Introduction
In today’s post we’ll go through the steps to integrate Azure Active Directory (AAD) with Red Hat’s OpenShift, so that the AAD identity we all love can be used in OpenShift too.
Prerequisites
For the next steps, I’m assuming you already have an OpenShift deployment up & running. If not, check out this repository!
Update
After having started the blog post, I was pointed to the Microsoft documentation, where the integration is also covered!
Step-by-Step
To configure OpenShift to use Azure AD as an authentication provider, the /etc/origin/master/master-config.yaml file must be edited on all master nodes. If you are unfamiliar with how to access the master nodes: the IP/DNS name is that of the “master” load balancer, and the NAT rules start at port 2200 and increment per node. So node 1 has port 2200, node 2 has port 2201, node 3 has port 2202, and so on.
Now edit master-config.yaml to match the following:
I’ve used the “email” claim for “preferredUsername”, where “unique_name” might have been an even better option… If you are unsure which endpoints to use, be aware that you can find them in the .well-known/openid-configuration URI of your AAD tenant.
Here is an example of the one for Microsoft’s tenant:
If you want to go across AAD organizations (multi-tenant), you can use the “organizations” endpoint instead.
To get the clientid and clientsecret, we’ll have to create an “Application Registration”…
And upon creation, the “Application ID” is the clientid you are looking for…
The “Client Secret” is the … clientsecret … you’ll be looking for. 😉
And don’t forget to set the appropriate permissions: add the following scopes (email, openid and profile) to your user delegated permissions, so that you match the following:
Once done, as an admin, click “Grant admin consent for …” so that users don’t get consent pop-ups like the one seen here:
One more thing: update the redirect URI to match the URL of your master nodes, with “oauth2callback” appended, followed by a slash (“/”) and the name of your identity provider!
Now go to your OpenShift (web) console and you’ll be prompted to select your login option. Here you’ll see the name of your identity provider pop up…
Once logged in, you’ll notice that your preferredUsername claim is shown at the top right:
Though you don’t have any rights yet… Now execute the following CLI command to grant the user a role (such as cluster-admin):
And the user will see the things (s)he’s been granted access to!
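The whole procedure above, pulled together as an added example (not the post’s own configuration): a small shell script that reads the authorize and token endpoints from the tenant’s .well-known/openid-configuration document, renders the identityProviders block for master-config.yaml, derives the redirect URI to register on the App Registration, and builds the role-grant command. The discovery document here is a constructed sample with a placeholder tenant id; the hostname master.example.com, the identity provider name AzureAD and the placeholder client id and secret are assumptions to be replaced with your own values.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: derive the Azure AD OpenID Connect
# settings OpenShift 3.x needs and render them for /etc/origin/master/master-config.yaml.
set -eu

# Constructed sample of the tenant's .well-known/openid-configuration document.
# In practice fetch it with:
#   curl -s "https://login.microsoftonline.com/<tenant-id>/.well-known/openid-configuration"
# The tenant id below is a placeholder, not a real tenant.
DISCOVERY_JSON='{
  "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/authorize",
  "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/token",
  "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
}'

# discovery_value <key>: extract one string value from the discovery document
# (one key per line in the sample, so a simple sed is enough).
discovery_value() {
  printf '%s\n' "$DISCOVERY_JSON" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# redirect_uri <master-public-url> <idp-name>: the callback URL to register on
# the App Registration: <master URL>/oauth2callback/<identity provider name>.
redirect_uri() {
  printf '%s/oauth2callback/%s\n' "${1%/}" "$2"
}

# render_idp <idp-name> <client-id> <client-secret>: identityProviders entry to
# place under oauthConfig in master-config.yaml. preferredUsername uses the
# "email" claim as in the post; "unique_name" would be the alternative.
render_idp() {
  local name="$1" client_id="$2" client_secret="$3"
  cat <<EOF
identityProviders:
- name: ${name}
  challenge: false
  login: true
  mappingMethod: claim
  provider:
    apiVersion: v1
    kind: OpenIDIdentityProvider
    clientID: ${client_id}
    clientSecret: ${client_secret}
    extraScopes:
    - email
    - profile
    claims:
      id:
      - sub
      preferredUsername:
      - email
      name:
      - name
      email:
      - email
    urls:
      authorize: $(discovery_value authorization_endpoint)
      token: $(discovery_value token_endpoint)
EOF
}

# grant_cmd <user>: the oc command that gives the authenticated (but still
# unauthorised) user a role; cluster-admin as in the post.
grant_cmd() {
  printf 'oc adm policy add-cluster-role-to-user cluster-admin %s\n' "$1"
}

# Usage with placeholder values (assumed hostname and identity provider name):
render_idp AzureAD "<application-id>" "<client-secret>"
redirect_uri "https://master.example.com:8443" AzureAD
grant_cmd "user@example.com"
```

The rendered block is merged into the existing oauthConfig section on every master node, after which the masters are restarted; the redirect URI printed by the script must match what is registered in AAD exactly, including the identity provider name, or the callback is rejected.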
Closing Thoughts
- Do not go for an embedded identity directory. Users should have a single identity that you can centrally manage. AAD is a great fit for this purpose!
- OpenShift has native OpenID Connect integration, and so does AAD, which makes it a great combination!
- As a small pointer towards the end of this post… Do not forget to install OSBA (the Open Service Broker for Azure)! This is really kick-ass to see in the container world, as shown below…
Let’s deploy the following manifest…
Like we would do with any other manifest file.
We’ll see that it’s being provisioned in Azure!
And it also shows up quite nicely in OpenShift.
The power of k8s and Azure combined!
Do you still grant authorization on users, not on AAD groups?
The authentication part will work (“SSO”). The authorisation part, or what you are asking about, i.e. authorisation provisioning by leveraging AAD groups, is another story. I haven’t found how to do this…