OKD 4 : Configure Identity Provider : HTPasswd2022/04/21 |
After building OKD 4 Cluster, only [kubeadmin] exists by default.
Configure Identity Provider for general users to use Cluster.
On this example, it shows to configure HTPasswd as an Identity Provider.
OKD 4 Cluster is based on the environment like follows. --------------+----------------+-----------------+-------------- |10.0.0.25 | |10.0.0.24 +-------------+-------------+ | +--------------+-------------+ | [mgr.okd4.srv.world] | | | [bootstrap.okd4.srv.world] | | Manager Node | | | Bootstrap Node | | DNS | | | | | Nginx | | | | +---------------------------+ | +----------------------------+ | --------------+----------------+-----------------+-------------- |10.0.0.40 | |10.0.0.41 +-------------+-------------+ | +--------------+-------------+ | [master-0.okd4.srv.world] | | | [master-1.okd4.srv.world] | | Control Plane#1 | | | Control Plane#2 | | | | | | | | | | | +---------------------------+ | +----------------------------+ | --------------+----------------+ |10.0.0.42 +-------------+-------------+ | [master-2.okd4.srv.world] | | Control Plane#3 | | | | | +---------------------------+ |
[1] | On Manager Node, add Identity Provider setting. |
[root@mgr ~]#
dnf -y install httpd-tools # add [serverworld] user to htpasswd file [root@mgr ~]# htpasswd -Bbc ~/okd4/auth/users.htpasswd serverworld userpassword Adding password for user serverworld # generate HTPasswd secret [root@mgr ~]# oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd -n openshift-config secret/htpass-secret created # create new apiVersion: config.openshift.io/v1 kind: OAuth metadata: name: cluster spec: identityProviders: - name: HTPasswdIdentityProvider mappingMethod: claim type: HTPasswd htpasswd: fileData: name: htpass-secret oc apply -f ~/okd4/auth/oauth.yaml Warning: resource oauths/cluster is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically. oauth.config.openshift.io/cluster configured |
[2] | To add new users, set like follows. |
# output current HTPasswd secret to a file [root@mgr ~]# oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ~/okd4/auth/users.htpasswd
# add new users to htpasswd file [root@mgr ~]# htpasswd -bB ~/okd4/auth/users.htpasswd centos userpassword Adding password for user centos [root@mgr ~]# htpasswd -bB ~/okd4/auth/users.htpasswd redhat userpassword Adding password for user redhat # update HTPasswd secret [root@mgr ~]# oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f - secret/htpass-secret replaced |
[3] | To remove users, set like follows. |
# output current HTPasswd secret to a file [root@mgr ~]# oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ~/okd4/auth/users.htpasswd
# remove users from htpasswd file [root@mgr ~]# htpasswd -D ~/okd4/auth/users.htpasswd centos Deleting password for user centos # update HTPasswd secret [root@mgr ~]# oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f - secret/htpass-secret replaced # remove target user resource [root@mgr ~]# oc delete user centos user.user.openshift.io "centos" deleted |
Sponsored Link |