OCPBUGS979 Implementing BYOB OIDC Keys

_topic_maps/_topic_map.yml

@@ -1286,6 +1286,8 @@ Topics:
     File: configuring-google-identity-provider
   - Name: Configuring an OpenID Connect identity provider
     File: configuring-oidc-identity-provider
+  - Name: Implementing Bring Your Own OIDC Keys
+    File: implementing-byo-oidc-keys
 - Name: Using RBAC to define and apply permissions
   File: using-rbac
 - Name: Removing the kubeadmin user

authentication/identity_providers/implementing-byo-oidc-keys.adoc

@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="implementing-byo-oidc-keys"]
+= Implementing Bring Your Own OIDC Keys
+:context: implementing-byo-oidc-keys
+
+toc::[]
+
+Integrating OpenShift with an external identity provider using OpenID Connect (OIDC) can significantly enhance your security and streamline user authentication across platforms. The "Bring Your Own OIDC Keys" feature in [{roduct-title}] allows you to inject your own service account signing key and specify the serviceAccountIssuer, enabling a seamless setup with any identity provider that supports the OIDC Discovery mechanism.
+
+include::modules/using-byo-oidc-keys.adoc[leveloffset=+1]

networking/networking_operators/aws_load_balancer_operator/using-byo-oidc-keys.adoc

@@ -0,0 +1,83 @@
+// Module included in the following assemblies:
+//
+// * networking/networking_operators/implementing-byo-oidc-keys.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="using-byo-oidc-keys_{context}"]
+= Implementing Bring Your Own OIDC Keys
+
+The following procedure describes how to implement the Bring Your Own OIDC Key feature in {product-title}. Ensure your environment meets the following prerequisites before starting the procedure.
+
+.Prerequisites
+
+* Access to the OpenShift cluster with necessary administrative privileges.
+* The `ccoctl` tool installed.
+* The AWS STS environment setup if using AWS for the installation.
+
+.Procedure
+
+. Generate Service Account Signing Key:
+
+Use the following command to generate a service account signing key:
+
+[source,terminal]
+----
+$ openssl genpkey -algorithm RSA -out service-account-signing-key.pem -pkeyopt rsa_keygen_bits:2048
+----
+
+. Create Secret for Signing Key:
+
+Create a secret in the OpenShift cluster to store the signing key:
+[source,terminal]
+----
+$ oc create secret generic service-account-signing-key-secret --from-file=service-account-signing-key.pem -n openshift-config
+----
+
+. Update Authentication Configuration:
+
+Modify the `Authentication` custom resource to reference the new service account issuer and signing key:
+[source,yaml]
+----
+   apiVersion: config.openshift.io/v1
+   kind: Authentication
+   metadata:
+     name: cluster
+   spec:
+     serviceAccountIssuer: "https://issuer.example.com"
+     serviceAccountPublicKeys:
+       - name: "service-account-signing-key.pem"
+         key: |
+           -----BEGIN PUBLIC KEY-----
+           YOUR_PUBLIC_KEY_HERE
+           -----END PUBLIC KEY-----
+----
+
+. Patch the Cluster Authentication Operator:
+
+Apply the patch to the cluster authentication operator to include the new configuration:
+
+[source,terminal]
+----
+$ oc patch authentication.operator.openshift.io/cluster --type=merge --patch '{
+     "spec": {
+       "serviceAccountIssuer": "https://issuer.example.com",
+       "serviceAccountPublicKeys": [{
+         "name": "service-account-signing-key.pem",
+         "key": "-----BEGIN PUBLIC KEY-----\nYOUR_PUBLIC_KEY_HERE\n-----END PUBLIC KEY-----"
+       }]
+     }
+   }'
+----
+
+. Validate the Configuration:
+
+Ensure the new configuration is applied successfully:
+
+[source,terminal]
+----
+$ oc get authentication.operator.openshift.io/cluster -o yaml
+----
+
+. Set Up OIDC Integration:
+
+Configure your identity provider to use the new OIDC setup. Follow your identity provider's documentation on integrating with OpenID Connect.