<!DOCTYPE html>
<html lang="en">
<head>
<!-- Sep 03, 2024 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>OpenShift</title>
<meta name="author" content="Vincent Demeester" />
<meta name="generator" content="Org Mode" />
<link rel='icon' type='image/x-icon' href='/images/favicon.ico'/>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel='stylesheet' href='/css/new.css' type='text/css'/>
<link rel='stylesheet' href='/css/syntax.css' type='text/css'/>
<link href='/index.xml' rel='alternate' type='application/rss+xml' title='Vincent Demeester' />
</head>
<body>
<main id="content" class="content">
<header>
<h1 class="title">OpenShift</h1>
</header><p>
It is primarily built by <a href="red_hat.html">Red Hat</a>.
</p>
<section id="outline-container-Projects%20around%20OpenShift" class="outline-2">
<h2 id="Projects%20around%20OpenShift">Projects around OpenShift</h2>
<div class="outline-text-2" id="text-Projects%20around%20OpenShift">
<ul class="org-ul">
<li><a href="openshift_pipeline.html">OpenShift Pipeline</a></li>
</ul>
</div>
</section>
<section id="outline-container-Provisioning" class="outline-2">
<h2 id="Provisioning">Provisioning</h2>
<div class="outline-text-2" id="text-Provisioning">
<p>
One of my goals is to have a local OpenShift cluster that I use daily; I really like the
idea of <a href="dogfooding.html">dogfooding</a>. There are multiple ways to provision OpenShift, but as we are going to
run it locally (because it costs less 🙃), we are going to try either <code>libvirt</code> with the
<a href="https://github.com/openshift/installer/">installer</a> <i>or</i> bare metal. Note that we can use the <i>bare metal</i> setup on libvirt
virtual machines that are managed outside of the OpenShift scope using the <a href="https://github.com/openshift/installer/blob/master/docs/user/metal/install_upi.md">User Provided
Infrastructure</a>. Let’s try this: <a href="openshift_on_vm_bare_metal.html">OpenShift on VM Bare metal</a>.
</p>

<p>
For OpenShift, I’ll stick with the usual <a href="red_hat.html">Red Hat</a> setup, aka using CentOS or RHEL 😉.
</p>
</div>
</section>
<section id="outline-container-Identity%20providers" class="outline-2">
<h2 id="Identity%20providers">Identity providers</h2>
<div class="outline-text-2" id="text-Identity%20providers">
<blockquote>
<p>
For users to interact with OpenShift Container Platform, they must first authenticate to
the cluster. The authentication layer identifies the user associated with requests to the
OpenShift Container Platform API. The authorization layer then uses information about the
requesting user to determine if the request is allowed.
</p>

<p>
[…]
</p>

<p>
The OpenShift Container Platform master includes a built-in OAuth server. Developers and
administrators obtain OAuth access tokens to authenticate themselves to the API.
</p>
</blockquote>

<p>
Identity providers are the way to create users in an OpenShift cluster. A bunch of them
exist, but we will only look at the following.
</p>

<div id="text-table-of-contents" role="doc-toc">
<ul>
<li><a href="#HTPasswd">HTPasswd</a></li>
<li><a href="#GitHub">GitHub</a></li>
<li><a href="#GitLab">GitLab</a></li>
</ul>
</div>
</div>
<div id="outline-container-HTPasswd" class="outline-3">
<h3 id="HTPasswd">HTPasswd</h3>
<div class="outline-text-3" id="text-HTPasswd">
</div>
<div id="outline-container-create" class="outline-4">
<h4 id="create">create</h4>
<div class="outline-text-4" id="text-create">
<blockquote>
<p>
Configure the htpasswd identity provider to validate user names and passwords against a
flat file generated using htpasswd.
</p>
</blockquote>

<ul class="org-ul">
<li><p>
Create or update your flat file with a user name and hashed password:
</p>
<div class="org-src-container">
<pre class="src src-bash"># -c creates the file, -B hashes with bcrypt, -b takes the password from the command line (visible in shell history and the process list)
$ htpasswd -c -B -b &lt;/path/to/users.htpasswd&gt; &lt;user_name&gt; &lt;password&gt;
</pre>
</div></li>

<li><p>
Create the htpasswd secret:
</p>
<div class="org-src-container">
<pre class="src src-bash">$ oc create secret generic htpass-secret --from-file=htpasswd=&lt;/path/to/users.htpasswd&gt; -n openshift-config
</pre>
</div></li>

<li><p>
Create an HTPasswd CR:
</p>
<div class="org-src-container">
<pre class="src src-yaml">apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
</pre>
</div></li>
</ul>
</div>
</div>
<div id="outline-container-update" class="outline-4">
<h4 id="update">update</h4>
<div class="outline-text-4" id="text-update">
<p>
In order to update the users of an htpasswd identity provider:
</p>

<ul class="org-ul">
<li><p>
Get the secret content:
</p>
<div class="org-src-container">
<pre class="src src-bash">$ oc get secret htpass-secret -o jsonpath='{.data.htpasswd}' -n openshift-config | base64 -d &gt; users.htpasswd
</pre>
</div></li>
<li><p>
Add or remove a user:
</p>
<div class="org-src-container">
<pre class="src src-bash"># Add
$ htpasswd -bB users.htpasswd &lt;username&gt; &lt;password&gt;
# Remove
$ htpasswd -D users.htpasswd &lt;username&gt;
</pre>
</div></li>
<li><p>
Replace the <code>htpass-secret</code>:
</p>
<div class="org-src-container">
<pre class="src src-bash"># --dry-run=client renders the secret locally; the bare --dry-run form is deprecated
$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
</pre>
</div></li>
<li><p>
<i>Note:</i> If you removed one or more users, you must additionally remove existing resources
for each user.
</p>
<div class="org-src-container">
<pre class="src src-bash"># Delete the user
$ oc delete user &lt;username&gt;
# Delete the user identity
$ oc delete identity my_htpasswd_provider:&lt;username&gt;
</pre>
</div></li>
</ul>
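<p>
An added example, not part of the original notes or of OpenShift: before the downloaded <code>users.htpasswd</code> is uploaded again as <code>htpass-secret</code>, this script checks that every entry was hashed with bcrypt (the <code>-B</code> option used above) and reports duplicate or malformed lines. The function names and the sample file are constructed for illustration, and the hashes in the sample are placeholders.
</p>

```shell
#!/bin/sh
# Map a hash field to its scheme using the standard htpasswd prefixes.
hash_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo md5-apr1 ;;
        '{SHA}'*)                echo sha1 ;;
        '$5$'*)                  echo sha256-crypt ;;
        '$6$'*)                  echo sha512-crypt ;;
        '')                      echo empty ;;
        *)                       echo crypt-or-plaintext ;;
    esac
}

# Read an htpasswd file on stdin; print one "<user> <finding>" line per
# problem and return 1 if anything was found.
audit_htpasswd() {
    rc=0 seen=' '
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;    # blank line or comment
            *:*) ;;                 # looks like user:hash
            *) printf '%s malformed\n' "$line"; rc=1; continue ;;
        esac
        user=${line%%:*} hash=${line#*:}
        case "$seen" in
            *" $user "*) printf '%s duplicate\n' "$user"; rc=1 ;;
        esac
        seen="$seen$user "
        scheme=$(hash_scheme "$hash")
        [ "$scheme" = bcrypt ] || { printf '%s %s\n' "$user" "$scheme"; rc=1; }
    done
    return "$rc"
}

# Constructed sample input: users and hashes are placeholders, not real credentials.
sample_htpasswd() {
    cat <<'EOF'
# constructed sample
alice:$2y$05$CONSTRUCTEDplaceholderCONSTRUCTEDplaceholder0000000000
bob:$apr1$CONSTRUC$placeholder0000000000
carol:{SHA}Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
bob:$2y$05$CONSTRUCTEDplaceholderCONSTRUCTEDplaceholder1111111111
dave
EOF
}

sample_htpasswd | audit_htpasswd || echo "fix the entries above before replacing htpass-secret"
```

<p>
To audit the live secret, pipe the decoded value in: <code>oc get secret htpass-secret -o jsonpath='{.data.htpasswd}' -n openshift-config | base64 -d | audit_htpasswd</code>.
</p>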
</div>
</div>
</div>
<div id="outline-container-GitHub" class="outline-3">
<h3 id="GitHub">GitHub</h3>
<div class="outline-text-3" id="text-GitHub">
<blockquote>
<p>
Configure a github identity provider to validate user names and passwords against GitHub
or GitHub Enterprise’s OAuth authentication server.
</p>
</blockquote>

<p>
See <a href="https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-github-identity-provider.html">Configuring a GitHub or GitHub Enterprise identity provider - Configuring identity providers | Authentication and authorization | OpenShift Container Platform 4.5</a>.
</p>
</div>
</div>
<div id="outline-container-GitLab" class="outline-3">
<h3 id="GitLab">GitLab</h3>
<div class="outline-text-3" id="text-GitLab">
<blockquote>
<p>
Configure a gitlab identity provider to use GitLab.com or any other GitLab instance as an
identity provider.
</p>
</blockquote>

<p>
See <a href="https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-gitlab-identity-provider.html#configuring-gitlab-identity-provider">Configuring a GitLab identity provider - Configuring identity providers | Authentication and authorization | OpenShift Container Platform 4.5</a>.
</p>
</div>
</div>
</section>
</main>
<footer id="postamble" class="status">
<footer>
 <small><a href="/" rel="history">Index</a> • <a href="/sitemap.html">Sitemap</a> • <a href="https://dl.sbr.pm/">Files</a></small><br/>
 <small class='questions'>Questions, comments? Please use my <a href="https://lists.sr.ht/~vdemeester/public-inbox">public inbox</a> by sending a plain-text email to <a href="mailto:~vdemeester/public-inbox@lists.sr.ht">~vdemeester/public-inbox@lists.sr.ht</a>.</small><br/>
 <small class='copyright'>
 Content and design by Vincent Demeester
 (<a rel='licence' href='http://creativecommons.org/licenses/by-nc-sa/3.0/'>Some rights reserved</a>)
 </small><br />
</footer>
</footer>
</body>
</html>