openshift.html (7888B)
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Sep 03, 2024 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>OpenShift</title>
<meta name="author" content="Vincent Demeester" />
<meta name="generator" content="Org Mode" />
<link rel='icon' type='image/x-icon' href='/images/favicon.ico'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/css/new.css' type='text/css'/>
<link rel='stylesheet' href='/css/syntax.css' type='text/css'/>
<link href='/index.xml' rel='alternate' type='application/rss+xml' title='Vincent Demeester' />
</head>
<body>
<main id="content" class="content">
<header>
<h1 class="title">OpenShift</h1>
</header><p>
It is primarily built by <a href="red_hat.html">Red Hat</a>.
</p>
<section id="outline-container-Projects%20around%20OpenShift" class="outline-2">
<h2 id="Projects%20around%20OpenShift">Projects around OpenShift</h2>
<div class="outline-text-2" id="text-Projects%20around%20OpenShift">
<ul class="org-ul">
<li><a href="openshift_pipeline.html">OpenShift Pipeline</a></li>
</ul>
</div>
</section>
<section id="outline-container-Provisioning" class="outline-2">
<h2 id="Provisioning">Provisioning</h2>
<div class="outline-text-2" id="text-Provisioning">
<p>
One of my goals is to have a local OpenShift cluster that I use daily — I really like the
idea of <a href="dogfooding.html">dogfooding</a>. There are multiple ways to provision OpenShift, but as we are going to
run it locally (because it costs less 🙃), we are going to try using <code>libvirt</code> and the
<a href="https://github.com/openshift/installer/">installer</a> <i>or</i> on bare metal.
Note that we can use the <i>bare metal</i> setup on libvirt
virtual machines that are managed outside of the OpenShift scope using the <a href="https://github.com/openshift/installer/blob/master/docs/user/metal/install_upi.md">User Provided
Infrastructure</a>. Let’s try this: <a href="openshift_on_vm_bare_metal.html">OpenShift on VM Bare metal</a>.
</p>

<p>
For OpenShift, I’ll stick with the usual <a href="red_hat.html">Red Hat</a> setup, aka using CentOS or RHEL 😉.
</p>
</div>
</section>
<section id="outline-container-Identity%20providers" class="outline-2">
<h2 id="Identity%20providers">Identity providers</h2>
<div class="outline-text-2" id="text-Identity%20providers">
<blockquote>
<p>
For users to interact with OpenShift Container Platform, they must first authenticate to
the cluster. The authentication layer identifies the user associated with requests to the
OpenShift Container Platform API. The authorization layer then uses information about the
requesting user to determine if the request is allowed.
</p>

<p>
[…]
</p>

<p>
The OpenShift Container Platform master includes a built-in OAuth server. Developers and
administrators obtain OAuth access tokens to authenticate themselves to the API.
</p>
</blockquote>

