OSDOCS#12643: Docs for BYO OIDC auth provider

Author: bergerhoffer

_topic_maps/_topic_map.yml

@@ -1324,6 +1324,8 @@ Topics:
     File: configuring-google-identity-provider
   - Name: Configuring an OpenID Connect identity provider
     File: configuring-oidc-identity-provider
+- Name: Enabling direct authentication with an OIDC identity provider 
+  File: external-auth
 - Name: Using RBAC to define and apply permissions
   File: using-rbac
 - Name: Removing the kubeadmin user

authentication/external-auth.adoc

@@ -0,0 +1,46 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="external-auth"]
+= Enabling direct authentication with an OIDC identity provider
+include::_attributes/common-attributes.adoc[]
+:context: external-auth
+
+toc::[]
+
+// TODO: Try to avoid back-to-back "You can"
+You can configure {product-title} to use an external OpenID Connect (OIDC) identity provider to issue tokens for authentication, replacing the built-in OpenShift OAuth server. While the built-in OpenShift OAuth server supports integration with a variety of identity providers, including external OIDC identity providers, it is limited to the capabilities of the OAuth server itself.
+
+You can directly integrate external OIDC identity providers with {product-title} to facilitate machine-to-machine workflows, such as CLI, and provide additional capabilities that are not available when using the built-in OpenShift OAuth server.
+
+:FeatureName: Direct authentication with an OIDC identity provider
+include::snippets/technology-preview.adoc[]
+
+
+
+// About direct authentication with an OIDC identity provider
+include::modules/external-auth-about.adoc[leveloffset=+1]
+
+// Direct authentication identity providers
+include::modules/external-auth-providers.adoc[leveloffset=+2]
+
+// TODO: These prereqs here or in the module prereqs? Prob worth keeping this one both places.
+// Before or after about content?
+[id="prerequisites_{context}"]
+== Prerequisites
+
+* Before replacing the built-in OAuth server with an external provider, ensure that you have access to a valid `kubeconfig` file.
++
+[IMPORTANT]
+====
+If there are any issues with the external identity provider, you can use the `kubeconfig` file to gain access to the {product-title} cluster in an emergency situation.
+====
+
+// Configuring an OIDC identity provider for direct authentication
+include::modules/external-auth-configuring.adoc[leveloffset=+1]
+
+// OIDC provider configuration parameters
+include::modules/external-auth-fields.adoc[leveloffset=+2]
+
+// TODO: Consider configs for keycloak and entra ID?
+
+// Disabling a direct authentication OIDC identity provider
+include::modules/external-auth-disabling.adoc[leveloffset=+1]

modules/external-auth-about.adoc

@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * authentication/external-auth.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="external-auth-about_{context}"]
+// = About direct authentication for {product-title}
+
+= About direct authentication with an OIDC identity provider
+
+// TODO: title
+
+TODO

