How to configure an HTPasswd identity provider in OpenShift 4?

Solution Verified

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4

Issue

  • How to configure an HTPasswd identity provider in OpenShift Container Platform 4?

Resolution

Note: For OpenShift Dedicated (OSD) and Red Hat OpenShift Service on AWS (ROSA) clusters, please refer to How to use HTPasswd IdP on ROSA or OSD cluster.

Configuration for OpenShift Container Platform 4

  1. Install the htpasswd utility, which is provided by the httpd-tools package:

    # yum install httpd-tools
    
  2. Create or update a users.htpasswd file with a user name and hashed password. The -B option stores a bcrypt hash; use it, because the default without -B is a weak MD5-based (apr1) hash. The -c option creates the file and truncates it if it already exists, so omit -c when adding a user to an existing file. The -b option takes the password on the command line, where it is visible in the shell history and in process listings; omit -b to be prompted for the password instead:

    $ htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
    
  3. Create the HTPasswd Secret with the previously created users.htpasswd file:

    $ oc create secret generic htpass-secret --from-file=htpasswd=</path/to/users.htpasswd> -n openshift-config
    
  4. Create a custom resource for an HTPasswd identity provider:

    $ cat auth.cr
    apiVersion: config.openshift.io/v1
    kind: OAuth
    metadata:
      name: cluster
    spec:
      identityProviders:
      - name: my_htpasswd_provider
        challenge: true
        login: true
        mappingMethod: claim
        type: HTPasswd
        htpasswd:
          fileData:
            name: htpass-secret
    
  5. Apply the defined CR:

    $ oc apply -f </path/to/CR>
    
  6. Log in as the newly created user (you are prompted for the password):

    $ oc login -u <username>
    
  7. Confirm that the user logged in successfully, and display the user name:

    $ oc whoami
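
The steps above as one script, added here as an example and not taken from the Red Hat article: before the users.htpasswd file becomes the cluster's credential store it checks that every entry is a bcrypt hash (what htpasswd -B produces) and reports any weaker entry, then renders the Secret manifest that step 3 creates, so the object can be reviewed before it is applied. It calls neither oc nor htpasswd; the sample file it writes contains placeholder hashes of the right shape, not real ones, and the secret name htpass-secret and the namespace openshift-config are the ones used in the procedure.

```shell
#!/usr/bin/env bash
# Added example, not part of the Red Hat article: audit a users.htpasswd
# file before it becomes the OAuth secret, and render the Secret manifest
# that step 3 creates with `oc create secret`. Nothing here calls oc or
# htpasswd; pass an existing file, or run `bash this.sh demo` to use the
# constructed sample below. The secret name htpass-secret and the
# namespace openshift-config are the ones used in the procedure above.
set -euo pipefail

# Print "user algorithm" for every entry whose hash is not bcrypt.
# `htpasswd -B` writes "$2y$..." ("$2a$"/"$2b$" on older builds); the
# default without -B is an apr1 MD5 hash, "{SHA}" is unsalted SHA-1, and
# anything else is crypt(3) or plaintext. Prints nothing if all are bcrypt.
htpasswd_weak_entries() {
  local file="$1" line user hash
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    user="${line%%:*}"
    hash="${line#*:}"
    case "$hash" in
      '$2y$'*|'$2a$'*|'$2b$'*) ;;                      # bcrypt: fine
      '$apr1$'*)               echo "$user apr1-md5" ;;
      '{SHA}'*)                echo "$user sha1" ;;
      *)                       echo "$user crypt-or-plaintext" ;;
    esac
  done < "$file"
  return 0
}

# Render the Secret as YAML instead of creating it in the cluster; this is
# what `oc create secret generic ... --dry-run=client -o yaml` would emit.
# The file contents are base64 encoded under the `htpasswd` key, which is
# the key the OAuth CR's htpasswd.fileData reads.
render_htpasswd_secret() {
  local file="$1" name="${2:-htpass-secret}" ns="${3:-openshift-config}" b64
  b64=$(base64 < "$file" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  htpasswd: ${b64}
EOF
}

# Constructed sample: the hashes are placeholders of the right shape, not
# real htpasswd output. alice uses bcrypt, bob the weak apr1 MD5 default.
write_sample_htpasswd() {
  cat > "$1" <<'EOF'
alice:$2y$05$placeholderplaceholderplaceholderplaceholderplaceholderpl
bob:$apr1$saltsalt$placeholderplaceholderpla
EOF
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_htpasswd "$tmp"
  echo "Entries not using bcrypt (regenerate these with htpasswd -B):"
  htpasswd_weak_entries "$tmp"
  echo
  render_htpasswd_secret "$tmp"
  rm -f "$tmp"
fi
```

Treat the rendered manifest like the password file itself: the hashes are credentials, so do not commit it to a repository; pipe it straight into `oc apply -f -` once it has been reviewed.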
    

Updating users for an htpasswd identity provider

You can add or remove users from an existing htpasswd identity provider.

Prerequisites
  • You have created a Secret object that contains the htpasswd user file. This procedure assumes that it is named htpass-secret.
  • You have configured an HTPasswd identity provider. This procedure assumes that it is named my_htpasswd_provider.
  • You have access to the htpasswd utility. On Red Hat Enterprise Linux this is available by installing the httpd-tools package.

    $ sudo yum install httpd-tools
    
  • You have cluster administrator privileges.

Procedure
  1. Retrieve the htpasswd file from the htpass-secret Secret object and save the file to your file system:

    $ oc get secret htpass-secret -o jsonpath='{.data.htpasswd}' -n openshift-config | base64 --decode > users.htpasswd
    
  2. Add or remove users from the users.htpasswd file.

  • To add a new user:

    $ htpasswd -bB users.htpasswd <username> <password>
    
  • To remove an existing user:

    $ htpasswd -D users.htpasswd <username>
    
  3. Replace the htpass-secret Secret object with the updated users in the users.htpasswd file:

    $ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
    
  4. If you removed one or more users, you must additionally remove existing resources for each user.
    a. Delete the User object:

    $ oc delete user <username>
    

    Example output:

    user.user.openshift.io "<username>" deleted
    

    Removing the user from the htpasswd file only prevents new logins. Be sure to delete the User object as well, otherwise the user can continue using an already issued token until it expires.

    b. Delete the Identity object for the user:

    $ oc delete identity my_htpasswd_provider:<username>
    

    Example output:

    identity.user.openshift.io "my_htpasswd_provider:<username>" deleted
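
The cleanup in step 4 is easy to forget when several users are removed at once. The following is an added example, not code from the Red Hat article: it compares the identities of the htpasswd provider against the current users.htpasswd file, lists the Identity objects whose user no longer has an entry, and prints the `oc delete user` and `oc delete identity` commands for review. It does not call oc itself; the list of identity names is read from a file prepared beforehand (the `oc get identity` invocation in the comment is the assumed way to produce it), the sample data is constructed, and the provider name my_htpasswd_provider is the one used above.

```shell
#!/usr/bin/env bash
# Added example, not part of the Red Hat article: after editing
# users.htpasswd, find Identity objects of the htpasswd provider whose user
# is no longer in the file and print the cleanup commands from step 4 for
# review. Nothing here calls oc; the identity list is read from a file
# produced beforehand, for example:
#   oc get identity -o custom-columns=NAME:.metadata.name --no-headers > identities.txt
# Run `bash this.sh demo` to use the constructed sample data below.
set -euo pipefail

# Exit 0 if USER has an entry in the htpasswd FILE (first colon-separated field).
has_user() {
  awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Print identity names of the form PROVIDER:<user> whose <user> is absent
# from the htpasswd file. Identities of other providers are ignored.
# Usage: orphaned_identities PROVIDER HTPASSWD_FILE IDENTITY_LIST_FILE
orphaned_identities() {
  local provider="$1" htfile="$2" idfile="$3" id user
  while IFS= read -r id || [ -n "$id" ]; do
    case "$id" in
      "${provider}:"*) user="${id#"${provider}:"}" ;;
      *) continue ;;
    esac
    has_user "$htfile" "$user" || echo "$id"
  done < "$idfile"
  return 0
}

# Print, for each orphan, the two deletions from step 4: the User object
# (so outstanding tokens stop working) and the Identity object.
# Review the output, then run it or pipe it to sh.
cleanup_commands() {
  local provider="$1" id user
  orphaned_identities "$@" | while IFS= read -r id; do
    user="${id#"${provider}:"}"
    echo "oc delete user $user"
    echo "oc delete identity $id"
  done
}

# Constructed sample data standing in for the decoded secret (hashes are
# placeholders) and for the identity names oc would list: bob was removed
# from the file but still has an Identity; other_provider:bob is untouched.
write_samples() {
  cat > "$1" <<'EOF'
alice:$2y$05$placeholderplaceholderplaceholderplaceholderplaceholderpl
carol:$2y$05$placeholderplaceholderplaceholderplaceholderplaceholderpl
EOF
  cat > "$2" <<'EOF'
my_htpasswd_provider:alice
my_htpasswd_provider:bob
my_htpasswd_provider:carol
other_provider:bob
EOF
}

if [ "${1:-}" = "demo" ]; then
  ht=$(mktemp); ids=$(mktemp)
  write_samples "$ht" "$ids"
  cleanup_commands my_htpasswd_provider "$ht" "$ids"
  rm -f "$ht" "$ids"
fi
```

Run it against the users.htpasswd decoded in step 1 and a fresh identity listing after the Secret has been replaced; only identities whose name starts with the provider name are considered, so users of other identity providers are never touched.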
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
