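Since I have to do this a lot, I figured I would write it down here. This is a follow-on to Kerberizing a Service in OpenShift.

    export HOST=krbocp-container-krbocp.apps.demo.redhatfsi.com
    export PRINCIPAL=HTTP/$HOST@REDHATFSI.COM
    # Register the host and the HTTP service principal in IdM.
    ipa host-add $HOST --force
    ipa service-add $PRINCIPAL --force
    # PRINCIPAL contains a slash, so the keytab lands under keytabs/HTTP/;
    # make sure that directory exists before fetching the keytab.
    mkdir -p keytabs/HTTP
    ipa-getkeytab -k keytabs/$PRINCIPAL.keytab -p $PRINCIPAL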
With that keytab uploaded as a secret, the host krbocp-container-krbocp.apps.demo.redhatfsi.com also allows authentication via Kerberos. Note that I scp'd it to my local machine:

    $ scp idm.redhatfsi.com:keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab
    $ mkdir ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
    $ cp ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM/apache.keytab
The command to upload it is then:

    oc create secret generic apache-container-keytab --from-file ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
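
The local staging steps above, wrapped as shell functions that also lock down file modes, since a keytab holds the service's long-term keys. This is an added example, not part of the original post; the function names `principal_for`, `stage_keytab` and `upload_command` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). All function names are hypothetical.

# Build the service principal the post uses: HTTP/<host>@<REALM>.
principal_for() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Stage a fetched keytab in a directory of its own, named apache.keytab, so
# that `oc create secret generic ... --from-file <dir>` yields exactly one key.
# Usage: stage_keytab <source.keytab> <principal> <root>
# Prints the staged directory on success.
stage_keytab() {
    kt_src=$1
    kt_dir=$3/$2
    # A missing or empty file would produce a useless secret; fail early.
    [ -s "$kt_src" ] || { echo "keytab missing or empty: $kt_src" >&2; return 1; }
    (
        umask 077    # anything created here is owner-only from the start
        mkdir -p "$kt_dir" && cp "$kt_src" "$kt_dir/apache.keytab"
    ) || return 1
    # Tighten modes explicitly in case the directory or file already existed.
    chmod 700 "$kt_dir" || return 1
    chmod 600 "$kt_dir/apache.keytab" || return 1
    printf '%s\n' "$kt_dir"
}

# Print (do not run) the upload command from the post for a staged directory.
# Usage: upload_command <secret-name> <staged-dir>
upload_command() {
    printf 'oc create secret generic %s --from-file %s\n' "$1" "$2"
}

# Typical use, after the scp step:
#   p=$(principal_for "$HOST" REDHATFSI.COM)
#   d=$(stage_keytab ~/keytabs/"$p".keytab "$p" ~/keytabs) && upload_command apache-container-keytab "$d"
```

`upload_command` only prints the `oc` line so it can be reviewed before it is run against the cluster.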
Yes, this is screaming for Ansible.