CentOS Stream 9

OKD 4 : Login to Cluster
2022/08/02

 
Log in to an OKD 4 cluster from a client computer as a user.
This example is based on the following environment.
--------------+----------------+-----------------+--------------
              |10.0.0.25       |                 |10.0.0.24
+-------------+-------------+  |  +--------------+-------------+
|   [mgr.okd4.srv.world]    |  |  | [bootstrap.okd4.srv.world] |
|        Manager Node       |  |  |       Bootstrap Node       |
|           DNS             |  |  |                            |
|          Nginx            |  |  |                            |
+---------------------------+  |  +----------------------------+
                               |
--------------+----------------+-----------------+--------------
              |10.0.0.40       |                 |10.0.0.41
+-------------+-------------+  |  +--------------+-------------+
| [master-0.okd4.srv.world] |  |  |  [master-1.okd4.srv.world] |
|      Control Plane#1      |  |  |      Control Plane#2       | 
|                           |  |  |                            |
|                           |  |  |                            |
+---------------------------+  |  +----------------------------+
                               |
--------------+----------------+
              |10.0.0.42
+-------------+-------------+
| [master-2.okd4.srv.world] |
|      Control Plane#3      |
|                           |
|                           |
+---------------------------+

[1]
For the initial login to the OKD 4 cluster after adding a new Identity Provider, you need to specify an API token.
To get one, access the URL below with a web browser from any computer that can connect to the Manager Node.
⇒ https://oauth-openshift.apps.(cluster name).(base domain name)/oauth/token/request
in this example ⇒ https://oauth-openshift.apps.okd4.srv.world/oauth/token/request
* note : to get the token via the API without a GUI web browser, run the following
$ curl -v --insecure --user serverworld:userpassword --header "X-CSRF-Token: xxx" --url "https://oauth-openshift.apps.okd4.srv.world/oauth/authorize?response_type=token&client_id=openshift-challenging-client" 2>&1 | grep Location | cut -d'#' -f2 | cut -d'&' -f1
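
The pipeline in the note above prints the first fragment pair with its `access_token=` prefix still attached and only matches a capitalised `Location` header. The function below is an added example, not part of the original page: it parses the same `curl -v` output, accepts either header case and prints the bare token. The names `extract_oauth_token` and `sample_headers` and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. POSIX sh; helper variables are global.

# Constructed sample of `curl -v` response output (the token value is a placeholder).
sample_headers() {
    printf '%s\r\n' \
        '< HTTP/2 302' \
        '< cache-control: no-cache' \
        '< location: https://oauth-openshift.apps.okd4.srv.world/oauth/token/implicit#access_token=sha256~CONSTRUCTED-EXAMPLE-TOKEN&expires_in=86400&scope=user%3Afull&token_type=Bearer'
}

# Read response headers on stdin and print only the access_token value.
# Returns 1 when no redirect carrying a token was seen (e.g. a 401 response).
extract_oauth_token() {
    cr=$(printf '\r')
    token=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # drop the CR of the CRLF line ending
        line=${line#"< "}           # drop the "< " that curl -v puts before headers
        case $line in               # header names are case-insensitive (lower case in HTTP/2)
            [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:*"#"*) ;;
            *) continue ;;
        esac
        rest=${line#*"#"}           # the token travels in the URL fragment
        while [ -n "$rest" ]; do    # walk the '&'-separated key=value pairs
            pair=${rest%%"&"*}
            case $pair in
                access_token=*) token=${pair#access_token=} ;;
            esac
            case $rest in
                *"&"*) rest=${rest#*"&"} ;;
                *) rest="" ;;
            esac
        done
    done
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Stand-alone run on the constructed sample; against the cluster, pipe the
# curl command from the note above (with its 2>&1) into extract_oauth_token.
sample_headers | extract_oauth_token
```
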

After accessing the URL, click the Identity provider name.
(it's [HTPasswdIdentityProvider] in this example)
[2] Log in as a user that you added to the Identity provider.
[3] Click [Display Token].
[4] Take note of the contents.
[5] Perform the initial login on a client computer.
Any computer that can connect to the Manager Node can be used as the client; the requirements are that the OpenShift client is installed and DNS is configured.
# set DNS to refer to Manager Node
# * replace the network device name with the one in your own environment

[root@client ~]#
nmcli connection modify enp1s0 ipv4.dns 10.0.0.25

[root@client ~]#
nmcli connection modify enp1s0 ipv4.dns-search okd4.srv.world

[root@client ~]#
nmcli connection up enp1s0

# download OpenShift client

# check for the latest version ⇒ https://github.com/openshift/okd/releases/

[root@client ~]#
wget https://github.com/openshift/okd/releases/download/4.11.0-0.okd-2022-07-29-154152/openshift-client-linux-4.11.0-0.okd-2022-07-29-154152.tar.gz

[root@client ~]#
tar zxvf openshift-client-linux-4.11.0-0.okd-2022-07-29-154152.tar.gz

[root@client ~]#
mv oc kubectl /usr/local/bin/

[root@client ~]#
chmod 755 /usr/local/bin/{oc,kubectl}

[root@client ~]#
oc version

Client Version: 4.11.0-0.okd-2022-07-29-154152
Kustomize Version: v4.5.4
# login with token

[root@client ~]#
oc login --token=sha256~ZsOcQn3W_gEWMsLW3v1zPjoqfgN6jPDFA0SkitMBinU --server=https://api.okd4.srv.world:6443

The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Logged into "https://api.okd4.srv.world:6443" as "serverworld" using the token provided.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

Welcome! See 'oc help' to get started.

[root@client ~]#
oc whoami

serverworld
[root@client ~]#
oc logout

Logged "serverworld" out on "https://api.okd4.srv.world:6443"