mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc

:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-create-route-oidc_{context}"]
= Configuring the external certificate for the managed OIDC discovery provider route

The managed route uses the External Route Certificate feature to set the `tls.externalCertificate` field to the name of an externally managed Transport Layer Security (TLS) secret.

.Prerequisites

* You have installed {zero-trust-full} 0.2.0 or later.
* You have deployed the SPIRE Server, SPIRE Agent, SPIFFE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.
* You have installed the {cert-manager-operator}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].
* You have created a `ClusterIssuer` or `Issuer` configured with a publicly trusted CA service, for example, an Automated Certificate Management Environment (ACME) type `Issuer` that uses the Let's Encrypt ACME service. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html-single/security_and_compliance/index#cert-manager-operator-issuer-acme[Configuring an ACME issuer].

.Procedure

. Create a `Role` that grants the router service account permission to read the referenced secret by running the following command:
+
[source,terminal]
----
$ oc create role secret-reader \
  --verb=get,list,watch \
  --resource=secrets \
  --resource-name=$TLS_SECRET_NAME \
  -n zero-trust-workload-identity-manager
----

. Create a `RoleBinding` resource that binds the router service account to the newly created `Role` by running the following command:
+
[source,terminal]
----
$ oc create rolebinding secret-reader-binding \
  --role=secret-reader \
  --serviceaccount=openshift-ingress:router \
  -n zero-trust-workload-identity-manager
----

. Configure the `SpireOIDCDiscoveryProvider` custom resource (CR) to reference the TLS secret from the earlier step by running the following command:
+
[source,terminal]
----
$ oc patch SpireOIDCDiscoveryProvider cluster --type=merge -p='
spec:
  externalSecretRef: ${TLS_SECRET_NAME}
'
----

.Verification

. In the `SpireOIDCDiscoveryProvider` CR, check that the `ManagedRouteReady` condition is set to `True` by running the following command:
+
[source,terminal]
----
$ oc wait --for=jsonpath='{.status.conditions[?(@.type=="ManagedRouteReady")].status}'=True SpireOIDCDiscoveryProvider/cluster --timeout=120s
----

. Verify that the OIDC endpoint can be accessed securely over HTTPS by running the following command:
+
[source,terminal]
----
$ curl https://$JWT_ISSUER_ENDPOINT/.well-known/openid-configuration

{
  "issuer": "https://$JWT_ISSUER_ENDPOINT",
  "jwks_uri": "https://$JWT_ISSUER_ENDPOINT/keys",
  "authorization_endpoint": "",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "ES256",
    "ES384"
  ]
}
----
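The curl command in the verification step only proves that the route answers over TLS; it does not check that the discovery document itself is sound. The following script is an added example and is not part of the OpenShift documentation or of the SPIRE project. It fetches the document with full certificate verification against the system trust store (so it fails until the route presents the publicly trusted certificate this procedure configures) and then checks the fields shown in the example output above: the `issuer` and `jwks_uri` must be HTTPS URLs on the expected host, the advertised signing algorithms must be the asymmetric ones the provider publishes (never `none`), and `id_token` must be a supported response type. The hostname `oidc-discovery.apps.example.test` is a placeholder standing in for `$JWT_ISSUER_ENDPOINT`, and the embedded sample document is constructed from the page's example output.

```python
from __future__ import annotations

import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Hypothetical hostname standing in for $JWT_ISSUER_ENDPOINT in the procedure.
ISSUER_HOST = "oidc-discovery.apps.example.test"

# Constructed sample: the discovery document shape returned by the curl
# command in the verification step, with the placeholder host filled in.
SAMPLE_DOC = {
    "issuer": f"https://{ISSUER_HOST}",
    "jwks_uri": f"https://{ISSUER_HOST}/keys",
    "authorization_endpoint": "",
    "response_types_supported": ["id_token"],
    "subject_types_supported": [],
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "ES384"],
}
SAMPLE_DISCOVERY = json.dumps(SAMPLE_DOC)

# Algorithms the SPIRE OIDC Discovery Provider advertises in the page's example
# output; anything else (notably "none" or an HMAC algorithm) is a red flag.
ALLOWED_ALGS = {"RS256", "ES256", "ES384"}


def fetch_discovery(host: str, timeout: float = 10.0) -> str:
    """Fetch the discovery document with full certificate verification.

    The default SSL context uses the system trust store, so this succeeds only
    once the route presents a publicly trusted certificate, which is exactly
    what the procedure sets up. No verification is disabled here.
    """
    url = f"https://{host}/.well-known/openid-configuration"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def check_discovery_dict(doc: dict, expected_host: str) -> list[str]:
    """Return the problems found in a parsed document; an empty list means it passes."""
    problems: list[str] = []

    issuer = doc.get("issuer", "")
    iss = urlparse(issuer)
    if iss.scheme != "https":
        problems.append(f"issuer is not https: {issuer!r}")
    if iss.netloc != expected_host:
        problems.append(f"issuer host {iss.netloc!r} != expected {expected_host!r}")
    if iss.query or iss.fragment:
        problems.append("issuer must not contain a query or fragment")

    jwks_uri = doc.get("jwks_uri", "")
    jwks = urlparse(jwks_uri)
    if jwks.scheme != "https":
        problems.append(f"jwks_uri is not https: {jwks_uri!r}")
    if jwks.netloc != iss.netloc:
        problems.append(f"jwks_uri host {jwks.netloc!r} differs from issuer host")

    algs = set(doc.get("id_token_signing_alg_values_supported", []))
    if not algs:
        problems.append("no signing algorithms advertised")
    if "none" in algs:
        problems.append("'none' signing algorithm advertised")
    unexpected = algs - ALLOWED_ALGS - {"none"}
    if unexpected:
        problems.append(f"unexpected signing algorithms: {sorted(unexpected)}")

    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("id_token response type not supported")

    return problems


def check_discovery_document(body: str, expected_host: str) -> list[str]:
    """Parse the raw HTTP body and run the checks; a non-JSON body is itself a failure."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"response is not JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    return check_discovery_dict(doc, expected_host)


if __name__ == "__main__":
    import sys

    # With a hostname argument, check the live endpoint; otherwise check the sample.
    live = len(sys.argv) > 1
    host = sys.argv[1] if live else ISSUER_HOST
    body = fetch_discovery(host) if live else SAMPLE_DISCOVERY
    problems = check_discovery_document(body, host)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_oidc_discovery.py $JWT_ISSUER_ENDPOINT` after the `ManagedRouteReady` condition is `True`. A TLS handshake failure at this point means the route is still serving a certificate the system trust store does not accept; a non-empty problem list means the route is fine but the discovery document would mislead an OIDC federation peer.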