Identity provider (IDP): When working with OpenShift, authentication is critical. By default, password-based SSH is disabled, and secure alternatives like key-based SSH and Identity Providers (IDPs) are used. An IDP is the source of user data; it can be LDAP, HTPasswd, Google, GitHub, etc. We can use a single provider, or we can use multiple providers.
We use the OpenShift Client (oc) command to log in to OpenShift from a workstation. The oc command is available for all operating systems (Windows, Mac, Linux). To log in, we use the command below:
oc login -u <user name> -p <password of the user> <ocp_url, e.g. https://example.com:6443>
In OpenShift, one of the most popular identity providers is HTPasswd. To use HTPasswd we need to install the httpd-tools package.
To use HTPasswd we need to create an HTPasswd file on our workstation. Each line of this file contains user name:bcrypt-hashed password. The size of the file cannot exceed 1 MB. To create the HTPasswd file we use the command below:
htpasswd -c -B -b <file_name> <user_name> <password>
-c → create file (use only the first time).
-B → bcrypt hash (recommended).
-b → batch mode (provide password inline).
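An added example (not part of the original post): a pre-flight check that confirms the file respects the 1 MB limit and that every entry is a bcrypt hash before the file is handed to OpenShift. The helper name check_htpasswd and the sample entries are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: pre-flight check of an htpasswd file before it is turned
# into an OpenShift secret. check_htpasswd is a hypothetical helper name.

MAX_BYTES=1048576   # the 1 MB limit stated above

# check_htpasswd FILE: prints one finding per problem; returns 0 only if clean
check_htpasswd() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "file is $size bytes, over the 1 MB limit"
        return 1
    fi

    # Each entry must be user:hash with a unique user and a 60-character
    # bcrypt hash ($2y$, $2a$ or $2b$ prefix), which is what -B produces.
    awk -F: '
        /^[ \t]*$/ { next }
        NF < 2 || $1 == "" { printf "line %d: not user:hash\n", NR; bad = 1; next }
        seen[$1]++ { printf "line %d: duplicate user %s\n", NR, $1; bad = 1 }
        $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ || length($2) != 60 {
            printf "line %d: %s is not bcrypt (was -B used?)\n", NR, $1; bad = 1
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample: one bcrypt-shaped entry and one apr1 (MD5) entry, the
# format htpasswd writes when -B is omitted. The hashes are not real.
sample=$(mktemp)
cat > "$sample" <<'EOF'
developer:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
tester:$apr1$abcdefgh$0123456789abcdefghijkl
EOF
check_htpasswd "$sample" || echo "fix the file before creating the secret"
rm -f "$sample"
```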
We create this file on our local machine, and we need to provide the file to OpenShift for authentication. Whenever you provide data to OpenShift, there are two methods.
To convert the file into an OpenShift secret we use the command below:
oc create secret generic <secret name> --from-file htpasswd=<htpasswd file location and name> -n openshift-config
After creating the secret we need to modify the OpenShift OAuth config YAML file. Before modifying it, we can take a backup of the config file.
We need to add the lines below after the identityProvider:
After adding the lines we need to apply the file using the command below:
oc apply -f oauth.yaml
Now your Identity Provider is ready to use. The user name and password stored in the HTPasswd file can now be used to log in to the system.
Using HTPasswd Identity Provider is one of the simplest ways to enable authentication in OpenShift. For production, you can integrate with LDAP, GitHub, or corporate SSO for more scalable identity management.