copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2024-09-09 |
openshift, {{site.data.keyword.openshiftlong_notm}}, kubernetes, oauth, console, access, vpe, pse, network |
openshift |
{{site.data.keyword.attribute-definition-list}}
{: #setting-oauth-access-type}
[Virtual Private Cloud]{: tag-vpc}
Review the following steps to set the exposure method for the OpenShift web console and OAuth. Note that these steps apply to {{site.data.keyword.openshiftlong_notm}} clusters on VPC infrastructure with only the private service endpoint enabled. {: shortdesc}
Choose between the following options when setting the OpenShift console and OAuth exposure method.
Virtual Private Endpoint Gateway (vpe-gateway
,vpegw
)
: This is default access type for version 4.13. For more information, see Accessing VPC clusters through the VPE gateway.
Private Service Endpoint URL (legacy
)
: This is default access type for cluster versions 4.12 and earlier and 4.14 and later. For more information, see Accessing clusters through the private cloud service endpoint.
Making the Virtual Private Endpoint Gateway for OAuth and console access the default behavior for all clusters is available on an allowlist basis. To request that your account be allowlisted, see Requesting access to allowlisted features. {: tip}
{: #oauth-access-set-cli} {: cli}
-
Run the
cluster master console-oauth-access set
command to set the access type for your cluster.ibmcloud oc cluster master console-oauth-access set --cluster CLUSTER --type vpe-gateway|legacy
{: pre}
-
Verify the access the type.
ibmcloud oc cluster master console-oauth-access get --cluster CLUSTER
{: pre}
-
Review the output and verify the OAuth access type.
- [4.13 clusters]{: tag-red}: If the value is empty, the
vpe-gateway
behavior is being used. - [4.14 clusters]{: tag-red} and later: If the value is empty, the
legacy
behavior is being used.
- [4.13 clusters]{: tag-red}: If the value is empty, the
{: #oauth-access-get-cli} {: cli}
-
To view the access type for your cluster, run the
cluster master console-oauth-access get
command.ibmcloud oc cluster master console-oauth-access get --cluster CLUSTER
{: pre}
-
Review the output and verify the OAuth access type.
- [4.13 clusters]{: tag-red}: If the value is empty, the
vpe-gateway
behavior is being used. - [4.14 clusters]{: tag-red} and later: If the value is empty, the
legacy
behavior is being used.
- [4.13 clusters]{: tag-red}: If the value is empty, the
{: #oauth-access-set-api} {: api}
You can use the POST /network/v2/oauth-access-type/{idOrName}/set
API to set the access type for your cluster.
-
Access your {{site.data.keyword.redhat_openshift_notm}} cluster.
-
Get the name or ID of your cluster. To list the clusters that you have access to, use the
GET /v1/clusters
API or runibmcloud ks cluster ls
. -
Run the following request. Replace
{idOrName}
with the name or ID of your cluster.curl -X POST "https://containers.cloud.ibm.com/network/v2/oauth-access-type/{idOrName}/set" -H "accept: application/json" -H "Authorization: TOKEN" -H "X-Auth-Resource-Group: RESOURCE-GROUP" -H "Content-Type: application/json" -d "{ \"oauth_access_type\": \"string\"}"
{: pre}
oauth-access-type
:vpegw
: Specifyvpegw
to expose the OpenShift console and OAuth using the Virtual Private Endpoint gateway. :legacy
: Specifylegacy
to expose the OpenShift console and OAuth using the Private Service Endpoint URL. -
Review the output and verify the OAuth access type is set.
-
After setting the access type, you must perform a cluster master refresh.
ibmcloud oc cluster master refresh --cluster CLUSTER
{: pre}
{: #oauth-access-get-api} {: api}
You can use the GET /network/v2/oauth-access-type/{idOrName}
API to get the access type details for your cluster.
-
Access your {{site.data.keyword.redhat_openshift_notm}} cluster.
-
Get the name or ID of your cluster. To list the clusters that you have access to, use the
GET /v1/clusters
API or runibmcloud ks cluster ls
. -
Run the following request.
curl -X GET "https://containers.cloud.ibm.com/global/network/v2/oauth-access-type/{idORName}" -H "accept: application/json" -H "Authorization: TOKEN" -H "X-Auth-Resource-Group: RESOURCE-GROUP" -H "Content-Type: application/json"
{: pre}
-
Review the output and verify the OAuth access type.
- [4.13 clusters]{: tag-red}: If the value is empty, the
vpegw
behavior is being used. - [4.14 clusters]{: tag-red} and later: If the value is empty, the
legacy
behavior is being used.
- [4.13 clusters]{: tag-red}: If the value is empty, the