This walkthrough provides the steps for integrating Red Hat Advanced Cluster Security (ACS) with OpenShift authentication, using Dex as the OIDC provider in between.

Prerequisites:
- OpenShift Cluster
- OpenShift CLI
- Helm CLI
- Existing Installation of Red Hat Advanced Cluster Security (ACS)
1. Create a new project for Dex

```shell
oc new-project dex
```

2. Create a new service account (SA)

```shell
oc create sa -n dex dex
```

3. Annotate the SA to enable it as an OAuth client. The redirect URI must match the Dex callback URL.

```shell
oc annotate --overwrite -n dex sa dex "serviceaccounts.openshift.io/oauth-redirecturi.acs=https://dex.$(oc get ingressc ontroller -n openshift-ingress-operator default -o jsonpath='{ .status.domain }')/callback"
```

4. Get the token for the previously created service account

```shell
SA_TOKEN=$(oc serviceaccounts get-token -n dex dex)
```

5. Generate a UUID that will be used as the client secret in Dex

```shell
export UUID=$(uuidgen)
```

Note: If you do not have `uuidgen` installed, generate or provide a secret of your own manually.
6. Add the Dex Helm chart repository

```shell
helm repo add dex https://charts.dexidp.io
```
7. Get the OIDC redirect URIs from the ACS OIDC configuration page

Log in to ACS and select Platform Configuration -> Access Control.
Select Add Auth Provider -> OpenID Connect.
Set the following two environment variables to the callback URIs shown on that page:

```shell
export ACS_CALLBACK_1=<callback_uri_1>
export ACS_CALLBACK_2=<callback_uri_2>
```
8. Install the chart

Save the values file below (`values-dex.yaml`) and execute the following command. The `--set` flags override the issuer, the OpenShift connector credentials, the ingress host and the ACS static client in that file.

```shell
helm upgrade -i dex dex/dex -f values-dex.yaml \
  --set config.connectors[0].config.clientSecret="$SA_TOKEN" \
  --set config.issuer=https://dex.$(oc get ingresscontroller -n openshift-ingress-operator default -o jsonpath='{ .status.domain }') \
  --set config.connectors[0].config.redirectURI=https://dex.$(oc get ingresscontroller -n openshift-ingress-operator default -o jsonpath='{ .status.domain }')/callback \
  --set ingress.hosts[0].host=dex.$(oc get ingresscontroller -n openshift-ingress-operator default -o jsonpath='{ .status.domain }') \
  --set config.staticClients[0].redirectURIs[0]="$ACS_CALLBACK_1" \
  --set config.staticClients[0].redirectURIs[1]="$ACS_CALLBACK_2" \
  --set config.staticClients[0].secret="$UUID"
```
9. Configure ACS OpenID Connect

Complete the following steps in the OpenID Connect auth provider form in ACS:

- Enter a name for the OIDC configuration
- Under Callback Mode, select Query
- Enter the result of the following command in the Issuer textbox

```shell
echo "https://$(oc get route -n dex -o jsonpath='{ .items[0].spec.host }')"
```

- Enter `acs` as the client ID
- Enter the result of the following command as the client secret

```shell
echo $UUID
```

- Specify the minimum access role for users and role mapping (optional)
- Click Save
- Log out and log in using the new OIDC provider to verify the configuration
10. OpenShift group mapping

Due to the way ACS requests OIDC scopes, group mapping is not available. One approach is to use separate OIDC providers and multiple clients/connectors in Dex. The OpenShift Dex connector allows you to limit access based on OpenShift groups; this restriction is enforced at the Dex level and is not affected by these limitations.
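An illustrative `values-dex.yaml` that matches the `--set` overrides used in the install step and shows the connector-level group restriction referred to in the group mapping note. It is added here as an example and is not the walkthrough's own file; the `example.com` hosts, the API server URL, `<SA_TOKEN>`, `<UUID>`, the callback URIs and the group name `acs-users` are placeholders to replace with your cluster's values.

```yaml
# Illustrative values-dex.yaml (example, not the walkthrough's file); example.com hosts and <...> are placeholders
config:
  # Dex issuer URL; must match the Dex route host (the Helm command sets it with --set config.issuer=...)
  issuer: https://dex.apps.example.com
  storage:
    type: kubernetes
    config:
      inCluster: true
  connectors:
    # Authenticate users against the OpenShift OAuth server, using the dex SA as the OAuth client
    - type: openshift
      id: openshift
      name: OpenShift
      config:
        # OpenShift API server; Dex discovers the OAuth endpoints from it
        issuer: https://api.cluster.example.com:6443
        # A service account used as an OAuth client is identified as system:serviceaccount:<ns>:<name>
        clientID: system:serviceaccount:dex:dex
        # Set by --set config.connectors[0].config.clientSecret=... in the install step
        clientSecret: <SA_TOKEN>
        # Must equal the redirect URI annotated on the SA in step 3
        redirectURI: https://dex.apps.example.com/callback
        # Optional: CA bundle to trust for the API and OAuth server when they are not publicly trusted
        # rootCA: /etc/ssl/openshift.pem
        # Optional: only members of these OpenShift groups may log in (the connector-level restriction from the group mapping note)
        groups:
          - acs-users
  staticClients:
    # The OIDC client ACS authenticates against; "acs" is entered as the client ID in ACS
    - id: acs
      name: Red Hat Advanced Cluster Security
      # Set by --set config.staticClients[0].secret=$UUID in the install step
      secret: <UUID>
      # The two callback URIs shown on the ACS OpenID Connect auth provider page
      redirectURIs:
        - <ACS_CALLBACK_1>
        - <ACS_CALLBACK_2>
  oauth2:
    # ACS is the only client, so Dex's consent screen adds nothing
    skipApprovalScreen: true
ingress:
  enabled: true
  annotations:
    # Have OpenShift turn the Ingress into an edge-terminated Route using the default ingress certificate
    route.openshift.io/termination: edge
  hosts:
    - host: dex.apps.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
```

Users who are not members of a listed group are rejected by Dex before ACS ever sees a token, which is how the group restriction works around the missing group mapping in ACS.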