Skip to content

Add an OpenID identity provider to the cluster

Adding OIDC Authentication

In CentOS, we have an instance of Ipsilon[1] which we currently use to authenticate many of our services.

Steps

This SOP covers configuring ocp.ci/ocp.stg.ci with an OpenID identity provider which is used to communicate with our ACO Ipsilon instance and provide authentication to the cluster.

  • Authenticate with the ocp.ci/ocp.stg.ci cluster via the cli
  • Create an Openshift Secret containing the ACO/Ipsilon clientSecret
  • Create an Openshift Oauth object with the identityProvider configuration

See below for sample template which achieves this.

apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: openshift-oidc-config
objects:
- kind: Secret
  apiVersion: v1
  metadata:
    name: openid-client-secret-ocp-ci
    namespace: openshift-config
  data:
    clientSecret: <base64 encoded OIDC client secret>
  type: Opaque
- apiVersion: config.openshift.io/v1
  kind: OAuth
  metadata:
    name: cluster
  spec:
    identityProviders:
      - mappingMethod: claim
        name: accounts-centos-org
        openID:
          claims:
              email:
              - email
              - custom_email_claim
            name:
              - name
              - nickname
              - given_name
            preferredUsername:
              - email
          clientID: ocp.ci.centos
          clientSecret:
            name: openid-client-secret-ocp-ci
          extraScopes:
            - email
            - profile
          issuer: 'https://id.centos.org/idp/openidc'
        type: OpenID
Resources: