Hello David,

I have some questions about certificates in OpenShift. To begin, do I have to modify the 'servingInfo.clientCA' parameter and specify this CA: '/etc/origin/master/ca.crt'?

And there are several clientCA parameters. Do I have to use this one?

    ---
    assetConfig:
      logoutURL: ""
      masterPublicURL: https://10.0.2.15:8443
      publicURL: https://10.0.2.15:8443/console/
      servingInfo:
        bindAddress: 0.0.0.0:8443
        certFile: master.server.crt
        clientCA: "ca.crt"
    ---

To create the client certificate, I have to use the oadm create-api-client-config tool, don't I?

For example:

    oadm create-api-client-config \
      --certificate-authority='/etc/origin/master/ca.crt' \
      --master='https://master.domain.es:8443' \
      --client-dir='/etc/origin/master/usertest' \
      --signer-cert='/etc/origin/master/ca.crt' \
      --signer-key='/etc/origin/master/ca.key' \
      --signer-serial='/etc/origin/master/ca.serial.txt' \
      --user='usertest'

Once created, is it possible to test it with the oc client?

If I do:

    oc config set-credentials usertest --client-certificate=/etc/origin/master/usertest/usertest.crt

I do not know if it should already be logged into the system or if I have to log in again with oc login.

Thanks.

2015-11-16 14:34 GMT+01:00 David Eads <deads redhat com>:

It is possible, but you have to be very careful what you sign. Client certificates operate directly against the API server and provide a User, not an Identity (see https://docs.openshift.org/latest/architecture/additional_concepts/other_api_objects.html#user-objects for the distinction between them).

If you take a look here: https://docs.openshift.org/latest/install_config/master_node_configuration.html, you can find the `servingInfo.clientCA` element. That controls which CA is trusted to sign client certificates that are presented to the API server. If you sign a cert containing `Organization`, that will be considered the effective groups for the User.

You can add your client certificates to your ~/.kube/config file (equivalent of `oc login`) by running `oc config set-credentials`.

Jordan can probably tell you if they work for the console.

On Mon, Nov 16, 2015 at 6:20 AM, Fran Barrera <franbarrera6 gmail com> wrote:

Hello,

We need to configure OpenShift to allow authentication with client certificates. We are reading this doc (https://docs.openshift.org/latest/install_config/configuring_authentication.html) but we don't see anything.

If it is possible, what are the options that would work? CLI, Web Console, API?

Best Regards,
Fran.