modules/external-auth-configuring.adoc

@@ -0,0 +1,180 @@
+// Module included in the following assemblies:
+//
+// * authentication/external-auth.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-auth-configuring_{context}"]
+// = Configuring {product-title} to use an external authentication provider
+
+= Configuring an OIDC identity provider for direct authentication
+
+TODO: intro
+
+:FeatureName: Direct authentication with an OIDC identity provider
+include::snippets/technology-preview.adoc[]
+
+This example uses Keycloak as the identity provider, configured with a user named `user1`, who is a member of `group1`.
+
+Or provide this as bullets:
+
+* User called `user1` (does this matter?)
+* Group called `group1`, which `user1` as a member (does this matter?)
+* Clients for console and client
+* Creates a secret for console login / console client
+* Creates a config map to store the ca-bundle.crt
+
+// TODO: check other test cases for any other use cases / things we need to document too
+
+// TODO: Do we need to give any tips for configuring Keycloak?
+
+.Prerequisites
+
+* You have enabled the `TechnologyPreviewNoUpgrade` feature set.
+// TODO: Do we call this out? Do they have to do that whole thing, or can they do just the `ExternalOIDC` feature gate?
+* You have configured your external authentication provider. This procedure uses Keycloak as the identity provider.
+* You have access to a `kubeconfig` file for the cluster, to ensure that you still have access to the cluster in the case of an issue with the external authentication provider.
+* You have access to the cluster as a user with the `cluster-admin` role.
++
+// TODO actually, we need to say to be logged in using the kubeconfig...
+
+.Procedure
+
+. Log in w/ kubeconfig (TODO: detail why).
+
+. Create a secret (TODO: detail why) by running the following command:
++
+[source,terminal]
+----
+$ oc create secret generic console-secret \ <1>
+    --from-literal=clientSecret=<secret_value> \ <2>
+    -n openshift-config
+----
+<1> TODO
+<2> Replace `<secret_value>` with the value of the secret for the client in Keycloak.
++
+// TODO: Update callouts with comment syntax
+
+. Extract (TODO: detail why) by running the following command:
++
+[source,terminal]
+----
+$ oc extract cm/default-ingress-cert -n openshift-config-managed --to=router-ca
+----
++
+// TODO: update router-ca example directory
+
+. Create a config map (TODO: detail why) by running the following command:
++
+[source,terminal]
+----
+$ oc create configmap keycloak-oidc-ca --from-file=ca-bundle.crt=router-ca/ca-bundle.crt \ <1>
+    -n openshift-config
+----
++
+// TODO: Update callouts with comment syntax
+
+
+
+. Patch the authentication configuration:
++
+// TODO: Patch or manually edit? Patch the authentication config - oc patch authentication.config/cluster --type=merge -p="
++
+[source,yaml]
+----
+# ...
+spec:
+  oidcProviders: <1>
+  - claimMappings:
+      groups:
+        claim: groups <2>
+        prefix: 'oidc-groups-test:'
+      username:
+        claim: email <3>
+        prefixPolicy: Prefix
+        prefix:
+          prefixString: 'oidc-user-test:'
+    issuer:
+      audiences: <4>
+      - console-test
+      - oc-cli-test
+      issuerCertificateAuthority:
+        name: keycloak-oidc-ca <5>
+      issuerURL: https://keycloak-keycloak.apps.example.com/realms/master <6>
+    name: 'keycloak-oidc-server' <7>
+    oidcClients:
+    - clientID: oc-cli-test <8>
+      componentName: cli
+      componentNamespace: openshift-console
+    - clientID: console-test <9>
+      clientSecret:
+        name: console-secret <10>
+      componentName: console
+      componentNamespace: openshift-console
+  type: OIDC <11>
+  webhookTokenAuthenticator: null <12>
+----
+<1> The OIDC provider configuration.
+<2> The name of the claim to construct group names for the cluster identity.
+<3> The name of the claim to construct usernames for the cluster identity.
+<4> The list of audience IDs that this authentication provider issues tokens for.
+<5> The name of the config map that contains the `ca-bundle.crt` key. If unset, system trust is used instead.
+<6> The URL for the token issuer.
+<7> The name for external OIDC provider.
+<8> The client ID that your provider uses for the {oc-first}.
+<9> The client ID that your provider uses for the {product-title} web console.
+<10> The name of the secret that stores the secret value for the console client.
+<11> A value of `OIDC` indicates to use an external OIDC identity provider.
+<12> Must be set to `null` when `type` is set to `OIDC`.
++
+//TODO what does end of #5 mean? https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-79807 - don't see the difference in config for issuerCertificateAuthority being unset
++
+For the more details on all available parameters, see "OIDC provider configuration parameters".
+
+.Verification
+
+. Wait for the cluster to roll out new revisions to all nodes.
+
+.. Check the Kubernetes API server Operator status by running the following command:
++
+[source,terminal]
+----
+$ oc get co kube-apiserver
+----
++
+.Example output
+[source,terminal]
+----
+NAME             VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
+kube-apiserver   4.19.0    True        True          False      85m     NodeInstallerProgressing: 2 node are at revision 8; 1 node is at revision 10
+----
++
+The message in the above example shows that one node has progressed to the new revision and two nodes have not yet updated. It can take 30 minutes or more to roll out the new revision to all nodes, depending on the size of your cluster.
+
+..
+
+
+Auth Operator
+
+
+Check kube-apiserver pods
+oc get po -n openshift-kube-apiserver -L revision -l apiserver
+
+Can see the revisions there
+
+Check auth operator
+oc get co authentication
+
+Not sure what to check for here, but not sure if it’s necessary anyways
+
+Check console cluster operator
+oc get co console
+
+Not sure what to check for here, but not sure if it’s necessary anyways
+
+Check console pods
+oc get po -n openshift-console
+
+Assume looking for the pods age to be new
+
+
+TODO: I guess test logging in via CLI and console? Could take awhile for them to roll out though.

modules/external-auth-disabling.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * authentication/external-auth.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-auth-disabling_{context}"]
+// = Disabling a direct authentication OIDC identity provider
+
+= Disabling direct authentication
+
+.Prerequisites
+
+// TODO: Sync these prereqs with the main one once that's complete
+* You have access to a `kubeconfig` file for the cluster, to ensure that you still have access to the cluster in the case of an issue with the external authentication provider.
+* You have access to the cluster as a user with the `cluster-admin` role.
++
+// TODO actually, we need to say to be logged in using the kubeconfig...
+
+.Procedure
+
+* TODO