www

My personal website(s)

openshift.html (7888B)


<!DOCTYPE html>
<html lang="en">
<head>
<!-- Sep 03, 2024 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>OpenShift</title>
<meta name="author" content="Vincent Demeester" />
<meta name="generator" content="Org Mode" />
<link rel='icon' type='image/x-icon' href='/images/favicon.ico'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/css/new.css' type='text/css'/>
<link rel='stylesheet' href='/css/syntax.css' type='text/css'/>
<link href='/index.xml' rel='alternate' type='application/rss+xml' title='Vincent Demeester' />
</head>
<body>
<main id="content" class="content">
<header>
<h1 class="title">OpenShift</h1>
</header><p>
It is primarily built by <a href="red_hat.html">Red Hat</a>.
</p>
<section id="outline-container-Projects%20around%20OpenShift" class="outline-2">
<h2 id="Projects%20around%20OpenShift">Projects around OpenShift</h2>
<div class="outline-text-2" id="text-Projects%20around%20OpenShift">
<ul class="org-ul">
<li><a href="openshift_pipeline.html">OpenShift Pipeline</a></li>
</ul>
</div>
</section>
<section id="outline-container-Provisioning" class="outline-2">
<h2 id="Provisioning">Provisioning</h2>
<div class="outline-text-2" id="text-Provisioning">
<p>
One of my goals is to have a local OpenShift cluster that I use daily — I really like the
idea of <a href="dogfooding.html">dogfooding</a>. There are multiple ways to provision OpenShift, but as we are going to
run it locally (because it costs less 🙃), we are going to try using <code>libvirt</code> and the
<a href="https://github.com/openshift/installer/">installer</a> <i>or</i> bare metal. Note that we can use the <i>bare metal</i> setup on libvirt
virtual machines that are managed outside of the OpenShift scope using the <a href="https://github.com/openshift/installer/blob/master/docs/user/metal/install_upi.md">User Provided
Infrastructure</a>. Let&rsquo;s try this: <a href="openshift_on_vm_bare_metal.html">OpenShift on VM Bare metal</a>.
</p>

<p>
For OpenShift, I&rsquo;ll stick with the usual <a href="red_hat.html">Red Hat</a> setup, aka CentOS or RHEL 😉.
</p>
</div>
</section>
<section id="outline-container-Identity%20providers" class="outline-2">
<h2 id="Identity%20providers">Identity providers</h2>
<div class="outline-text-2" id="text-Identity%20providers">
<blockquote>
<p>
For users to interact with OpenShift Container Platform, they must first authenticate to
the cluster. The authentication layer identifies the user associated with requests to the
OpenShift Container Platform API. The authorization layer then uses information about the
requesting user to determine if the request is allowed.
</p>

<p>
[…]
</p>

<p>
The OpenShift Container Platform master includes a built-in OAuth server. Developers and
administrators obtain OAuth access tokens to authenticate themselves to the API.
</p>
</blockquote>

<p>
Identity providers are the way to create users in an OpenShift cluster. Several exist,
but we will only look at the following.
</p>

<div id="text-table-of-contents" role="doc-toc">
<ul>
<li><a href="#HTPasswd">HTPasswd</a></li>
<li><a href="#GitHub">GitHub</a></li>
<li><a href="#GitLab">GitLab</a></li>
</ul>
</div>
</div>
<div id="outline-container-HTPasswd" class="outline-3">
<h3 id="HTPasswd">HTPasswd</h3>
<div class="outline-text-3" id="text-HTPasswd">
</div>
<div id="outline-container-create" class="outline-4">
<h4 id="create">create</h4>
<div class="outline-text-4" id="text-create">
<blockquote>
<p>
Configure the htpasswd identity provider to validate user names and passwords against a
flat file generated using htpasswd.
</p>
</blockquote>

<ul class="org-ul">
<li><p>
Create or update your flat file with a user name and hashed password:
</p>
<div class="org-src-container">
<pre class="src src-bash"># -c creates (or truncates) the file; -B hashes with bcrypt; -b takes the password from the command line
$ htpasswd -c -B -b &lt;/path/to/users.htpasswd&gt; &lt;user_name&gt; &lt;password&gt;
</pre>
</div></li>

<li><p>
Create the htpasswd secret
</p>
<div class="org-src-container">
<pre class="src src-bash">$ oc create secret generic htpass-secret --from-file=htpasswd=&lt;/path/to/users.htpasswd&gt; -n openshift-config
</pre>
</div></li>

<li><p>
Create an HTPasswd CR
</p>
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
</pre>
</div></li>
</ul>
</div>
</div>
<div id="outline-container-update" class="outline-4">
<h4 id="update">update</h4>
<div class="outline-text-4" id="text-update">
<p>
In order to update the users of an htpasswd identity provider:
</p>

<ul class="org-ul">
<li><p>
Get the secret content
</p>
<div class="org-src-container">
<pre class="src src-bash">$ oc get secret htpass-secret -o jsonpath='{.data.htpasswd}' -n openshift-config | base64 -d &gt; users.htpasswd
</pre>
</div></li>
<li><p>
Add or remove a user
</p>
<div class="org-src-container">
<pre class="src src-bash"># Add
$ htpasswd -bB users.htpasswd &lt;username&gt; &lt;password&gt;
# Remove
$ htpasswd -D users.htpasswd &lt;username&gt;
</pre>
</div></li>
<li><p>
Replace the <code>htpass-secret</code>
</p>
<div class="org-src-container">
<pre class="src src-bash">$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
</pre>
</div></li>
<li><p>
<i>Note:</i> If you removed one or more users, you must additionally remove existing resources
for each user.
</p>
<div class="org-src-container">
<pre class="src src-bash"># Delete the user
$ oc delete user &lt;username&gt;
# Delete the user identity
$ oc delete identity my_htpasswd_provider:&lt;username&gt;
</pre>
</div></li>
</ul>
</div>
</div>
</div>
<div id="outline-container-GitHub" class="outline-3">
<h3 id="GitHub">GitHub</h3>
<div class="outline-text-3" id="text-GitHub">
<blockquote>
<p>
Configure a github identity provider to validate user names and passwords against GitHub
or GitHub Enterprise’s OAuth authentication server.
</p>
</blockquote>

<p>
See <a href="https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-github-identity-provider.html">Configuring a GitHub or GitHub Enterprise identity provider - Configuring identity providers | Authentication and authorization | OpenShift Container Platform 4.5</a>.
</p>
</div>
</div>
<div id="outline-container-GitLab" class="outline-3">
<h3 id="GitLab">GitLab</h3>
<div class="outline-text-3" id="text-GitLab">
<blockquote>
<p>
Configure a gitlab identity provider to use GitLab.com or any other GitLab instance as an
identity provider.
</p>
</blockquote>

<p>
See <a href="https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-gitlab-identity-provider.html#configuring-gitlab-identity-provider">Configuring a GitLab identity provider - Configuring identity providers | Authentication and authorization | OpenShift Container Platform 4.5</a>.
</p>
</div>
</div>
</section>
</main>
<footer id="postamble" class="status">
<footer>
     <small><a href="/" rel="history">Index</a> • <a href="/sitemap.html">Sitemap</a> • <a href="https://dl.sbr.pm/">Files</a></small><br/>
     <small class='questions'>Questions, comments ? Please use my <a href="https://lists.sr.ht/~vdemeester/public-inbox">public inbox</a> by sending a plain-text email to <a href="mailto:~vdemeester/public-inbox@lists.sr.ht">~vdemeester/public-inbox@lists.sr.ht</a>.</small><br/>
     <small class='copyright'>
      Content and design by Vincent Demeester
      (<a rel='licence' href='http://creativecommons.org/licenses/by-nc-sa/3.0/'>Some rights reserved</a>)
    </small><br />
</footer>
</footer>
</body>
</html>
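
Added example, not part of the original page or of the OpenShift project: the HTPasswd "update" procedure in the page pulls the existing flat file out of `htpass-secret`, so any entry created earlier without `-B` (htpasswd then defaults to MD5 `apr1`) is carried along into the replaced secret. This shell function audits `users.htpasswd` for non-bcrypt hashes, duplicate users and malformed lines before the `oc replace` step; `audit_htpasswd`, `sample_htpasswd` and `run_audit` are hypothetical names and every hash in the sample is a constructed string.

```shell
#!/bin/sh
# Added example (not from the original page): audit an htpasswd flat file
# before it is loaded into the htpass-secret secret.
# Prints one finding per line as "<kind>:<user>"; returns 1 if any were found.
audit_htpasswd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }                      # blank lines, comments
        NF < 2 || $1 == "" || $2 == "" { print "malformed:" $1; bad = 1; next }
        seen[$1]++ { print "duplicate:" $1; bad = 1 }    # same user listed twice
        # bcrypt as written by "htpasswd -B": $2y$<cost>$ + 53 chars = 60 chars
        !(length($2) == 60 && $2 ~ /^\$2[aby]\$[0-9][0-9]\$/) {
            kind = "other"
            if (substr($2, 1, 6) == "$apr1$") kind = "md5-apr1"
            else if (substr($2, 1, 5) == "{SHA}") kind = "sha1"
            print "weak-hash(" kind "):" $1; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: made-up strings of the right shape, not real credentials.
sample_htpasswd() {
    cat <<'EOF'
alice:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:$apr1$Zs8Kq1xA$0123456789abcdefghijk.
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
bob:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
dave:
EOF
}

# Audit the file given as $1, or the constructed sample when no file is given.
run_audit() {
    if [ -n "${1:-}" ]; then audit_htpasswd "$1"; return; fi
    tmp=$(mktemp) && sample_htpasswd > "$tmp"
    rc=0
    audit_htpasswd "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

run_audit "$@" || echo "findings above: re-hash with 'htpasswd -B' before 'oc replace'"
```

Run it as `sh audit.sh users.htpasswd` between the "Add or remove a user" and "Replace the htpass-secret" steps, and delete the local `users.htpasswd` copy once the secret has been replaced.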