Configuring Entra ID (Azure AD) Authentication for ARO

This guide explains how to configure Azure Entra ID (formerly Azure Active Directory) authentication for an Azure Red Hat OpenShift (ARO) cluster.

Prerequisites

• Access to the ARO cluster with cluster-admin privileges
• Azure CLI installed and authenticated
• The oc CLI tool installed and configured
• Permissions to create Azure AD applications
• A client secret for the Azure AD application

Configure Entra ID Authentication

1. Set cluster variables

First, gather the necessary information about your ARO cluster:

Bash

resource_group="aro-prd-we-rg"
aro_cluster="aro-prd-we"

domain=$(az aro show -g $resource_group -n $aro_cluster --query clusterProfile.domain -o tsv)
location=$(az aro show -g $resource_group -n $aro_cluster --query location -o tsv)
apiServer=$(az aro show -g $resource_group -n $aro_cluster --query apiserverProfile.url -o tsv)
webConsole=$(az aro show -g $resource_group -n $aro_cluster --query consoleProfile.url -o tsv)

oauthCallbackURL="https://oauth-openshift.apps.$domain/oauth2callback/AAD"

PowerShell

$resource_group = "aro-prd-we-rg"
$aro_cluster = "aro-prd-we"

$domain = $(az aro show -g $resource_group -n $aro_cluster --query clusterProfile.domain -o tsv)
$location = $(az aro show -g $resource_group -n $aro_cluster --query location -o tsv)
$apiServer = $(az aro show -g $resource_group -n $aro_cluster --query apiserverProfile.url -o tsv)
$webConsole = $(az aro show -g $resource_group -n $aro_cluster --query consoleProfile.url -o tsv)

$oauthCallbackURL = "https://oauth-openshift.apps.$domain/oauth2callback/AAD"

2. Create Azure AD Application

Create an Azure AD application registration with the OAuth callback URL:

Bash

app_id=$(az ad app create --query appId -o tsv --display-name "aro-prd-we-auth" --reply-urls $oauthCallbackURL --password $client_secret)

PowerShell

$app_id = $(az ad app create --query appId -o tsv --display-name "aro-prd-we-auth" --reply-urls $oauthCallbackURL --password $client_secret)

Note: Replace aro-prd-we-auth with a descriptive name for your application.

3. Add API permissions

Add the required Microsoft Graph API permissions:

az ad app permission add --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope --id $app_id

This grants the "Sign in and read user profile" delegated permission.

4. Login to the ARO cluster

Retrieve the kubeadmin credentials and login:

Bash

kubeadmin_password=$(az aro list-credentials --name $aro_cluster --resource-group $resource_group --query kubeadminPassword --output tsv)
oc login $apiServer -u kubeadmin -p $kubeadmin_password

PowerShell

$kubeadmin_password = $(az aro list-credentials --name $aro_cluster --resource-group $resource_group --query kubeadminPassword --output tsv)
oc login $apiServer -u kubeadmin -p $kubeadmin_password

5. Create OpenID client secret

Create a secret in the openshift-config namespace containing the client secret:

oc create secret generic openid-client-secret-azuread \
  --namespace openshift-config \
  --from-literal=clientSecret=$client_secret

6. Create authentication secret

Create an additional secret in the openshift-authentication namespace:

oc create secret generic v4-0-config-user-idp-0-client-secret \
  --from-literal=clientSecret=$client_secret \
  -n openshift-authentication

7. Configure OAuth identity provider

Create and apply the OAuth configuration to integrate Azure AD. You can use the OpenShift web console or create a YAML manifest:

Example OAuth configuration:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: AAD
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: <your-app-id>
      clientSecret:
        name: openid-client-secret-azuread
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      issuer: https://login.microsoftonline.com/<your-tenant-id>

Apply the configuration:

oc apply -f oauth-config.yaml

Patching the OAuth Route (Optional)

If the OAuth route is not configured to use your custom certificate, you may need to update it to ensure that the OAuth server uses the correct certificate.

Get the current OAuth route

First, fetch the current configuration of the OAuth route:

oc get route -n openshift-authentication oauth-openshift -o yaml

Review the output to understand the current configuration.

Create a secret for the OAuth certificate

If you haven't already created a secret for your custom certificate, do so now:

oc create secret tls oauth-cert-secret \
  --cert=/path/to/custom-cert.pem \
  --key=/path/to/custom-key.pem \
  -n openshift-authentication

Patch the OAuth route to use the custom certificate

Patch the OAuth route to use your custom certificate:

Using base64-encoded files:

oc patch route oauth-openshift -n openshift-authentication --type=merge -p '{"spec":{"tls":{"termination":"reencrypt","key":"<base64-encoded-key>","certificate":"<base64-encoded-cert>","caCertificate":"<base64-encoded-ca-cert>"}}}'

Ensure that <base64-encoded-key>, <base64-encoded-cert>, and <base64-encoded-ca-cert> are replaced with the base64-encoded contents of your key, certificate, and CA certificate files. You can encode the files using:

base64 /path/to/custom-key.pem
base64 /path/to/custom-cert.pem
base64 /path/to/custom-ca-cert.pem

Using files directly (Linux/Mac):

oc patch route oauth-openshift -n openshift-authentication --type=merge -p "{\"spec\":{\"tls\":{\"termination\":\"reencrypt\",\"key\":\"$(cat /path/to/custom-key.pem | base64 -w 0)\",\"certificate\":\"$(cat /path/to/custom-cert.pem | base64 -w 0)\",\"caCertificate\":\"$(cat /path/to/custom-ca-cert.pem | base64 -w 0)\"}}}"

Note: The base64 -w 0 option ensures that the base64 output is in a single line, which is necessary for JSON compatibility.

Verify the patched route

After patching the route, verify that the changes have been applied:

oc get route -n openshift-authentication oauth-openshift -o yaml

Ensure that the spec.tls section reflects the new certificate configuration.

Restart the OAuth pods

To apply the changes, restart the OAuth pods:

oc delete pod -l app=oauth-openshift -n openshift-authentication

Verify the certificate

Check that the OAuth server is now serving the custom certificate:

openssl s_client -connect oauth-openshift.apps.aro-prd-we.example.com:443 -showcerts

Replace aro-prd-we.example.com with your actual domain.

Troubleshooting

Check authentication operator logs:

oc logs deployment.apps/authentication-operator -n openshift-authentication-operator

Test API authentication with bearer token:

curl -H "Authorization: Bearer <your-token>" "https://api.aro-prd-we.example.com:6443/apis/user.openshift.io/v1/users/~"

Check OAuth pods status:

oc get pods -n openshift-authentication

View OAuth configuration:

oc get oauth cluster -o yaml

Check identity provider status:

oc get authentication.config.openshift.io cluster -o yaml

Verification

After completing the configuration, verify that Azure AD authentication is working:

1. Navigate to the OpenShift web console
2. You should see "AAD" as a login option
3. Click on AAD and authenticate with your Azure AD credentials
4. Verify you can access the cluster with your Azure AD identity

Documentation

For further details, refer to the official documentation:

• Configuring Azure AD Authentication for ARO
• OpenShift Identity Providers