From 2231a3fe249894786d34a1dd81ff96ea86fbf157 Mon Sep 17 00:00:00 2001
From: Sebastian Laskawiec
Date: Tue, 29 Jun 2021 10:00:11 +0200
Subject: [PATCH] Custom certs for the oAuth server route
---
 .../configuring-internal-oauth.adoc | 2 ++
 ...auth-customizing-the-oauth-server-URL.adoc | 36 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100755 modules/oauth-customizing-the-oauth-server-URL.adoc
diff --git a/authentication/configuring-internal-oauth.adoc b/authentication/configuring-internal-oauth.adoc
index 20aeaf32d9af..15dd1482aac0 100644
--- a/authentication/configuring-internal-oauth.adoc
+++ b/authentication/configuring-internal-oauth.adoc
@@ -17,4 +17,6 @@ include::modules/oauth-configuring-token-inactivity-timeout.adoc[leveloffset=+1] include::modules/oauth-server-metadata.adoc[leveloffset=+1] +include::modules/oauth-customizing-the-oauth-server-URL.adoc[leveloffset=+1] + include::modules/oauth-troubleshooting-api-events.adoc[leveloffset=+1]
diff --git a/modules/oauth-customizing-the-oauth-server-URL.adoc b/modules/oauth-customizing-the-oauth-server-URL.adoc
new file mode 100755
index 000000000000..ecc2287a6197
--- /dev/null
+++ b/modules/oauth-customizing-the-oauth-server-URL.adoc
@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+//
+// * authentication/configuring-internal-oauth.adoc
+
+[id="customizing-the-oauth-server-url_{context}"]
+= Customizing OAuth server URL
+
+The OAuth server route can be customized using the `ingress` config route configuration API. A custom hostname and a TLS certificate can be set using the `spec.componentRoutes` part of the configuration.
+
+[id="customizing-the-openshift-integrated-oauth-server-route_{context}"]
+== Customising the OpenShift integrated OAuth server route
+
+.Prerequisites
+
+* Log in to the cluster as a user with administrative privileges.
+
+.Procedure
+
+* Set the custom hostname and optionally configure the serving certificate and key.
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: Ingress
+metadata:
+ name: cluster
+spec:
+ componentRoutes:
+ - name: oauth-openshift
+ namespace: openshift-authentication
+ hostname:
+ servingCertKeyPairSecret:
+ name:
+----
++
+If the domain for the custom hostname suffix does not match the cluster domain suffix, then a secret that contains a TLS certificate and key must exist in the `openshift-config` namespace and must be referenced in the `ingress` config. If the domain for the custom hostname suffix matches the cluster domain suffix then the secret is optional. The secret must contain `tls.crt` and `tls.key` data keys, where the certificate and key are stored, and both must be in a valid format. The best way to ensure that is to use the TLS Secret.