CentOS Stream 9

OKD 4 : Configure Identity Provider : HTPasswd
2022/08/02
 
After building an OKD 4 cluster, only the [kubeadmin] user exists by default.
Configure an Identity Provider so that general users can log in to the cluster.
This example shows how to configure HTPasswd as an Identity Provider: the htpasswd file is stored in a Secret in the [openshift-config] namespace, and logins are checked against the password hashes in that file.
The OKD 4 cluster in this example is built on the following environment.
--------------+----------------+-----------------+--------------
              |10.0.0.25       |                 |10.0.0.24
+-------------+-------------+  |  +--------------+-------------+
|   [mgr.okd4.srv.world]    |  |  | [bootstrap.okd4.srv.world] |
|        Manager Node       |  |  |       Bootstrap Node       |
|           DNS             |  |  |                            |
|          Nginx            |  |  |                            |
+---------------------------+  |  +----------------------------+
                               |
--------------+----------------+-----------------+--------------
              |10.0.0.40       |                 |10.0.0.41
+-------------+-------------+  |  +--------------+-------------+
| [master-0.okd4.srv.world] |  |  |  [master-1.okd4.srv.world] |
|      Control Plane#1      |  |  |      Control Plane#2       | 
|                           |  |  |                            |
|                           |  |  |                            |
+---------------------------+  |  +----------------------------+
                               |
--------------+----------------+
              |10.0.0.42
+-------------+-------------+
| [master-2.okd4.srv.world] |
|      Control Plane#3      |
|                           |
|                           |
+---------------------------+

[1] On the Manager Node, add the Identity Provider setting. [-B] stores bcrypt hashes, which is the recommended format. Note that a password given with [-b] appears on the command line (shell history, process listing); omit [-b] to be prompted for it interactively instead.
[root@mgr ~]#
dnf -y install httpd-tools
# add [serverworld] user to the htpasswd file ([-c] creates the file, so use it only for the first user)

[root@mgr ~]#
htpasswd -Bbc ~/okd4/auth/users.htpasswd serverworld userpassword

Adding password for user serverworld
# generate HTPasswd secret

[root@mgr ~]#
oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd -n openshift-config

secret/htpass-secret created
# define and apply HTPasswd Custom Resource

[root@mgr ~]#
vi ~/okd4/auth/oauth.yaml
# create new

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: HTPasswdIdentityProvider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret

[root@mgr ~]#
oc apply -f ~/okd4/auth/oauth.yaml

Warning: resource oauths/cluster is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
oauth.config.openshift.io/cluster configured
[2] To add new users, proceed as follows. Always export the current Secret first, so that changes are made against the file the cluster is actually using and nobody else's changes are overwritten.
# output current HTPasswd secret to a file

[root@mgr ~]#
oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ~/okd4/auth/users.htpasswd
# add new users to htpasswd file

[root@mgr ~]#
htpasswd -bB ~/okd4/auth/users.htpasswd centos userpassword

Adding password for user centos
[root@mgr ~]#
htpasswd -bB ~/okd4/auth/users.htpasswd redhat userpassword

Adding password for user redhat
# update HTPasswd secret

[root@mgr ~]#
oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -

secret/htpass-secret replaced
[3] To remove users, proceed as follows.
# output current HTPasswd secret to a file

[root@mgr ~]#
oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ~/okd4/auth/users.htpasswd
# remove users from htpasswd file

[root@mgr ~]#
htpasswd -D ~/okd4/auth/users.htpasswd centos

Deleting password for user centos
# update HTPasswd secret

[root@mgr ~]#
oc create secret generic htpass-secret --from-file=htpasswd=/root/okd4/auth/users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -

secret/htpass-secret replaced
# remove the target [User] resource (created at the user's first login); the matching [Identity] resource, named [HTPasswdIdentityProvider:centos] here, is not removed by this command and should be deleted as well

[root@mgr ~]#
oc delete user centos

user.user.openshift.io "centos" deleted
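The procedures in [1] to [3] collected into reusable shell functions for the Manager Node, as an added example written by the editor; it is not part of the original page or of OKD. It assumes the file, Secret, namespace and provider names used on this page (overridable through the environment), an [oc] session logged in as kubeadmin, and [httpd-tools] installed; the user names passed to the functions are illustrative. Beyond the page's commands it adds an audit of the htpasswd file (non-bcrypt hashes, duplicate names) before the Secret is replaced, an offline rendering of the Secret manifest, and deletion of the [Identity] object when a user is removed.

```shell
#!/bin/sh
# Added example by the editor, not code from the original page or from OKD.
# Assumptions: file, secret, namespace and provider names are those used on
# this page (override via the environment); "oc" is logged in as kubeadmin
# and "htpasswd" (httpd-tools) is installed on the Manager Node.

HTPASSWD_FILE="${HTPASSWD_FILE:-${HOME:-/root}/okd4/auth/users.htpasswd}"
SECRET_NAME="${SECRET_NAME:-htpass-secret}"
SECRET_NS="${SECRET_NS:-openshift-config}"
IDP_NAME="${IDP_NAME:-HTPasswdIdentityProvider}"

# List the user names in an htpasswd file (comments and blank lines skipped).
htpasswd_users() {   # file
    awk -F: '!/^#/ && NF >= 2 { print $1 }' "$1"
}

# Audit an htpasswd file before it is pushed to the cluster: print one line
# per problem and return 1 if any were found. A hash that is not bcrypt
# ($2a$/$2b$/$2y$ prefix) is flagged: $apr1$ MD5 (htpasswd's default),
# {SHA} (-s) and crypt(3) (-d) are what htpasswd writes when [-B] is omitted.
# Duplicate names are flagged because one of the two passwords is silently
# ignored by whichever entry the provider does not use.
htpasswd_audit() {   # file
    awk -F: '
        BEGIN { bad = 0 }
        /^#/ || NF < 2 { next }
        $2 !~ /^[$]2[aby][$]/ { print "weak hash: " $1; bad = 1 }
        seen[$1]++            { print "duplicate: " $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Render the Secret manifest that "oc create secret generic ... --dry-run=client
# -o yaml" produces, so the object can be inspected or diffed before replacing.
htpasswd_secret_manifest() {   # file [secret-name] [namespace]
    _b64=$(base64 < "$1" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  htpasswd: %s\n' \
        "${2:-$SECRET_NAME}" "${3:-$SECRET_NS}" "$_b64"
}

# Name of the Identity object the provider creates at a user's first login.
identity_resource_name() {   # user
    printf '%s:%s\n' "$IDP_NAME" "$1"
}

# Pull the htpasswd file the cluster is currently using, so edits are made
# against the live data rather than a stale local copy.
okd_htpasswd_export() {
    oc get secret "$SECRET_NAME" -n "$SECRET_NS" -o jsonpath='{.data.htpasswd}' \
        | base64 -d > "$HTPASSWD_FILE"
}

# Push the local file back; refuse to push a file that fails the audit.
okd_htpasswd_push() {
    htpasswd_audit "$HTPASSWD_FILE" || return 1
    htpasswd_secret_manifest "$HTPASSWD_FILE" | oc replace -n "$SECRET_NS" -f -
}

# Step [2]: add or reset a user. Without [-b] htpasswd prompts for the
# password, keeping it out of shell history and "ps" output.
okd_htpasswd_add_user() {   # user
    okd_htpasswd_export && htpasswd -B "$HTPASSWD_FILE" "$1" && okd_htpasswd_push
}

# Step [3]: remove a user. "oc delete user" does not remove the Identity
# object, so delete it too (as the OpenShift user-removal procedure does).
okd_htpasswd_remove_user() {   # user
    okd_htpasswd_export && htpasswd -D "$HTPASSWD_FILE" "$1" && okd_htpasswd_push || return 1
    oc delete user "$1"
    oc delete identity "$(identity_resource_name "$1")"
}
```

Source the file and call `okd_htpasswd_add_user centos` to add a user with an interactive password prompt, or `okd_htpasswd_remove_user centos` to remove one. `htpasswd_audit` and `htpasswd_secret_manifest` work on any local htpasswd file without cluster access, which is useful for reviewing a file before it is pushed.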