OKD 4 : Configure Identity Provider : HTPasswd (2022/04/21)
After building an OKD 4 cluster, only the [kubeadmin] user exists by default.
Configure an Identity Provider so that ordinary users can log in to the cluster.
This example configures HTPasswd as the Identity Provider: user names and bcrypt password hashes are kept in an htpasswd file, the file is stored as a Secret in the [openshift-config] namespace, and the cluster OAuth server authenticates logins against it.
The OKD 4 cluster in this example consists of the following nodes.
  10.0.0.25  mgr.okd4.srv.world         Manager Node (DNS, Nginx)
  10.0.0.24  bootstrap.okd4.srv.world   Bootstrap Node
  10.0.0.40  master-0.okd4.srv.world    Control Plane#1
  10.0.0.41  master-1.okd4.srv.world    Control Plane#2
  10.0.0.42  master-2.okd4.srv.world    Control Plane#3
[1] On the Manager Node, add the Identity Provider setting.
[root@mgr ~]# dnf -y install httpd-tools
# add [serverworld] user to htpasswd file
# [-B] selects bcrypt (do not use the MD5/SHA1 defaults of older htpasswd), [-c] creates the file
# replace [userpassword] with a strong password; [-b] puts it on the command line, so it lands in shell history and the process list.
# Omit [-b] to be prompted for it instead.
[root@mgr ~]# htpasswd -Bbc ~/okd4/auth/users.htpasswd serverworld userpassword
Adding password for user serverworld
# generate HTPasswd secret in the [openshift-config] namespace
# the key name [htpasswd] in [--from-file=htpasswd=...] is required; the OAuth operator reads exactly that key
[root@mgr ~]# oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd -n openshift-config
secret/htpass-secret created
# create new [~/okd4/auth/oauth.yaml] with the following content
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: HTPasswdIdentityProvider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret

[root@mgr ~]# oc apply -f ~/okd4/auth/oauth.yaml
Warning: resource oauths/cluster is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
oauth.config.openshift.io/cluster configured
# the warning is expected: the [cluster] OAuth object was created by the installer, not by [oc apply], and the annotation is added on this first apply.
# The OAuth server pods in [openshift-authentication] are rolled out with the new configuration; once they are running, log in as the new user with [oc login -u serverworld] against the API endpoint.
# With [mappingMethod: claim] the User and Identity objects are created on the first successful login.
[2] To add new users, update the htpasswd file and replace the secret as follows.
# output current HTPasswd secret to a file
# always start from the live secret; editing a stale local copy and replacing the secret would drop users added since
[root@mgr ~]# oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ~/okd4/auth/users.htpasswd
# add new users to htpasswd file (no [-c] here, it would truncate the file)
[root@mgr ~]# htpasswd -bB ~/okd4/auth/users.htpasswd centos userpassword
Adding password for user centos
[root@mgr ~]# htpasswd -bB ~/okd4/auth/users.htpasswd redhat userpassword
Adding password for user redhat
# update HTPasswd secret
# [--dry-run=client -o yaml] only renders the manifest; [oc replace] swaps the data of the existing secret
[root@mgr ~]# oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
secret/htpass-secret replaced
[3] To remove users, update the htpasswd file, replace the secret, and then delete the user's cluster objects.
# output current HTPasswd secret to a file
[root@mgr ~]# oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ~/okd4/auth/users.htpasswd
# remove users from htpasswd file
[root@mgr ~]# htpasswd -D ~/okd4/auth/users.htpasswd centos
Deleting password for user centos
# update HTPasswd secret
[root@mgr ~]# oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -
secret/htpass-secret replaced
# removing the line only stops new logins; the User object (and any RoleBindings that name it) is not removed automatically
[root@mgr ~]# oc delete user centos
user.user.openshift.io "centos" deleted
# the matching Identity object also remains; it is named [<provider name>:<user name>] and can be listed with [oc get identity]
[root@mgr ~]# oc delete identity HTPasswdIdentityProvider:centos
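The round trip in steps [2] and [3] is: decode the secret, edit the htpasswd file, re-encode it. The added example below is not part of this page or of OKD; it reimplements that round trip offline in Python so the pieces can be inspected: it parses an htpasswd file, audits that every entry is a bcrypt hash (the page's [htpasswd -B]) rather than a legacy MD5/SHA1/crypt hash, removes a user the way [htpasswd -D] does, and builds the same Secret manifest that [oc create secret generic ... --dry-run=client] renders, with the file base64-encoded under [data.htpasswd]. The sample file content is constructed for the example; the bcrypt strings only have the layout of real hashes and do not correspond to any password, and the function names and the [min_cost] parameter are the example's own.

```python
import base64
import json

# Constructed sample htpasswd content for this example (not a real secret):
# the two bcrypt entries are made-up strings in "htpasswd -B" layout, the
# [legacy] entry is the APR1-MD5 form older htpasswd versions produce by default.
SAMPLE_HTPASSWD = (
    "serverworld:$2y$05$abcdefghijklmnopqrstuuAbCdEfGhIjKlMnOpQrStUvWxYz01234\n"
    "centos:$2y$05$abcdefghijklmnopqrstuu9876543210ZyXwVuTsRqPoNmLkJiHgF\n"
    "legacy:$apr1$saltsalt$0123456789abcdefghijk\n"
)


def parse_htpasswd(text):
    """Return {user: hash} from htpasswd text; blank lines skipped, malformed or duplicate entries rejected."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user or not pw_hash:
            raise ValueError(f"line {lineno}: expected user:hash")
        if user in entries:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        entries[user] = pw_hash
    return entries


def hash_algorithm(pw_hash):
    """Classify an htpasswd hash by its prefix."""
    if pw_hash.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if pw_hash.startswith("$apr1$"):
        return "apr1-md5"
    if pw_hash.startswith("{SHA}"):
        return "sha1"
    return "crypt-or-plain"


def audit_hashes(entries, min_cost=5):
    """List (user, problem) for entries that are not well-formed bcrypt with cost >= min_cost.

    htpasswd -B uses cost 5 unless -C is given, so the default threshold accepts
    the page's own commands; raise min_cost to enforce a stricter local policy.
    """
    problems = []
    for user, pw_hash in entries.items():
        algo = hash_algorithm(pw_hash)
        if algo != "bcrypt":
            problems.append((user, f"weak hash algorithm: {algo}"))
            continue
        parts = pw_hash.split("$")  # ['', '2y', '05', salt+digest]
        if len(parts) != 4 or len(pw_hash) != 60 or not parts[2].isdigit():
            problems.append((user, "malformed bcrypt hash"))
            continue
        cost = int(parts[2])
        if cost < min_cost:
            problems.append((user, f"bcrypt cost {cost} below {min_cost}"))
    return problems


def remove_user(text, user):
    """Drop one user's line, as htpasswd -D does; KeyError if the user is absent."""
    kept, found = [], False
    for raw in text.splitlines():
        if raw.partition(":")[0].strip() == user:
            found = True
            continue
        kept.append(raw)
    if not found:
        raise KeyError(user)
    return "".join(line + "\n" for line in kept)


def build_secret_manifest(text, name="htpass-secret", namespace="openshift-config"):
    """Render the Secret that `oc create secret generic NAME --from-file=htpasswd=FILE --dry-run=client` produces.

    The key under data must be exactly "htpasswd": that is the key the OAuth
    configuration's fileData reference expects.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"htpasswd": base64.b64encode(text.encode()).decode()},
    }


def decode_secret_manifest(manifest):
    """Inverse of build_secret_manifest: the `oc get secret ... | base64 --decode` step."""
    return base64.b64decode(manifest["data"]["htpasswd"]).decode()


if __name__ == "__main__":
    entries = parse_htpasswd(SAMPLE_HTPASSWD)
    for user, problem in audit_hashes(entries):
        print(f"{user}: {problem}")
    updated = remove_user(SAMPLE_HTPASSWD, "centos")
    # the JSON form is accepted by `oc replace -f -` just like the YAML form
    print(json.dumps(build_secret_manifest(updated), indent=2))
```

Run against a file decoded from the live secret, the audit is the check worth adding before [oc replace]: an entry that slipped in with a legacy hash still authenticates, and the only visible sign is its prefix.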