Configuring GitHub authentication allows users to log in to OpenShift Container Platform with their GitHub credentials.
To prevent anyone with any GitHub user ID from logging in to your OpenShift Container Platform cluster, you can restrict access to only those in specific GitHub organizations.
- You created your account roles using Terraform.
- You created your cluster using Terraform. This cluster can either have a managed OIDC configuration or an unmanaged OIDC configuration.
- Optional: You have configured your Terraform.tfvars file.
To use GitHub or GitHub Enterprise as an identity provider, you must register an application to use.
-
Register an application on GitHub:
- For GitHub, click Settings → Developer settings → OAuth Apps → Register a new OAuth application.
- For GitHub Enterprise, go to your GitHub Enterprise home page and then click Settings → Developer settings → Register a new application.
-
Enter an application name, for example
My OpenShift Install. -
Enter a homepage URL, such as
https://oauth-openshift.apps.<cluster-name>.<cluster-domain>. -
Optional: Enter an application description.
-
Enter the authorization callback URL, where the end of the URL contains the identity provider
name:https://oauth-openshift.apps.<cluster-name>.<cluster-domain>/oauth2callback/<idp-provider-name>For example:
https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/Github.Note:
<idp-provider-name>is case-sensitive. Name is defined here. -
Click Register application. GitHub provides a client ID and a client secret. You need these values to complete the identity provider configuration.
-
You need to either create
terraform.tfvarsfile in this directory or add the following items to your existing*.tfvarsfile. You may also export these variables as environmental variables with the following commands:- This value is the generated GitHub client secret to validate your account. It can be found in the settings of your GitHub account.
export TF_VAR_github_client_secret=<github_client_secret> - This value is your GitHub client ID. It can be found in the settings of your GitHub account.
export TF_VAR_github_client_id=<client_id> - This value is your GitHub organization.
export TF_VAR_github_orgs='["<github_org>"]' - This variable is your full OpenShift Cluster Manager offline token that you generated in the prerequisites.
export TF_VAR_token=<ocm_offline_token> - This value should always point to
https://api.openshift.com.export TF_VAR_url=<ocm_url> - The ID of the cluster for which you are creating the identity provider. This ID can be found in the
rosacommand-line interface (CLI) with the commandrosa list cluster.export TF_VAR_cluster_id=<cluster_id>
- This value is the generated GitHub client secret to validate your account. It can be found in the settings of your GitHub account.
-
In your local copy of the
githubfolder, run the following command:terraform initRunning this command accesses all the necessary provider information to apply your Terraform plan.
-
Optional: Run the
plancommand to ensure that your Terraform files build correctly without errors. This is not required to apply your Terraform plans.terraform plan -out github.tfplan -
Run the apply command to create your GitHub identity provider.
Note: If you did not run the
plancommand, you can simply justapplywithout specifying a file.terraform apply <"github.tfplan"> -
The Terraform applies the plan and creates your identity provider using GitHub. You will see a prompt to confirm you want to create these resources. Enter
yes, then the process will complete with your resources.
After you are done with the resources you created, you should not delete them manually, but instead, use the destroy command. Run the following to delete all of your created resources:
terraform destroy
After the command is complete, your resources are deleted.
NOTE: If you manually delete a resource, you create unresolvable issues within your environment.