How to configure an HTPasswd identity provider in OpenShift 4?

Resolution

Note: For OSD and ROSA clusters, please refer to How to use HTPasswd IdP on ROSA or OSD cluster.

Configuration for OpenShift Container Platform 4

1. Create an HTPasswd file by installing the htpasswd utility by installing the httpd-tools package:

   # yum install httpd-tools
   

2. Create or update an users.htpasswd file (note that the -c option will rewrite and truncate the file if already exists) with a user name and hashed password:

   $ htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
   

3. Create the HTPasswd Secret with the previously created users.htpasswd file:

   $ oc create secret generic htpass-secret --from-file=htpasswd=</path/to/users.htpasswd> -n openshift-config
   

4. Create a custom resource for an HTPasswd identity provider:

   $ cat auth.cr
   apiVersion: config.openshift.io/v1
   kind: OAuth
   metadata:
     name: cluster
   spec:
     identityProviders:
     - name: my_htpasswd_provider
       challenge: true
       login: true
       mappingMethod: claim
       type: HTPasswd
       htpasswd:
         fileData:
           name: htpass-secret
   

5. Apply the defined CR:

   $ oc apply -f </path/to/CR>
   

6. Now login using newly created user:

   $ oc login -u <username>
   

7. Confirm that the user logged in successfully, and display the user name:

   $ oc whoami
   

Updating users for an htpasswd identity provider

You can add or remove users from an existing htpasswd identity provider.

Prerequisites

• You have created a Secret object that contains the htpasswd user file. This procedure assumes that it is named htpass-secret.
• You have configured an HTPasswd identity provider. This procedure assumes that it is named my_htpasswd_provider.

• You have access to the htpasswd utility. On Red Hat Enterprise Linux this is available by installing the httpd-tools package.

  $ sudo yum install httpd-tools
  

• You have cluster administrator privileges.

Procedure

1. Retrieve the htpasswd file from the htpass-secret Secret object and save the file to your file system:

   $ oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > users.htpasswd
   

2. Add or remove users from the users.htpasswd file.

• To add a new user:

  $ htpasswd -bB users.htpasswd <username> <password>
  

• To remove an existing user:

  $ htpasswd -D users.htpasswd <username>
  

3. Replace the htpass-secret Secret object with the updated users in the users.htpasswd file:

   $ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
   

4. If you removed one or more users, you must additionally remove existing resources for each user.
   a. Delete the User object:

   $ oc delete user <username>
   

   Example output:

   user.user.openshift.io "<username>" deleted
   

   Be sure to remove the user, otherwise the user can continue using their token as long as it has not expired.

   b. Delete the Identity object for the user:

   $ oc delete identity my_htpasswd_provider:<username>
   

   Example output:

   identity.user.openshift.io "my_htpasswd_provider:<username>" deleted