OpenShift Origin Default Auth

Once I got the Ansible playbook to run, I was able to poke at the openshift setup.

The install creates a default configuration in the Ansible users home directory on the master node.

I can use the openshift client:

ssh ansible@munchlax oc get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-2-z91cq    1/1       Running   0          18h
registry-console-1-g4qml   1/1       Running   0          20h
router-5-4w3zt             1/1       Running   0          18h
ssh ansible@munchlax oc create user ayoung

Or even the kubectl executable:

$ ssh ansible@munchlax kubectl get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-2-z91cq    1/1       Running   0          18h
registry-console-1-g4qml   1/1       Running   0          20h
router-5-4w3zt             1/1       Running   0          18h

If I want to pull this over to my home machine, I can use rsync:

rsync -a  ansible@munchlax:.kube ~/
[ayoung@ayoung541 kubevirt-ansible]$ ls ~/.kube/
cache  config  munchlax_8443  schema
[ayoung@ayoung541 kubevirt-ansible]$ kubectl get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-2-z91cq    1/1       Running   0          18h
registry-console-1-g4qml   1/1       Running   0          20h
router-5-4w3zt             1/1       Running   0          18h

Although the advice I got from sdodson in IRC sounds solid:

ansible_user on the first master should have admin’s kubeconfig in ~/.kube/config The intention is that you use that to provision additional admins/users and grant them required permissions. Then they can use `oc` or the web console using whatever credentials you’ve created for them.

I can use the WebUI by requesting the following URL from the Browser.

https://munchlax:8443/console/

Assuming I bypass the Certificate warnings, I can see the login screen. Since the admin user is secured with a Client Cert, and the UI supports password login, I’ll create a user to mirror my account and log in that way, Following the instructions here:

[ayoung@ayoung541 kubevirt-ansible]$ oc create user ayoung
user "ayoung" created
[ayoung@ayoung541 kubevirt-ansible]$ oc get user ayoung
NAME      UID                                    FULL NAME   IDENTITIES
ayoung    cca08f74-3a53-11e7-9754-1c666d8b0614               
[ayoung@ayoung541 kubevirt-ansible]$ oc get identities
No resources found.
[ayoung@ayoung541 kubevirt-ansible]$ oc get identity
No resources found.

Hmmm, no Identity providers seem to be configured. I see I can override this via the Ansible inventory file if I rerun.

I can see the current configuration in

sudo cat /etc/origin/master/master-config.yaml

Which has this line in it…

      kind: AllowAllPasswordIdentityProvider

perhaps my new user will work?

From the login screen.  Using a password of ‘test’ which I have not set anywhere.

 

I get logged in and see the “new project” screen.

This works for development, but I need something more serious for a live deployment in the future.

2 thoughts on “OpenShift Origin Default Auth

  1. Awesome! LDAP really should be done via Federation support, and multi LDAP would fit in there. I wish we had done that in Keystone.

Leave a Reply

Your email address will not be published. Required fields are marked *