Configuring OpenShift OAuth

For users to interact with OpenShift, they must first authenticate to the OpenShift cluster. OpenShift OAuth is a process in which users prove themselves to a cluster through an API with obtained OAuth access tokens.

Authentication with the OpenShift Connector overview is a possible way for Che users to authenticate with an OpenShift cluster.

The following section describes the OpenShift OAuth configuration options and its use with a Che.

Configuring OpenShift OAuth with initial user

Prerequisites

The oc tool is available.
chectl management tool is available. See Using the chectl management tool.

Procedure

Configure OpenShift identity providers on the cluster. See the Understanding identity provider configuration.
When a user skips the Configuring step of OpenShift Identity Provider (Keycloak or RH-SSO), and the OpenShift cluster does not already contain a configured Keycloak, Che creates an initial OpenShift user for the HTPasswd identity provider. Credentials of this user are stored in the openshift-oauth-user-credentials secret, located in the openshift-config namespace.

Obtain the credentials for logging in to an OpenShift cluster and Che instance:
1. Obtain OpenShift user name:
  
  $ oc get secret openshift-oauth-user-credentials -n openshift-config -o json | jq -r '.data.user' | base64 -d
2. Obtain OpenShift user password:
  
  $ oc get secret openshift-oauth-user-credentials -n openshift-config -o json | jq -r '.data.password' | base64 -d
Deploy Che using OperatorHub or the chectl, see the chectl server:deploy specification chapter. OpenShift OAuth will be enabled by default.

Configuring OpenShift OAuth without provisioning OpenShift initial OAuth user

The following procedure describes how to configure OpenShift OAuth without provisioning the initial OAuth user.

Prerequisites

chectl management tool is available. See Using the chectl management tool.

Procedure

If you have installed Che by using the Operator, configure the following values in the eclipse-che Custom Resource:
```
spec:
  auth:
    openShiftoAuth: true
    initialOpenShiftOAuthUser: ''
```

If you have installed Che by using the chectl tool, use the --che-operator-cr-patch-yaml flag:

$ chectl server:deploy --che-operator-cr-patch-yaml=patch.yaml ...

The patch.yaml file must contain the following:

spec:
  auth:
    openShiftoAuth: true
    initialOpenShiftOAuthUser: ''

Removing OpenShift initial OAuth user

The following procedure describes how to remove OpenShift initial OAuth user provisioned by Eclipse Che.

Prerequisites

The oc tool installed.
An instance of Eclipse Che running on OpenShift.
Logged in to OpenShift cluster using the oc tool.

Procedure

Update eclipse-che custom resource:

$ oc patch checluster/eclipse-che -n eclipse-che --type=json -p \
'[{"op": "replace", "path": "/spec/auth/initialOpenShiftOAuthUser", "value": false}]'