administrator rights to your GitHub user account.
In the following command, use your GitHub username for the --user option.
$ rosa grant user cluster-admin --user wlombardogh --cluster do120-cluster
I: Granted role 'cluster-admins' to user 'wlombardogh' on cluster 'do120-cluster'
Switch to the web browser and then log in again to the OpenShift web console by using your GitHub account.
Navigate to → and then select the group. Notice that your GitHub username is displayed under the section.
Navigate to → , select , and then select . Configuration options for the Alert Manager are displayed, which means that you have rights to configure that tool.
Log out from the OpenShift web console. To do so, click your name in the upper right corner of the web console and then click .
Do not delete your work, because later activities depend on the completion of this exercise.