OpenShift OAuth templates

The upstream source for the login, errors, and providers HTML templates for OpenShift.

Development

1. Install Jekyll and run bundle install.
2. Install Yarn and run yarn install.
   • Note that certain dependencies require Node.js 20+. You can install n to switch between node versions.
3. Run yarn serve-jekyll
   • Note that yarn generate-styles will have to be run if there are new PatternFly classes added to the HTML.

Updating PatternFly

Github Pages only runs in safe mode, preventing the usage of symlinks, so PatternFly source must be manually copied to _includes.

1. Install Jekyll and run bundle install.
2. Install Yarn and run yarn install.
3. Run yarn upgrade @patternfly/patternfly.
4. Run yarn generate-styles.
5. Verify there are no regressions by running yarn serve-jekyll. Note that the CSS will not be automatically updated, so if you make changes to the HTML, you will need to run yarn generate-styles again.
6. Make manual changes to the generated CSS if needed.
7. Commit the changes.

Deployment

OKD

The default templates for OKD are built into the oauth server template.go files via the following method:

1. Copy the generated source in _site/okd/errors.html to the corresponding template at https://github.com/openshift/oauth-server/blob/master/pkg/server/errorpage/templates.go.
2. Copy the generated source in _site/okd/login.html to the corresponding template at https://github.com/openshift/oauth-server/blob/master/pkg/server/login/templates.go.
3. Copy the generated source in _site/okd/providers.html to the corresponding template at https://github.com/openshift/oauth-server/blob/master/pkg/server/selectprovider/templates.go.
4. Submit a pull request to https://github.com/openshift/oauth-server containing the copied changes.

To test the changes:

1. Create three key/value secrets in the openshift-config namespace with the following values:

   • Secret Name: error

     Key: errors.html

     Value: html from https://github.com/openshift/oauth-server/blob/<HASH>/pkg/server/errorpage/templates.go

   • Secret Name: login

     Key: login.html

     Value: html from https://github.com/openshift/oauth-server/blob/<HASH>/pkg/server/login/templates.go

   • Secret Name: provider

     Key: providers.html

     Value: html from https://github.com/openshift/oauth-server/blob/<HASH>/pkg/server/selectprovider/templates.go

2. Update spec in https://<HOSTNAME>/k8s/cluster/config.openshift.io~v1~OAuth/cluster/yaml with the following:

     templates:
       error:
           name: error
       login:
           name: login
       providerSelection:
           name: provider
   

3. Wait for new pods to be deployed at https://<HOSTNAME>/k8s/ns/openshift-authentication/pods

To undo the changes for testing:

1. Remove the changes from step 2 above at https://<HOSTNAME>/k8s/cluster/config.openshift.io~v1~OAuth/cluster/yaml.
2. Delete the secrets created in step 1 above.

Red Hat OpenShift

The RHO branded templates take advantage of the override mechanism by providing customized templates via secrets via the following method:

1. Copy the output from yarn generate-branding-secret to https://github.com/openshift/cluster-authentication-operator/blob/master/bindata/oauth-openshift/branding-secret.yaml.
2. Submit a pull request to https://github.com/openshift/cluster-authentication-operator containing the copied changes.

To test the changes:

1. Scale cluster-version-operator to zero pods in the web console by visiting https://<HOSTNAME>/k8s/ns/openshift-cluster-version/deployments/cluster-version-operator and using the pod donut controls to set pods to zero. Additionally, pause rollouts via Actions > Pause Rollouts.
2. Scale authentication-operator to zero pods in the web console by visiting https://<HOSTNAME>/k8s/ns/openshift-authentication-operator/deployments/authentication-operator and using the pod donut controls to set pods to zero.
3. Delete the existing branding secret:

   oc delete secret v4-0-config-system-ocp-branding-template -n openshift-authentication
   

4. Recreate the branding secret:

   oc create -f https://raw.githubusercontent.com/openshift/cluster-authentication-operator/<HASH>/bindata/oauth-openshift/branding-secret.yaml
   

5. Delete existing openshift-authentication pods so they are regenerated with the new branding secret:

   oc delete pods --all -n openshift-authentication
   

To undo the changes for testing:

1. Resume rollouts of cluster-version-operator in the web console by visiting https://<HOSTNAME>/k8s/ns/openshift-cluster-version/deployments/cluster-version-operator via Actions > Resume Rollouts and scale pods back to one using the pod donut controls.
2. Visit https://<HOSTNAME>/k8s/ns/openshift-authentication-operator/deployments/authentication-operator and use the pod donut controls to set pods to one.

Red Hat OpenShift Dedicated and Red Hat OpenShift Service on AWS (ROSA)

The OpenShift Dedicated and OpenShift Service on AWS branded templates also take advantage of the override mechanism. Note that the provider template has a special override for these brands: the kube:admin provider is hidden.

To update the templates used by OpenShift Dedicated and OpenShift Service on AWS, follow these steps:

1. Install Jekyll and run bundle install.
2. Install Yarn and run yarn install.
3. Run yarn build-jekyll to generate the HTML templates. The
4. You can find the templates for OpenShift Service on AWS and OpenShift Dedicated in the _site/rosa and _site/od directories respectively.
5. Follow the instructions on the managed-cluster-config repository for OpenShift Dedicated and OpenShift Service on AWS to update the templates.