docs/book/src/topics/rosa/external-auth.md
+6 -6 (6 additions & 6 deletions)
Original file line number
Diff line number
Diff line change
@@ -32,9 +32,9 @@ spec:
32
32
externalAuthProviders:
33
33
- name: my-oidc-provider
34
34
issuer:
35
-
issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Micorsoft Entra ID
35
+
issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Microsoft Entra ID
36
36
audiences: # audiences that will be trusted by the kube-apiserver
37
-
- "audience1"#usaully the client ID
37
+
- "audience1"#usually the client ID
38
38
claimMappings:
39
39
username:
40
40
claim: email
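Review bot: On new line 37, `- "audience1"#usually the client ID` still has no whitespace between the closing quote and `#`. YAML only treats `#` as the start of a comment when whitespace precedes it, so a reader who copies this snippet gets either a parse error or an audience value that is not the one intended. Since `audiences` is the list the kube-apiserver trusts, the example should be unambiguous: `- "audience1" # usually the client ID`.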
@@ -50,9 +50,9 @@ Note: `oidcProviders` only accepts one entry at the moment.
50
50
51
51
### Setting up RBAC
52
52
53
-
When `enableExternalAuthProviders` is set to `true`, ROSA provider will generate a temporarily admin kubeconfig secert in the same namespace named `<cluster-name>-bootstrap-kubeconfig`. This kubeonconfig can be used to access the cluster to setup RBAC for oidc users/groups.
53
+
When `enableExternalAuthProviders` is set to `true`, ROSA provider will generate a temporary admin kubeconfig secret in the same namespace named `<cluster-name>-bootstrap-kubeconfig`. This kubeconfig can be used to access the cluster to setup RBAC for OIDC users/groups.
54
54
55
-
For example, bind the `cluster-admin` to an oidc group, to give admin permissions to all users part of that group:
55
+
The following example binds the `cluster-admin`role to an OIDC group, giving all users in that group admin permissions.
56
56
```shell
57
57
kubectl get secret <cluster-name>-bootstrap-kubeconfig -o jsonpath='{.data.value}'| base64 -d > /tmp/capi-admin-kubeconfig
58
58
export KUBECONFIG=/tmp/capi-admin-kubeconfig
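Review bot: On new line 55, `cluster-admin`role is missing a space between the code span and "role", so it renders as one run-together word; on new line 53, "to setup RBAC" should use the verb form "set up". While this paragraph is being touched, note that the command on line 57 writes the admin kubeconfig to `/tmp/capi-admin-kubeconfig` with whatever permissions the user's umask allows. Since line 53 describes the secret as temporary admin access, a sentence telling readers to restrict the file's permissions and delete it once the RBAC binding is in place would fit here.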
@@ -69,7 +69,7 @@ The [kubelogin kubectl plugin](https://github.com/int128/kubelogin/tree/master)
69
69
### Configuring OpenShift Console
70
70
71
71
The OpenShift Console needs to be configured before it can be used to authenticate and login to the cluster.
72
-
1. Setup a new client in your OIDC provider with the following Redirect URL `<console-url>/auth/callback`. You can find the console URL in the status field of the `ROSAControlPlane` once the cluster is ready:
72
+
1. Setup a new client in your OIDC provider with the following Redirect URL:`<console-url>/auth/callback`. You can find the console URL in the status field of the `ROSAControlPlane` once the cluster is ready:
73
73
```shell
74
74
kubectl get rosacontrolplane <control-plane-name> -o jsonpath='{.status.consoleURL}'
75
75
```
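Review bot: On new line 72, the colon was added with no space before the code span, giving `Redirect URL:` immediately followed by `<console-url>/auth/callback`. Add a space after the colon so the redirect URL reads as a separate value and is easy to copy exactly into the OIDC provider's client configuration. "Setup a new client" should also be "Set up a new client", since it is used as a verb.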
@@ -91,7 +91,7 @@ The OpenShift Console needs to be configured before it can be used to authentica
91
91
externalAuthProviders:
92
92
- name: my-oidc-provider
93
93
issuer:
94
-
issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Micorsoft Entra ID
94
+
issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Microsoft Entra ID
95
95
audiences: # audiences that will be trusted by the kube-apiserver
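Review bot: This hunk corrects only the Entra ID comment on line 94 and stops at `audiences:` on line 95, whereas the first copy of this snippet also had its audience entry corrected on line 37. If the entry that follows line 95 repeats the same audience comment, apply the same correction there (including a space before `#`) so the two copies of the example do not drift apart.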