OpenShift
It is primarily built by Red Hat.
Projects around OpenShift
Provisioning
One of my goals is to have a local OpenShift cluster that I use daily; I really like the idea of dogfooding. There are multiple ways to provision OpenShift, but as we are going to run it locally (because it costs less 🙃), we are going to try using libvirt and the installer, or bare metal. Note that we can use the bare metal setup on libvirt virtual machines that are managed outside of the OpenShift scope using User Provided Infrastructure. Let's try this: OpenShift on VM Bare metal.
For OpenShift, I'll stick with the usual Red Hat setup, aka using CentOS or RHEL 😉.
Identity providers
For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed.
[…]
The OpenShift Container Platform master includes a built-in OAuth server. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API.
Identity providers are the way to create users in an OpenShift cluster. Several exist, but we will only look at the following.
HTPasswd
create
Configure the htpasswd identity provider to validate user names and passwords against a flat file generated using htpasswd.
Create or update your flat file with a user name and hashed password:
$ htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
Create the htpasswd secret
$ oc create secret generic htpass-secret --from-file=htpasswd=</path/to/users.htpasswd> -n openshift-config
Create an HTPasswd CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
update
In order to update the users of an htpasswd identity provider:
Get the secret content
$ oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 -d > users.htpasswd
Add or remove a user
# Add
$ htpasswd -bB users.htpasswd <username> <password>
# Remove
$ htpasswd -D users.htpasswd <username>
Replace the htpass-secret
$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run -o yaml -n openshift-config | oc replace -f -
Note: If you removed one or more users, you must additionally remove existing resources for each user.
# Delete the user
$ oc delete user <username>
# Delete the user identity
$ oc delete identity my_htpasswd_provider:<username>
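The clean-up of removed users is easy to miss, so here is an added example (not part of the original page) that compares the htpasswd file fetched from the secret with the edited one, prints the oc delete commands for each removed user, and lists entries whose hash was not created with -B. The function names, sample users and hash strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: review helper for the htpasswd update procedure.
# It only prints commands for review; it never calls oc itself.

# Users present in the old file ($1) but absent from the new file ($2).
# pass=1/pass=2 operands keep this correct even when the new file is empty.
removed_users() {
    awk -F: 'pass == 1 { if ($1 != "") keep[$1] = 1; next }
             $1 != "" && !($1 in keep) { print $1 }' pass=1 "$2" pass=2 "$1"
}

# Users in file $1 whose hash is not bcrypt (htpasswd -B writes a $2y$ prefix;
# htpasswd without -B defaults to the weaker $apr1$ MD5 scheme).
non_bcrypt_users() {
    awk -F: '$1 != "" && $2 !~ /^\$2[aby]\$/ { print $1 }' "$1"
}

# Print the two clean-up commands from the page for every removed user.
# $1 = old file, $2 = new file, $3 = identity provider name from the OAuth CR.
cleanup_commands() {
    removed_users "$1" "$2" | while IFS= read -r user; do
        printf 'oc delete user %s\n' "$user"
        printf 'oc delete identity %s:%s\n' "$3" "$user"
    done
}

# Constructed sample data (hash values are placeholders, not real hashes).
sample_dir=$(mktemp -d)
cat > "$sample_dir/old.htpasswd" <<'EOF'
alice:$2y$05$CONSTRUCTEDHASHALICE
bob:$2y$05$CONSTRUCTEDHASHBOB
carol:$apr1$CONSTRUCTED$HASHCAROL
EOF
cat > "$sample_dir/new.htpasswd" <<'EOF'
alice:$2y$05$CONSTRUCTEDHASHALICE
carol:$apr1$CONSTRUCTED$HASHCAROL
dave:$2y$05$CONSTRUCTEDHASHDAVE
EOF

echo "Clean-up needed after replacing the secret:"
cleanup_commands "$sample_dir/old.htpasswd" "$sample_dir/new.htpasswd" my_htpasswd_provider
echo "Entries not hashed with -B (bcrypt):"
non_bcrypt_users "$sample_dir/new.htpasswd"
```

In real use, the old file is the one written by the oc get secret command above, saved under a different name before editing.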
GitHub
Configure a github identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server.
GitLab
Configure a gitlab identity provider to use GitLab.com or any other GitLab instance as an identity provider.