IBM Cloud Docs
Setting the OAuth access type for VPC clusters

Virtual Private Cloud

Review the following steps to set the exposure method for the OpenShift web console and OAuth. Note that these steps apply to Red Hat OpenShift on IBM Cloud clusters on VPC infrastructure with only the private service endpoint enabled.

Choose between the following options when setting the OpenShift console and OAuth exposure method.

Virtual Private Endpoint Gateway (vpe-gateway, vpegw)
This is the default access type for version 4.13. For more information, see Accessing VPC clusters through the VPE gateway.
Private Service Endpoint URL (legacy)
This is the default access type for cluster versions 4.12 and earlier and 4.14 and later. For more information, see Accessing clusters through the private cloud service endpoint.

Making the Virtual Private Endpoint Gateway for OAuth and console access the default behavior for all clusters is available on an allowlist basis. To request that your account be allowlisted, see Requesting access to allowlisted features.

Setting the OAuth access type for a cluster from the CLI

  1. Run the cluster master console-oauth-access set command to set the access type for your cluster.

    ibmcloud oc cluster master console-oauth-access set --cluster CLUSTER --type vpe-gateway|legacy
    
  2. Verify the access type.

    ibmcloud oc cluster master console-oauth-access get --cluster CLUSTER
    
  3. Review the output and verify the OAuth access type.

    • 4.13 clusters: If the value is empty, the vpe-gateway behavior is being used.
    • 4.14 clusters and later: If the value is empty, the legacy behavior is being used.

Getting the OAuth access type for a cluster from the CLI

  1. To view the access type for your cluster, run the cluster master console-oauth-access get command.

    ibmcloud oc cluster master console-oauth-access get --cluster CLUSTER
    
  2. Review the output and verify the OAuth access type.

    • 4.13 clusters: If the value is empty, the vpe-gateway behavior is being used.
    • 4.14 clusters and later: If the value is empty, the legacy behavior is being used.

Setting the OAuth access type for a cluster from the API

You can use the POST /network/v2/oauth-access-type/{idOrName}/set API to set the access type for your cluster.

  1. Access your Red Hat OpenShift cluster.

  2. Get the name or ID of your cluster. To list the clusters that you have access to, use the GET /v1/clusters API or run ibmcloud ks cluster ls.

  3. Generate an IAM token.

  4. Run the following request. Replace {idOrName} with the name or ID of your cluster.

    curl -X POST "https://containers.cloud.ibm.com/network/v2/oauth-access-type/{idOrName}/set" -H "accept: application/json" -H "Authorization: TOKEN" -H "X-Auth-Resource-Group: RESOURCE-GROUP" -H "Content-Type: application/json" -d "{ \"oauth_access_type\": \"string\"}"
    
    oauth-access-type
    vpegw: Specify vpegw to expose the OpenShift console and OAuth using the Virtual Private Endpoint gateway.
    legacy: Specify legacy to expose the OpenShift console and OAuth using the Private Service Endpoint URL.
  5. Review the output and verify the OAuth access type is set.

  6. After setting the access type, you must perform a cluster master refresh.

    ibmcloud oc cluster master refresh --cluster CLUSTER
    

Getting the OAuth access type for a cluster from the API

You can use the GET /network/v2/oauth-access-type/{idOrName} API to get the access type details for your cluster.

  1. Access your Red Hat OpenShift cluster.

  2. Get the name or ID of your cluster. To list the clusters that you have access to, use the GET /v1/clusters API or run ibmcloud ks cluster ls.

  3. Run the following request.

    curl -X GET "https://containers.cloud.ibm.com/global/network/v2/oauth-access-type/{idOrName}" -H "accept: application/json" -H "Authorization: TOKEN" -H "X-Auth-Resource-Group: RESOURCE-GROUP" -H "Content-Type: application/json"
    
  4. Review the output and verify the OAuth access type.

    • 4.13 clusters: If the value is empty, the vpegw behavior is being used.
    • 4.14 clusters and later: If the value is empty, the legacy behavior is being used.
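
Because an empty value means different things on different versions, a check across several clusters has to resolve the reported value against the cluster version before comparing it to the exposure method you expect. The following shell functions are an added example, not IBM's code; the function names, the `name version [value]` input layout and the sample inventory are assumptions, and an empty value on 4.12 and earlier is resolved to legacy per the defaults listed at the top of this page.

```shell
# Added example (not IBM code): resolve the effective console/OAuth exposure
# method from a cluster version and the value the get command or API reports.
# Prints "vpe-gateway" or "legacy"; returns 2 on unrecognized input.
effective_oauth_access_type() {
  local version="$1" reported="$2" major rest minor
  case "$reported" in
    vpe-gateway|vpegw) echo "vpe-gateway"; return 0 ;;  # CLI and API spellings
    legacy)            echo "legacy"; return 0 ;;
    "")                ;;                               # empty: use version default
    *) echo "unknown access type: $reported" >&2; return 2 ;;
  esac
  case "$version" in
    [0-9]*.[0-9]*) ;;
    *) echo "unparseable version: $version" >&2; return 2 ;;
  esac
  major="${version%%.*}"
  rest="${version#*.}"
  minor="${rest%%[!0-9]*}"   # keep the minor number, drop patch level and suffix
  case "$major" in *[!0-9]*) echo "unparseable version: $version" >&2; return 2 ;; esac
  # Only 4.13 defaults to the VPE gateway. Assumption: an empty value on
  # 4.12 and earlier resolves to legacy, matching the documented defaults.
  if [ "$major" -eq 4 ] && [ "$minor" -eq 13 ]; then
    echo "vpe-gateway"
  else
    echo "legacy"
  fi
}

# audit_inventory EXPECTED   (reads "name version [reported]" lines on stdin)
# Prints each cluster whose effective type differs from EXPECTED; returns 1 on drift.
audit_inventory() {
  local expected="$1" name version reported effective drift=0
  while read -r name version reported; do
    [ -n "$name" ] || continue
    effective="$(effective_oauth_access_type "$version" "$reported")" || { drift=1; continue; }
    if [ "$effective" != "$expected" ]; then
      echo "$name: effective=$effective expected=$expected"
      drift=1
    fi
  done
  return "$drift"
}

# Constructed sample inventory; cluster names and versions are made up.
audit_inventory vpe-gateway <<'EOF' || true
dev-a  4.13.5
prod-b 4.14.2
prod-c 4.14.2 vpegw
EOF
```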