<p>
Identity providers are the way to create users in an OpenShift cluster. There are a bunch
of them, but we will only look at the following.
72 </p> 73 74 <div id="text-table-of-contents" role="doc-toc"> 75 <ul> 76 <li><a href="#HTPasswd">HTPasswd</a></li> 77 <li><a href="#GitHub">GitHub</a></li> 78 <li><a href="#GitLab">GitLab</a></li> 79 </ul> 80 </div> 81 </div> 82 <div id="outline-container-HTPasswd" class="outline-3"> 83 <h3 id="HTPasswd">HTPasswd</h3> 84 <div class="outline-text-3" id="text-HTPasswd"> 85 </div> 86 <div id="outline-container-create" class="outline-4"> 87 <h4 id="create">create</h4> 88 <div class="outline-text-4" id="text-create"> 89 <blockquote> 90 <p> 91 Configure the htpasswd identity provider to validate user names and passwords against a 92 flat file generated using htpasswd. 93 </p> 94 </blockquote> 95 96 <ul class="org-ul"> 97 <li><p> 98 Create or update your flat file with a user name and hashed password: 99 </p> 100 <div class="org-src-container"> 101 <pre class="src src-bash">$ htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password> 102 </pre> 103 </div></li> 104 105 <li><p> 106 Create the htpasswd secret 107 </p> 108 <div class="org-src-container"> 109 <pre class="src src-bash">$ oc create secret generic htpass-secret --from-file=htpasswd=</path/to/users.htpasswd> -n openshift-config 110 </pre> 111 </div></li> 112 113 <li><p> 114 Create an HTPasswd CR 115 </p> 116 <div class="org-src-container"> 117 <pre class="src src-yaml">apiVersion: config.openshift.io/v1 118 kind: OAuth 119 metadata: 120 name: cluster 121 spec: 122 identityProviders: 123 - name: my_htpasswd_provider 124 mappingMethod: claim 125 type: HTPasswd 126 htpasswd: 127 fileData: 128 name: htpass-secret 129 </pre> 130 </div></li> 131 </ul> 132 </div> 133 </div> 134 <div id="outline-container-update" class="outline-4"> 135 <h4 id="update">update</h4> 136 <div class="outline-text-4" id="text-update"> 137 <p> 138 In order to update the users of an htpasswd identity provider: 139 </p> 140 141 <ul class="org-ul"> 142 <li><p> 143 Get the secret content 144 </p> 145 <div class="org-src-container"> 146 <pre 
class="src src-bash">$ oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 -d > users.htpasswd 147 </pre> 148 </div></li> 149 <li><p> 150 Add or remove a user 151 </p> 152 <div class="org-src-container"> 153 <pre class="src src-bash"># Add 154 $ htpasswd -bB users.htpasswd <username> <password> 155 # Remove 156 $ htpasswd -D users.htpasswd <username> 157 </pre> 158 </div></li> 159 <li><p> 160 Replace the <code>htpass-secret</code> 161 </p> 162 <div class="org-src-container"> 163 <pre class="src src-bash">$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run -o yaml -n openshift-config | oc replace -f - 164 </pre> 165 </div></li> 166 <li><p> 167 <i>note:</i> If you removed one or more users, you must additionally remove existing resources 168 for each user. 169 </p> 170 <div class="org-src-container"> 171 <pre class="src src-bash"># Delete the user 172 $ oc delete user <username> 173 # Delete the user identity 174 $ oc delete identity my_htpasswd_provider:<username> 175 </pre> 176 </div></li> 177 </ul> 178 </div> 179 </div> 180 </div> 181 <div id="outline-container-GitHub" class="outline-3"> 182 <h3 id="GitHub">GitHub</h3> 183 <div class="outline-text-3" id="text-GitHub"> 184 <blockquote> 185 <p> 186 Configure a github identity provider to validate user names and passwords against GitHub 187 or GitHub Enterprise’s OAuth authentication server. 188 </p> 189 </blockquote> 190 191 <p> 192 See <a href="https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-github-identity-provider.html">Configuring a GitHub or GitHub Enterprise identity provider - Configuring identity providers | Authentication and authorization | OpenShift Container Platform 4.5</a>. 
</p>
</div>
</div>
<div id="outline-container-GitLab" class="outline-3">
<h3 id="GitLab">GitLab</h3>
<div class="outline-text-3" id="text-GitLab">
<blockquote>
<p>
Configure a gitlab identity provider to use GitLab.com or any other GitLab instance as an
identity provider.
</p>
</blockquote>

<p>
See <a href="https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-gitlab-identity-provider.html#configuring-gitlab-identity-provider">Configuring a GitLab identity provider - Configuring identity providers | Authentication and authorization | OpenShift Container Platform 4.5</a>.
</p>
</div>
</div>
</section>
</main>
<footer id="postamble" class="status">
<footer>
<small><a href="/" rel="history">Index</a> • <a href="/sitemap.html">Sitemap</a> • <a href="https://dl.sbr.pm/">Files</a></small><br/>
<small class='questions'>Questions, comments? Please use my <a href="https://lists.sr.ht/~vdemeester/public-inbox">public inbox</a> by sending a plain-text email to <a href="mailto:~vdemeester/public-inbox@lists.sr.ht">~vdemeester/public-inbox@lists.sr.ht</a>.</small><br/>
<small class='copyright'>
Content and design by Vincent Demeester
(<a rel='licence' href='http://creativecommons.org/licenses/by-nc-sa/3.0/'>Some rights reserved</a>)
</small><br />
</footer>
</footer>
</body>
</html>