I happened to test out ARO 4 with Azure Active Directory integration. The Azure documentation is good, but I had to change a few things while testing the steps. I am sharing my experience here and hope someone will find it useful.
Setting the requirements
Install or update Azure CLI
brew update && brew install azure-cli
Make sure you have permission to create resources in the resource group. I logged in as a global administrator when I was testing this.
Set up the environment variables
$ cat aro-env
LOCATION=centralus # the location of your cluster
RESOURCEGROUP=aro-rg # the name of the resource group where you want to create your cluster
CLUSTER=poc # the cluster ID of the ARO 4 cluster
$ source aro-env
Log in to Azure
Create a Resource Group
az group create \
--name $RESOURCEGROUP \
--location $LOCATION
Add DNS zone
If you don’t have a DNS zone already, you can use this step.
Log in to the Azure Portal
Type “DNS Zones” in the search box at the top and click on “DNS Zones”
Click “+Add” at the top
Select the newly created resource group
Enter your domain
Select the location
I am using a domain name outside of Azure. You will need to add the NS records from the overview page of the DNS zone to your domain.
Request a quota increase from the Azure portal. ARO requires a minimum of 40 cores.
Register Resource Provider
az account set --subscription <subscription-id>
az provider register -n Microsoft.RedHatOpenShift --wait
az provider register -n Microsoft.Compute --wait
az provider register -n Microsoft.Storage --wait
The information from the JSON output of the above command can be useful if you are not familiar with OpenShift 4. You can find your API server IP, API URL, OpenShift console URL and ingress IP. You will need the API and ingress IPs for the next step.
The clientSecret field refers to the secret (openid-client-secret-azuread) that you created in the previous step.
Alternatively, you can obtain the clientID and tenant ID from the Azure Portal.
Log in to the Azure Portal
Click Azure Active Directory
Click App registrations on the left menu
Click the All applications tab
Type the name of the application that you just created in the search box
Click onto the application (my application is poc-aro-auth)
Under Overview, the information is shown as “Application (client) ID” and “Directory (tenant) ID”, as in the image below.
Update OpenShift OAuth Configuration
oc apply -f openid.yaml
Log in to the OpenShift console via AAD
It will redirect you to the Azure login page
Tip #1: If you are getting an error, you can log in as kubeadmin and check the logs from the oauth-openshift pods in the openshift-authentication project.
Tip #2: If you create a new registered application to try again, make sure you clean up the leftover User and Identity objects.
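The pieces this post refers to but does not show, as an added example that is not part of the original post: creating the openid-client-secret-azuread secret, rendering the openid.yaml that `oc apply` consumes, the callback URL the app registration needs, and the cleanup from Tip #2. The client ID, tenant ID and apps domain are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The IDs below are placeholders;
# replace them with the values from your own app registration's Overview page.
set -eu
AAD_CLIENT_ID="${AAD_CLIENT_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
AAD_TENANT_ID="${AAD_TENANT_ID:-11111111-1111-1111-1111-111111111111}"  # placeholder
IDP_NAME="AAD"                              # identity provider name in the OAuth CR
SECRET_NAME="openid-client-secret-azuread"  # must match the secret created below

# Redirect URI to register on the AAD app; $1 = cluster apps domain, e.g. apps.example.com (assumed).
oauth_callback_url() {
  printf 'https://oauth-openshift.%s/oauth2callback/%s\n' "$1" "$IDP_NAME"
}

# Store the AAD client secret in openshift-config, where the OAuth operator reads it.
create_client_secret() {
  oc create secret generic "$SECRET_NAME" \
    --from-literal=clientSecret="$1" -n openshift-config
}

# Render the OAuth cluster resource that `oc apply -f openid.yaml` consumes.
render_oauth_cr() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ${IDP_NAME}
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: ${AAD_CLIENT_ID}
      clientSecret:
        name: ${SECRET_NAME}
      extraScopes: [email, profile]
      claims:
        preferredUsername: [email, upn]
        name: [name]
        email: [email]
      issuer: https://login.microsoftonline.com/${AAD_TENANT_ID}
EOF
}
# Tip #2: a re-created app registration leaves stale Identity/User objects behind.
cleanup_user() {
  oc delete identity "${IDP_NAME}:$1" --ignore-not-found  # $1 = the sub claim
  oc delete user "$2" --ignore-not-found                  # $2 = the OpenShift username
}
```

Run `render_oauth_cr > openid.yaml` before the `oc apply` step above; the clientSecret name in the file and the secret in openshift-config must match exactly.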