How to use Microsoft Entra ID (formerly known as Azure AD) as Identity Provider and/or Auth for Red Hat OpenShift Container Platform (OCP)
The pros and cons of the following options need to be weighed:
- LDAP: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/authentication_and_authorization/configuring-identity-providers#configuring-ldap-identity-provider
- OpenID: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/authentication_and_authorization/configuring-identity-providers#configuring-oidc-identity-provider; it must be decided how groups are handled (see "Using OIDC Group Claims as an alternative to the Group Sync Operator in OpenShift"):
  - Use the OIDC groups claim
  - Use the Group Sync Operator (not supported by Red Hat)
- External auth: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/authentication_and_authorization/external-auth
Create a .env file with the required content; in my case:

TENANT=<...>
CLIENT_ID=<...>
PASSWORD=<...>
SUBSCRIPTION=<...>
RESOURCE_GROUP=<...>
OPENSHIFT_ADMIN_USERNAME=<...>
OPENSHIFT_ADMIN_PASSWORD=<...>
OPENSHIFT_API_URL=<...>

To be able to log in:

source ./.env
az login --tenant $TENANT
oc login --username ${OPENSHIFT_ADMIN_USERNAME} --password ${OPENSHIFT_ADMIN_PASSWORD} ${OPENSHIFT_API_URL}

LDAP group sync: synchronizes the groups without having to do anything else. https://github.com/OpenShiftDemos/openshift-ops-workshops/blob/ocp4-prod/workshop/content/ldap-groupsync.adoc
For the "OIDC groups claim" to work, it must be configured in Entra ID following the procedure described in "How to Enable Groups Claim on Azure Active Directory for OpenID Connect", together with some notes from "Users are not pulling back groups from Microsoft Entra using OIDC groups claim".
External auth is in Tech Preview and only one IdP can be configured.
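As an added example (not part of the original notes), this is how the OpenID option with the OIDC groups claim can be wired into the cluster from the .env variables above: a Secret holding the app registration's client secret and the cluster OAuth CR whose claims.groups maps the "groups" token claim. It assumes PASSWORD in the .env is the Entra app registration's client secret, and the names entra-id and entra-id-client-secret are my choices.

```shell
#!/usr/bin/env bash
# Added example: render and apply the OpenShift OAuth config for an Entra ID
# OpenID Connect identity provider that consumes the "groups" claim.
# Assumes TENANT, CLIENT_ID and PASSWORD are exported from the .env above;
# PASSWORD is assumed to be the app registration's client secret.
set -eu

# Secret with the client secret. It must live in openshift-config, the
# namespace the authentication operator reads identity provider secrets from.
render_client_secret() {
  # $1 = secret name, $2 = client secret value
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: openshift-config
type: Opaque
stringData:
  clientSecret: $2
EOF
}

# Cluster OAuth CR. The issuer is the tenant's v2.0 endpoint and claims.groups
# maps the "groups" claim, so group membership comes from the token itself
# instead of a sync operator (the claim must first be enabled in Entra ID).
render_oauth_cr() {
  # $1 = tenant id, $2 = application (client) id, $3 = secret name
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: entra-id
    mappingMethod: claim
    type: OpenID
    openID:
      issuer: https://login.microsoftonline.com/$1/v2.0
      clientID: $2
      clientSecret:
        name: $3
      claims:
        preferredUsername: [email]
        name: [name]
        email: [email]
        groups: [groups]
EOF
}

# Apply both objects; call this after "oc login" with a cluster-admin account.
apply_entra_oidc() {
  render_client_secret entra-id-client-secret "$PASSWORD" | oc apply -f -
  render_oauth_cr "$TENANT" "$CLIENT_ID" entra-id-client-secret | oc apply -f -
}
```

After applying, check that the groups arrive with `oc get identity` and `oc get groups`; if they do not, the groups claim is most likely not enabled on the Entra app registration.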