openshift/cluster-authentication-operator

cluster-authentication-operator

The authentication operator is an OpenShift ClusterOperator.
It installs and maintains the Authentication Custom Resource in a cluster. The operator's status can be viewed with:

$ oc get clusteroperator authentication -o yaml

The Custom Resource Definition authentications.operator.openshift.io
can be viewed in a cluster with:

$ oc get crd authentications.operator.openshift.io -o yaml

What This Operator Manages

The authentication operator manages the following operands:

  • oauth-openshift — the OAuth server deployment in the openshift-authentication namespace. Handles user authentication flows, login templates, and token generation.
  • oauth-apiserver — the OAuth API server deployment in the openshift-oauth-apiserver namespace. Serves the OAuth API resources (OAuthAccessTokens, OAuthAuthorizeTokens, OAuthClients).

For each operand, the operator manages the associated Deployments, Services, RBAC, NetworkPolicies, PodDisruptionBudgets, and monitoring resources (PrometheusRules, ServiceMonitor).

For a deeper look at the operator's architecture, see ARCHITECTURE.md.

Development

Many OpenShift ClusterOperators share common build, test, deployment, and update methods. For more information about how to build, deploy, test, update, and develop OpenShift ClusterOperators, see OpenShift ClusterOperator and Operand Developer Document.

To deploy OpenShift with your test cluster-authentication-operator image, see Testing a ClusterOperator/Operand image in a cluster.

For contribution guidelines, including pre-submit checks, dependency management, and testing expectations, see CONTRIBUTING.md.

Add a basic IdP to test your stuff

The most common identity provider for demoing and testing is the HTPasswd IdP.

To set it up, take the following steps:

  1. Create a new htpasswd file:

     $ htpasswd -bBc /tmp/htpasswd testuser testpasswd

  2. (optional) Add more users:

     $ htpasswd -bB /tmp/htpasswd testuser2 differentpassword

  3. Create a secret from that htpasswd file in the openshift-config namespace:

     $ oc create secret generic myhtpasswdidp-secret -n openshift-config --from-file=/tmp/htpasswd

  4. Configure the OAuth server to use the HTPasswd IdP from the secret by editing the spec of the cluster-wide OAuth/cluster object so that it looks like the one in this example:

     apiVersion: config.openshift.io/v1
     kind: OAuth
     metadata:
       name: cluster
     spec:
       identityProviders:
       - name: htpassidp
         type: HTPasswd
         htpasswd:
           fileData:
             name: myhtpasswdidp-secret

  5. The operator will now restart the OAuth server deployment and mount the new config.

  6. When the operator is available again (oc get clusteroperator authentication), you should be able to log in:

     $ oc login -u testuser -p testpasswd
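The steps above, collected into a small set of shell helpers. This is an added example, not code from the cluster-authentication-operator repository: it validates the htpasswd file before it is turned into a secret (every entry uses bcrypt, as the htpasswd -B commands above produce; no duplicate or malformed lines), builds the patch for the OAuth/cluster object so the edit can be applied non-interactively with oc patch instead of by hand, and polls the authentication ClusterOperator until it is Available again. The function names, the sample files and their placeholder hashes are all constructed here; only the wait function needs oc and a cluster, and it is not invoked by default.

```shell
#!/bin/sh
# Added example (not the operator's own code): offline helpers for the HTPasswd IdP steps.
# Assumes the htpasswd file was written with `htpasswd -B` (bcrypt), as in the steps above.

# Constructed sample files. The hashes are placeholder-shaped, not real credentials.
GOOD_HTPASSWD=$(mktemp)
cat > "$GOOD_HTPASSWD" <<'EOF'
testuser:$2y$05$PLACEHOLDERBCRYPTHASH000000000000000000000000000000000
testuser2:$2y$05$PLACEHOLDERBCRYPTHASH111111111111111111111111111111111
EOF
MIXED_HTPASSWD=$(mktemp)
cat > "$MIXED_HTPASSWD" <<'EOF'
testuser:$2y$05$PLACEHOLDERBCRYPTHASH000000000000000000000000000000000
legacyuser:{SHA}PLACEHOLDERSHA1HASH=
EOF

# Print the names of users whose hash is not bcrypt ($2a$, $2b$ or $2y$).
htpasswd_non_bcrypt_users() {
  awk -F: '$2 !~ /^\$2[aby]\$/ { print $1 }' "$1"
}

# Check an htpasswd file: every line is user:hash, no duplicated users, bcrypt only.
# Prints the first problem found and returns 1; returns 0 when the file is clean.
check_htpasswd() {
  file=$1
  if grep -vq '^[^:][^:]*:[^:][^:]*$' "$file"; then
    echo "malformed line(s) in $file"; return 1
  fi
  dups=$(cut -d: -f1 "$file" | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "duplicate user(s): $dups"; return 1
  fi
  weak=$(htpasswd_non_bcrypt_users "$file")
  if [ -n "$weak" ]; then
    echo "non-bcrypt hash for: $weak"; return 1
  fi
  return 0
}

# Build the JSON merge patch that points the OAuth server at the htpasswd secret.
# Caveat: a merge patch replaces the whole identityProviders list, so review the
# current list first (oc get oauth cluster -o yaml) and include every IdP to keep.
oauth_htpasswd_patch() {
  printf '{"spec":{"identityProviders":[{"name":"%s","type":"HTPasswd","htpasswd":{"fileData":{"name":"%s"}}}]}}\n' "$1" "$2"
}

# Poll the authentication ClusterOperator until it is Available and no longer
# Progressing. Needs oc and a cluster; not run by default. Returns 1 on timeout.
wait_for_authentication_operator() {
  timeout=${1:-300}
  while [ "$timeout" -gt 0 ]; do
    avail=$(oc get clusteroperator authentication -o jsonpath='{.status.conditions[?(@.type=="Available")].status}')
    prog=$(oc get clusteroperator authentication -o jsonpath='{.status.conditions[?(@.type=="Progressing")].status}')
    [ "$avail" = "True" ] && [ "$prog" = "False" ] && return 0
    sleep 10; timeout=$((timeout - 10))
  done
  return 1
}

# Offline run against the constructed files.
check_htpasswd "$GOOD_HTPASSWD" && echo "htpasswd file OK, safe to create the secret"
check_htpasswd "$MIXED_HTPASSWD" || echo "fix the file before creating the secret"
oauth_htpasswd_patch htpassidp myhtpasswdidp-secret
# Against a real cluster the patch is applied with:
#   oc patch oauth cluster --type merge -p "$(oauth_htpasswd_patch htpassidp myhtpasswdidp-secret)"
#   wait_for_authentication_operator && oc login -u testuser -p testpasswd
```

The bcrypt check exists because the file contents end up in a secret that the OAuth server reads on every login; keeping to the hash the htpasswd -B commands above produce avoids quietly shipping weaker legacy entries along with it.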

Tests

This repository is compatible with the OpenShift Tests Extension (OTE) framework.

Building the test binary

make build

Running test suites and tests

# Run a specific test suite
./cluster-authentication-operator-tests-ext run-suite openshift/cluster-authentication-operator/operator/parallel

# Run with parallel execution (4 workers)
./cluster-authentication-operator-tests-ext run-suite openshift/cluster-authentication-operator/operator/parallel -c 4

# Run with JUnit output
./cluster-authentication-operator-tests-ext run-suite openshift/cluster-authentication-operator/operator/parallel --junit-path "${ARTIFACT_DIR}/junit.xml"

# Run a specific test
./cluster-authentication-operator-tests-ext run-test "test-name"

Listing available tests and suites

# List all test suites
./cluster-authentication-operator-tests-ext list suites

# List tests in a suite
./cluster-authentication-operator-tests-ext list tests --suite=openshift/cluster-authentication-operator/operator/parallel

For more information about the OTE framework, see the openshift-tests-extension documentation.

About

OpenShift operator for the top level Authentication and OAuth configs.
