Configuring OpenShift OAuth
For users to interact with OpenShift, they must first authenticate to the OpenShift cluster. OpenShift OAuth is a process in which users prove their identity to a cluster through an API by using OAuth access tokens they have obtained.
Authentication with the OpenShift Connector overview is a possible way for Che users to authenticate with an OpenShift cluster.
The following section describes the OpenShift OAuth configuration options and their use with Che.
Configuring OpenShift OAuth with initial user
- The oc tool is available.
- chectl management tool is available. See Using the chectl management tool.

- Configure OpenShift identity providers on the cluster. See the Understanding identity provider configuration.
  When a user skips the Configuring step of OpenShift Identity Provider (Keycloak or RH-SSO), and the OpenShift cluster does not already contain a configured Keycloak, Che creates an initial OpenShift user for the HTPasswd identity provider. Credentials of this user are stored in the openshift-oauth-user-credentials secret, located in the openshift-config namespace.
  Obtain the credentials for logging in to an OpenShift cluster and Che instance:
  - Obtain OpenShift user name:
    $ oc get secret openshift-oauth-user-credentials -n openshift-config -o json | jq -r '.data.user' | base64 -d
  - Obtain OpenShift user password:
    $ oc get secret openshift-oauth-user-credentials -n openshift-config -o json | jq -r '.data.password' | base64 -d
- Deploy Che using OperatorHub or the chectl, see the chectl server:deploy specification chapter. OpenShift OAuth will be enabled by default.
Configuring OpenShift OAuth without provisioning OpenShift initial OAuth user
The following procedure describes how to configure OpenShift OAuth without provisioning the initial OAuth user.
- chectl management tool is available. See Using the chectl management tool.

- If you have installed Che by using the Operator, configure the following values in the eclipse-che Custom Resource:
  spec:
    auth:
      openShiftoAuth: true
      initialOpenShiftOAuthUser: ''
- If you have installed Che by using the chectl tool, use the --che-operator-cr-patch-yaml flag:
  $ chectl server:deploy --che-operator-cr-patch-yaml=patch.yaml ...
  The patch.yaml file must contain the following:
  spec:
    auth:
      openShiftoAuth: true
      initialOpenShiftOAuthUser: ''
Removing OpenShift initial OAuth user
The following procedure describes how to remove the OpenShift initial OAuth user provisioned by Eclipse Che.
- The oc tool is installed.
- An instance of Eclipse Che running on OpenShift.
- Logged in to the OpenShift cluster using the oc tool.

- Update the eclipse-che custom resource:
  $ oc patch checluster/eclipse-che -n eclipse-che --type=json -p \
    '[{"op": "replace", "path": "/spec/auth/initialOpenShiftOAuthUser", "value": false}]'
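
To check the result of the procedures above, the following added example (not part of the Che documentation or the Che project's code) compares the initialOpenShiftOAuthUser setting with the presence of the openshift-oauth-user-credentials secret. It assumes the checluster/eclipse-che resource in the eclipse-che namespace used in the removal command, that true is the value under which Che provisions the user, and that a credentials secret left behind when the setting is '' or false deserves review. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the Che documentation.
# Assumes an oc session that may read the CheCluster and the secret.

SECRET=openshift-oauth-user-credentials   # secret name from this page
SECRET_NS=openshift-config                # namespace from this page

# Value of spec.auth.initialOpenShiftOAuthUser; empty output when unset.
initial_user_setting() {
  oc get checluster/eclipse-che -n eclipse-che \
    -o jsonpath='{.spec.auth.initialOpenShiftOAuthUser}'
}

# Decoded user name from the secret; empty output when the secret is absent.
# Only the user name is decoded, so the password never reaches the terminal.
initial_user_name() {
  local b64
  b64=$(oc get secret "$SECRET" -n "$SECRET_NS" --ignore-not-found \
    -o jsonpath='{.data.user}')
  [ -n "$b64" ] && printf '%s' "$b64" | base64 -d
  return 0
}

# Prints one verdict line; returns 1 when the state needs review.
audit_initial_user() {
  local setting user
  setting=$(initial_user_setting)
  user=$(initial_user_name)
  case "$setting:${user:+present}" in
    true:present)
      echo "OK: initial user '$user' provisioned, secret present" ;;
    true:)
      echo "REVIEW: setting is true but $SECRET_NS/$SECRET is missing"
      return 1 ;;
    *:present)
      echo "REVIEW: setting is '$setting' but credentials for '$user' remain in $SECRET_NS/$SECRET"
      return 1 ;;
    *)
      echo "OK: no initial user requested and no credentials secret found" ;;
  esac
}
```

Run audit_initial_user from a session already logged in with oc; a non-zero return marks a state to review.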