Objective: Configure the existing self-managed Azure HCP with external OIDC authentication pointing at Azure AD (Entra ID) and verify the cluster remains Available.
Cluster: brcox-sm-dev-hc — Issuer: https://login.microsoftonline.com/520cf09d-...73b09/v2.0
| Step | Check | Result | Evidence |
|---|---|---|---|
| 1 | OIDC client secret created in HCP namespace | PASS | Secret oidc-client-secret in clusters-brcox-sm-dev-hc |
| 2 | HostedCluster patched with authentication.type: OIDC | PASS | Patch accepted; initial attempt had wrong field name (url → issuerURL) |
| 3 | spec.configuration.authentication.type = OIDC | PASS | OIDC |
| 4 | Hosted cluster remains Available | PASS | Available=True |
```console
$ oc create secret generic oidc-client-secret \
    --from-literal=clientSecret='AHs8Q~...8faI7' \
    -n clusters
secret/oidc-client-secret created

$ oc patch hostedcluster brcox-sm-dev-hc -n clusters --type=merge -p '{
  "spec": {
    "configuration": {
      "authentication": {
        "type": "OIDC",
        "oidcProviders": [{
          "name": "azure-ad",
          "issuer": {
            "issuerURL": "https://login.microsoftonline.com/520cf09d-...73b09/v2.0",
            "audiences": ["d638131c-...dbc1"]
          },
          "oidcClients": [{
            "componentName": "console",
            "componentNamespace": "openshift-console",
            "clientID": "d638131c-...dbc1",
            "clientSecret": {"name": "oidc-client-secret"},
            "extraScopes": ["email", "profile"]
          }],
          "claimMappings": {
            "username": {"claim": "preferred_username", "prefixPolicy": "NoPrefix"},
            "groups": {"claim": "groups", "prefix": "aad:"},
            "uid": {"claim": "oid"}
          }
        }]
      }
    }
  }
}'
hostedcluster.hypershift.openshift.io/brcox-sm-dev-hc patched

$ oc get hostedcontrolplane brcox-sm-dev-hc -n clusters-brcox-sm-dev-hc \
    -o jsonpath='{.spec.configuration.authentication.type}'
OIDC

$ oc get hostedcluster brcox-sm-dev-hc -n clusters \
    -o jsonpath='{.spec.configuration.authentication.type}'
OIDC

$ oc get hostedcluster brcox-sm-dev-hc -n clusters \
    -o jsonpath='{.status.conditions[?(@.type=="Available")].status}'
True
```
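As an added pre-flight check (not part of the original report), the following Python linter validates a spec.configuration.authentication block before it is applied with `oc patch`, catching the url → issuerURL field-name mistake noted in step 2 as well as a clientID that is missing from issuer.audiences. The accepted field names are taken from the patch above, the prefixPolicy values and key sets are assumptions rather than the HyperShift CRD schema, and the tenant and client IDs are placeholders.

```python
import copy

# Field names accepted in each block, taken from the patch used in this report.
# These sets are an assumption for the linter, not the HyperShift CRD's own validation.
ISSUER_KEYS = {"issuerURL", "audiences"}
CLIENT_KEYS = {"componentName", "componentNamespace", "clientID", "clientSecret", "extraScopes"}
PREFIX_POLICIES = {"", "NoPrefix", "Prefix"}  # assumed allowed username.prefixPolicy values


def lint_auth(auth: dict) -> list[str]:
    """Return a list of problems found in a spec.configuration.authentication block."""
    problems = []
    if auth.get("type") != "OIDC":
        problems.append("type must be OIDC")
    providers = auth.get("oidcProviders") or []
    if not providers:
        problems.append("oidcProviders is empty")
    for p in providers:
        name = p.get("name", "<unnamed>")
        issuer = p.get("issuer", {})
        for key in sorted(set(issuer) - ISSUER_KEYS):
            problems.append(f"{name}: unknown issuer field {key!r} (did you mean issuerURL?)")
        if not issuer.get("issuerURL", "").startswith("https://"):
            problems.append(f"{name}: issuerURL must be an https URL")
        audiences = issuer.get("audiences") or []
        if not audiences:
            problems.append(f"{name}: issuer.audiences is empty")
        for c in p.get("oidcClients", []):
            for key in sorted(set(c) - CLIENT_KEYS):
                problems.append(f"{name}: unknown oidcClients field {key!r}")
            if c.get("clientID") not in audiences:  # token must be issued for this client
                problems.append(f"{name}: clientID {c.get('clientID')!r} not in issuer.audiences")
            if not c.get("clientSecret", {}).get("name"):
                problems.append(f"{name}: oidcClients entry lacks clientSecret.name")
        policy = p.get("claimMappings", {}).get("username", {}).get("prefixPolicy", "")
        if policy not in PREFIX_POLICIES:
            problems.append(f"{name}: unknown username.prefixPolicy {policy!r}")
    return problems


# Constructed sample mirroring the report's patch; TENANT-ID and CLIENT-ID are placeholders.
GOOD = {"type": "OIDC", "oidcProviders": [{
    "name": "azure-ad",
    "issuer": {"issuerURL": "https://login.microsoftonline.com/TENANT-ID/v2.0",
               "audiences": ["CLIENT-ID"]},
    "oidcClients": [{"componentName": "console", "componentNamespace": "openshift-console",
                     "clientID": "CLIENT-ID", "clientSecret": {"name": "oidc-client-secret"},
                     "extraScopes": ["email", "profile"]}],
    "claimMappings": {"username": {"claim": "preferred_username", "prefixPolicy": "NoPrefix"},
                      "groups": {"claim": "groups", "prefix": "aad:"}, "uid": {"claim": "oid"}}}]}

# The mistake the report describes: "url" used instead of "issuerURL".
BAD = copy.deepcopy(GOOD)
BAD["oidcProviders"][0]["issuer"]["url"] = BAD["oidcProviders"][0]["issuer"].pop("issuerURL")
```

Running `lint_auth(GOOD)` returns an empty list, while `lint_auth(BAD)` reports the unknown `url` field and the resulting missing issuerURL.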