Create a host and get a keytab from the CLI

Since I have to do this a lot, I figured I would write it down here. This is a follow-on to Kerberizing a Service in OpenShift.

export HOST=krbocp-container-krbocp.apps.demo.redhatfsi.com
export PRINCIPAL=HTTP/$HOST@REDHATFSI.COM
# the principal contains a slash, so the HTTP/ subdirectory has to exist before ipa-getkeytab writes into it
mkdir -p keytabs/HTTP
ipa host-add $HOST --force
ipa service-add $PRINCIPAL --force
ipa-getkeytab -k keytabs/$PRINCIPAL.keytab -p $PRINCIPAL

With that keytab uploaded as a secret, the host krbocp-container-krbocp.apps.demo.redhatfsi.com also allows authentication via Kerberos. Note that I first scp'd it from the IdM server to my local machine:

$ mkdir -p ~/keytabs/HTTP
$ scp idm.redhatfsi.com:keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab
$ mkdir ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
$ cp ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM/apache.keytab

The command to upload it is then:

oc create secret generic apache-container-keytab --from-file ~/keytabs/HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
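The whole sequence above (host entry, service entry, keytab, secret) as one script. This is an added example, not code from the original post or from FreeIPA/OpenShift. It assumes everything is run from a single admin workstation that has ipa, ipa-getkeytab, klist and oc on PATH, with kinit as an IPA admin and oc login already done, so the keytab is written locally rather than scp'd from the IdM server. The realm and host names are the post's; REALM and KEYTAB_ROOT can be overridden from the environment, and the secret name (first DNS label plus -keytab) is my own convention.

```shell
#!/bin/sh
# Added example (not the post's own code): create the IPA host and HTTP service
# entries, fetch the keytab, and upload it as an OpenShift secret in one go.
# Assumes ipa, ipa-getkeytab, klist and oc are installed and already
# authenticated (kinit as an IPA admin, oc login to the right project).
set -eu

REALM="${REALM:-REDHATFSI.COM}"
KEYTAB_ROOT="${KEYTAB_ROOT:-${HOME:-.}/keytabs}"

# Service principal for an HTTP service on a host: HTTP/<host>@<REALM>
principal_for() {
    printf 'HTTP/%s@%s\n' "$1" "$REALM"
}

# Keytab path mirroring the post's layout: <root>/HTTP/<host>@<REALM>.keytab.
# The principal contains a slash, so the HTTP/ subdirectory must exist.
keytab_path_for() {
    printf '%s/%s.keytab\n' "$KEYTAB_ROOT" "$1"
}

# Secret name derived from the first DNS label (my convention, not the post's),
# e.g. krbocp-container-krbocp.apps.demo.redhatfsi.com -> krbocp-container-krbocp-keytab
secret_name_for() {
    printf '%s-keytab\n' "${1%%.*}"
}

# Cheap sanity check before the name is handed to IPA with --force, which
# skips the DNS lookup that would otherwise catch a typo.
valid_fqdn() {
    case "$1" in
        ''|*..*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the host and service entries and fetch the keytab; prints the path.
# IPA's own chatter goes to stderr so the caller can capture the path cleanly.
provision_keytab() {
    host=$1
    valid_fqdn "$host" || { echo "not a valid FQDN: $host" >&2; return 1; }
    principal=$(principal_for "$host")
    keytab=$(keytab_path_for "$principal")
    mkdir -p "$(dirname "$keytab")"
    # --force skips the DNS check, as in the post: the OpenShift route name
    # has no A record in IdM.
    ipa host-add "$host" --force >&2
    ipa service-add "$principal" --force >&2
    # ipa-getkeytab generates fresh keys, so any keytab fetched earlier for
    # this principal stops working; treat every run as a credential rotation.
    ipa-getkeytab -k "$keytab" -p "$principal" >&2
    chmod 0600 "$keytab"
    # List the entries now so a wrong principal or empty file is caught here,
    # not when the pod fails to authenticate.
    klist -kt "$keytab" >&2
    printf '%s\n' "$keytab"
}

# Upload the keytab as a secret whose single key is apache.keytab. Naming the
# key in --from-file avoids the extra directory and copy; dry-run piped into
# apply makes a re-run update the secret instead of failing with AlreadyExists.
upload_secret() {
    host=$1
    keytab=$2
    oc create secret generic "$(secret_name_for "$host")" \
        --from-file=apache.keytab="$keytab" --dry-run=client -o yaml | oc apply -f -
}

main() {
    host=$1
    keytab=$(provision_keytab "$host")
    upload_secret "$host" "$keytab"
}

# Only act when a host name is given; running without arguments (or sourcing)
# just defines the functions.
[ "$#" -eq 0 ] || main "$@"
```

Usage is `sh provision-keytab.sh krbocp-container-krbocp.apps.demo.redhatfsi.com`. The keytab is a long-term credential for the service, so the script keeps exactly one copy on disk, mode 0600, and verifies it with klist before it is uploaded; the 0600 step matters because ipa-getkeytab writes the file with the caller's umask.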

Yes, this is screaming for Ansible.
