mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
88 lines
6.9 KiB
Plaintext
88 lines
6.9 KiB
Plaintext
:_mod-docs-content-type: ASSEMBLY
|
|
[id="rosa-hcp-sts-creating-a-cluster-ext-auth"]
|
|
= Creating a {product-title} cluster that uses direct authentication with an external OIDC identity provider
|
|
include::_attributes/attributes-openshift-dedicated.adoc[]
|
|
:context: rosa-hcp-sts-creating-a-cluster-ext-auth
|
|
|
|
toc::[]
|
|
|
|
You can create {product-title} clusters that use an external OpenID Connect (OIDC) identity provider to issue tokens for authentication, replacing the built-in OpenShift OAuth server. While the built-in OpenShift OAuth server supports integration with a variety of identity providers, including external OIDC identity providers, it is limited to the capabilities of the OAuth server itself. You can directly integrate external OIDC identity providers with {product-title} clusters in order to facilitate machine-to-machine workflows, such as CLI, and provide additional capabilities which are not available when using the built-in OpenShift OAuth server.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
Since it is not possible to upgrade or convert existing {rosa-classic-title} clusters to a {hcp} architecture, you must create a new cluster to use {product-title} functionality. You also cannot convert a cluster that was created to use external authentication providers to use the internal OAuth2 server. You must also create a new cluster.
|
|
====
|
|
|
|
[NOTE]
|
|
====
|
|
{product-title} clusters only support {sts-first} authentication.
|
|
====
|
|
|
|
.Further reading
|
|
ifdef::openshift-rosa-hcp[]
|
|
* For a comparison between {product-title} and {rosa-classic-title}, see the xref:../rosa_architecture/rosa-architecture-models.adoc#rosa-hcp-classic-comparison_rosa-architecture-models[Comparing architecture models] documentation.
|
|
endif::openshift-rosa-hcp[]
|
|
* See the AWS documentation for information about link:https://docs.aws.amazon.com/rosa/latest/userguide/getting-started-hcp.html[Getting started with ROSA with HCP using the ROSA CLI in auto mode].
|
|
|
|
//.Additional resources
|
|
//
|
|
//For a full list of the supported certificates, see the xref:#../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red{nbsp}Hat OpenShift Service on AWS".
|
|
|
|
[id="rosa-hcp-external-auth-prereqs"]
|
|
== {product-title} Prerequisites
|
|
|
|
To create a {product-title} cluster, you must have completed the following steps:
|
|
|
|
ifndef::openshift-rosa-hcp[]
|
|
* Completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites]
|
|
endif::openshift-rosa-hcp[]
|
|
* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[Configured virtual private cloud (VPC)]
|
|
* Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Account-wide roles]
|
|
* Created an xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-byo-oidc_rosa-hcp-sts-creating-a-cluster-quickly[OIDC configuration]
|
|
* Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-operator-config_rosa-hcp-sts-creating-a-cluster-quickly[Operator roles]
|
|
|
|
// Step 1 Prepare HCP cluster with --external-auth-providers-enabled
|
|
include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc[leveloffset=+1]
|
|
//Step 2 Create/list/delete external_provider to HCP cluster that external_auth_config is not enable
|
|
include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli.adoc[leveloffset=+1]
|
|
include::modules/rosa-hcp-sts-example-external-auth-provider.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
* link:https://learn.microsoft.com/en-us/entra/fundamentals/whatis[What is Microsoft Entra ID?] (Microsoft documentation)
|
|
* xref:../cloud_experts_tutorials/cloud-experts-entra-id-idp.adoc#cloud-experts-entra-id-idp[Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider]
|
|
* link:https://www.keycloak.org/guides[Keycloak documentaton]
|
|
//* For information about the similar `idps` tool in the ROSA CLI, see xref:#../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-create-idp_rosa-managing-objects-cli[`create idp`].
|
|
//* For more information about options in the ROSA CLI, see xref:#../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-create-external-auth-provider_rosa-managing-objects-cli[`create external-auth-provider`], xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-list-external-auth-provider_rosa-managing-objects-cli[`list external-auth-provider`], and xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-delete-external-auth-provider_rosa-managing-objects-cli[`delete external-auth-provider`].
|
|
|
|
// Step 3: Create, list, and revoke a break glass credential
|
|
include::modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc[leveloffset=+1]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc#rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli_rosa-hcp-sts-creating-a-cluster-ext-auth[Creating a {product-title} cluster that uses direct authentication with an external OIDC identity provider]
|
|
//* For more information about CLI configurations, see xref:#../cli_reference/openshift_cli/managing-cli-profiles.adoc#managing-cli-profiles[Managing CLI profiles].
|
|
|
|
include::modules/rosa-hcp-sts-accessing-a-break-glass-cred-cli.adoc[leveloffset=+1]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
* For more information about cluster role binding, see xref:../authentication/using-rbac.adoc#rbac-overview[Using RBAC to define and apply permissions].
|
|
|
|
include::modules/rosa-hcp-sts-revoking-a-break-glass-cred-cli.adoc[leveloffset=+1]
|
|
|
|
//Step 4 delete external_provider to HCP cluster that external_auth_config is not enable
|
|
include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli.adoc[leveloffset=+1]
|
|
|
|
[role="_additional-resources"]
|
|
[id="additional-resources_rosa-sts-creating-a-cluster-ext-auth"]
|
|
== Additional resources
|
|
|
|
// * To learn more about the default CIDR ranges for {product-title}, see xref:#../networking/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions].
|
|
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]
|
|
* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS]
|
|
* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
|
|
ifdef::openshift-rosa-hcp[]
|
|
* xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations]
|
|
endif::openshift-rosa-hcp[]
|
|
* xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS] |