Configuring OpenShift OAuth

For users to interact with OpenShift, they must first authenticate to the OpenShift cluster. With OpenShift OAuth, a user proves their identity to the cluster by obtaining an OAuth access token and presenting it to the cluster API.

Authentication with the OpenShift Connector is one way for Che users to authenticate with an OpenShift cluster.

The following sections describe the OpenShift OAuth configuration options and how to use them with Che.

Configuring OpenShift OAuth with initial user

Prerequisites
Procedure
  • Configure OpenShift identity providers on the cluster. See Understanding identity provider configuration.

    When a user skips the step of configuring an OpenShift identity provider (Keycloak or RH-SSO), and the OpenShift cluster does not already contain a configured Keycloak, Che creates an initial OpenShift user for the HTPasswd identity provider. The credentials of this user are stored in the openshift-oauth-user-credentials secret in the openshift-config namespace.

    Obtain the credentials for logging in to the OpenShift cluster and the Che instance:

    1. Obtain the OpenShift user name:

      $ oc get secret openshift-oauth-user-credentials -n openshift-config -o json | jq -r '.data.user' | base64 -d
    2. Obtain the OpenShift user password:

      $ oc get secret openshift-oauth-user-credentials -n openshift-config -o json | jq -r '.data.password' | base64 -d
  • Deploy Che using OperatorHub or chectl; see the chectl server:deploy specification chapter. OpenShift OAuth is enabled by default.

  • For Che deployed in single-user mode:

    1. Register the Che OAuth client in OpenShift. See the Register an OAuth client in OpenShift chapter.

      $ oc create -f <(echo '
      kind: OAuthClient
      apiVersion: oauth.openshift.io/v1
      metadata:
       name: che
      secret: "<random set of symbols>"
      redirectURIs:
       - "<Che api url>/oauth/callback"
      grantMethod: prompt
      ')
    2. Add the OpenShift TLS certificate to the Che Java trust store.

    3. Update the OpenShift deployment configuration.

      CHE_OAUTH_OPENSHIFT_CLIENTID: <client-ID>
      CHE_OAUTH_OPENSHIFT_CLIENTSECRET: <openshift-secret>
      CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT: <oauth-endpoint>
      CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL: <verify-token-url>
      • <client-ID>: the name specified in the OpenShift OAuthClient.

      • <openshift-secret>: the secret specified in the OpenShift OAuthClient.

      • <oauth-endpoint>: the URL of the OpenShift OAuth service:

        • For OpenShift 3, specify the OpenShift master URL.

        • For OpenShift 4, specify the oauth-openshift route.

      • <verify-token-url>: the request URL used to verify the token. <OpenShift master url>/api can be used for OpenShift 3 and 4.

      • See Advanced configuration options for the Che server component.
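As an added example (not code from the Che project), the following Python helper generates a secret for the OAuthClient, builds the OAuthClient object from the registration step above, and cross-checks it against the CHE_OAUTH_OPENSHIFT_* settings so that a mismatched client ID or secret, a redirect URI without the /oauth/callback path, or a non-HTTPS endpoint is caught before deployment. The 32-character minimum for the secret and the HTTPS-only rule are assumptions of this example, not requirements stated by the Che documentation.

```python
"""Build and cross-check the OpenShift OAuthClient and Che OAuth settings."""
import secrets
from urllib.parse import urlparse

CALLBACK_PATH = "/oauth/callback"  # Che's OAuth redirect path (from the doc)


def generate_client_secret(nbytes: int = 32) -> str:
    """Random secret for the OAuthClient 'secret' field: 32 CSPRNG bytes, URL-safe base64."""
    return secrets.token_urlsafe(nbytes)


def build_oauth_client(name: str, che_url: str, secret: str) -> dict:
    """Return the OAuthClient object that the `oc create` step registers.

    che_url is the Che API URL; the redirect URI must be exactly
    <che url>/oauth/callback, so a trailing slash is stripped first.
    """
    return {
        "kind": "OAuthClient",
        "apiVersion": "oauth.openshift.io/v1",
        "metadata": {"name": name},
        "secret": secret,
        "redirectURIs": [che_url.rstrip("/") + CALLBACK_PATH],
        "grantMethod": "prompt",
    }


def check_che_oauth_config(client: dict, env: dict) -> list:
    """Return a list of problems (empty when the Che env and OAuthClient agree)."""
    problems = []
    if env.get("CHE_OAUTH_OPENSHIFT_CLIENTID") != client["metadata"]["name"]:
        problems.append("CHE_OAUTH_OPENSHIFT_CLIENTID does not match OAuthClient metadata.name")
    if env.get("CHE_OAUTH_OPENSHIFT_CLIENTSECRET") != client["secret"]:
        problems.append("CHE_OAUTH_OPENSHIFT_CLIENTSECRET does not match OAuthClient secret")
    if len(client["secret"]) < 32:  # assumed minimum, not a Che requirement
        problems.append("OAuthClient secret is shorter than 32 characters")
    for uri in client.get("redirectURIs", []):
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            problems.append(f"redirect URI {uri} is not https")
        if parsed.path != CALLBACK_PATH:
            problems.append(f"redirect URI {uri} does not end with {CALLBACK_PATH}")
    if client.get("grantMethod") != "prompt":
        problems.append("grantMethod should be 'prompt' so users approve the grant explicitly")
    for key in ("CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT", "CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL"):
        if not env.get(key, "").startswith("https://"):
            problems.append(f"{key} is missing or not https")
    return problems
```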

Additional resources

Configuring OpenShift OAuth without provisioning an initial OpenShift OAuth user

The following procedure describes how to configure OpenShift OAuth without provisioning an initial OpenShift OAuth user.

Prerequisites
Procedure
  1. When OperatorHub is used to deploy Che, set the following values in the eclipse-che Custom Resource (CR):

    spec:
      auth:
        openShiftoAuth: true
        initialOpenShiftOAuthUser: ''
  2. When the chectl tool is used to deploy Che, use the --che-operator-cr-patch-yaml flag:

    $ chectl server:deploy --che-operator-cr-patch-yaml=patch.yaml ...

    patch.yaml must contain the following:

    spec:
      auth:
        openShiftoAuth: true
        initialOpenShiftOAuthUser: ''

Removing the initial OpenShift OAuth user

The following procedure describes how to remove the initial OpenShift OAuth user provisioned by Eclipse Che.

Prerequisites
  • The oc tool installed.

  • An instance of Eclipse Che running on OpenShift.

  • Logged in to the OpenShift cluster using the oc tool.

Procedure
  1. Update the eclipse-che custom resource:

    $ oc patch checluster/eclipse-che -n eclipse-che --type=json -p \
    '[{"op": "replace", "path": "/spec/auth/initialOpenShiftOAuthUser", "value": false}]'