OpenShift ROSA: Get the OIDC URL within the cluster

AWS Kubernetes OpenShift ROSA OIDC Identity provider

1 min read | by Jordi Prats

When running a ROSA cluster (OpenShift on AWS) we might need to get its OIDC identity provider URL, for example to configure STS (IRSA). We can read it directly from the cluster's Authentication object.

To do so we just need to run kubectl get on the Authentication object named cluster, as follows:

$ kubectl get authentication -o yaml
apiVersion: config.openshift.io/v1
kind: Authentication
metadata:
  name: cluster
  (...)
spec:
  oauthMetadata:
    name: ""
  serviceAccountIssuer: https://rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53
  type: ""
  webhookTokenAuthenticator:
    kubeConfig:
      name: webhook-authentication-integrated-oauth
status:
  integratedOAuthMetadata:
    name: oauth-openshift

We can also use a JSONPath expression to retrieve just the URL:

$ kubectl get authentication cluster -o jsonpath='{ .spec.serviceAccountIssuer }'
https://rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53
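The issuer URL is normally needed to build the IAM side of the trust: the OIDC identity provider ARN and the role trust policy that restricts sts:AssumeRoleWithWebIdentity to one service account. The POSIX shell script below is an added example, not part of the original post or of any Red Hat tooling. It takes the value printed by the jsonpath command above, checks that it has the shape IAM expects (https, no trailing slash, since the provider URL must match exactly), and derives the host/path form used in the oidc-provider ARN and in the condition keys. The AWS account id, namespace, service account name and the "openshift" audience are constructed placeholders and assumptions; adjust them to your cluster.

```shell
#!/bin/sh
# Added example (not from the original post). Derives the IAM trust values
# from the serviceAccountIssuer URL that
#   kubectl get authentication cluster -o jsonpath='{ .spec.serviceAccountIssuer }'
# prints. Account id, namespace, service account and audience are placeholders.

# Constructed sample: the issuer value shown in the post.
SAMPLE_ISSUER="https://rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53"

# Sanity check: IAM wants an https URL; a trailing slash would not match the
# provider registered in IAM and the role could never be assumed.
check_issuer() {
  case "$1" in
    https://*/) return 1 ;;
    https://*)  return 0 ;;
    *)          return 1 ;;
  esac
}

# Strip the scheme: the oidc-provider ARN and the condition keys use host/path only.
issuer_host_path() {
  printf '%s\n' "${1#https://}"
}

# ARN of the IAM OIDC identity provider that must exist for this issuer.
# Usage: oidc_provider_arn ISSUER ACCOUNT_ID
oidc_provider_arn() {
  printf 'arn:aws:iam::%s:oidc-provider/%s\n' "$2" "$(issuer_host_path "$1")"
}

# Trust policy that only lets the named service account assume the role.
# Usage: trust_policy ISSUER ACCOUNT_ID NAMESPACE SERVICE_ACCOUNT [AUDIENCE]
# The default audience "openshift" is an assumption; verify it against the
# tokens your cluster actually issues.
trust_policy() {
  issuer="$1"; account="$2"; ns="$3"; sa="$4"; aud="${5:-openshift}"
  check_issuer "$issuer" || { echo "invalid issuer: $issuer" >&2; return 1; }
  hp="$(issuer_host_path "$issuer")"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "$(oidc_provider_arn "$issuer" "$account")" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "${hp}:sub": "system:serviceaccount:${ns}:${sa}",
        "${hp}:aud": "${aud}"
      }
    }
  }]
}
EOF
}

# Stand-alone run with the constructed values.
trust_policy "$SAMPLE_ISSUER" 123456789012 my-namespace my-sa
```

Keying the condition on the full `sub` (namespace plus service account name) rather than only on the issuer is what stops any other workload in the cluster from assuming the role; the `check_issuer` step catches the common copy-paste mistake of a trailing slash before it turns into a confusing AssumeRoleWithWebIdentity failure.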

Posted on 20/10/2022