OpenShift Post Install Tasks
Our install is nearly complete. We just have a few more tasks.
- Create an empty volume for the internal registry (an `emptyDir` is ephemeral: images pushed to the registry are lost when the registry pod restarts):

```bash
export KUBECONFIG="${OKD_LAB_PATH}/okd-install-dir/auth/kubeconfig"
oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed","storage":{"emptyDir":{}}}}'
```
- Create an Image Pruner. This one runs on the cron schedule `0 0 * * *` (daily at midnight) and keeps the three most recent revisions of each tag:

```bash
oc patch imagepruners.imageregistry.operator.openshift.io/cluster --type merge -p '{
  "spec": {
    "schedule": "0 0 * * *",
    "suspend": false,
    "keepTagRevisions": 3,
    "keepYoungerThan": 60,
    "resources": {},
    "affinity": {},
    "nodeSelector": {},
    "tolerations": [],
    "startingDeadlineSeconds": 60,
    "successfulJobsHistoryLimit": 3,
    "failedJobsHistoryLimit": 3
  }
}'
```
- Delete all of the Completed pods:

```bash
oc delete pod --field-selector=status.phase==Succeeded --all-namespaces
```
- Because our install is disconnected from the internet, we need to remove the cluster update channel, the Samples Operator, and the default OperatorHub sources:

```bash
oc patch ClusterVersion version --type merge -p '{"spec":{"channel":""}}'
oc patch configs.samples.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Removed"}}'
oc patch OperatorHub cluster --type json -p '[{"op": "add", "path": "/spec/sources/0/disabled", "value": true}]'
```
- Before we do anything else, let’s save the emergency keys to our cluster:

```bash
mkdir -p ${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}
cp ${OKD_LAB_PATH}/okd-install-dir/auth/kubeconfig ${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/
chmod 400 ${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/kubeconfig
```

If you ever forget the password for your cluster admin account, you can access your cluster with the `kubeadmin` token that we saved in the file `${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/kubeconfig`:

```bash
export KUBECONFIG="${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/kubeconfig"
```
Log into your new cluster console

- Add the OKD Cluster cert to the trust store on your workstation. Note that `openssl x509` keeps only the first certificate the server presents, i.e. the console’s own certificate, and on Linux the `anchors` directory is root-owned, so run those commands as root.

Mac OS:

```bash
openssl s_client -showcerts -connect console-openshift-console.apps.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > /tmp/okd-console.${SUB_DOMAIN}.${LAB_DOMAIN}.crt
sudo security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" /tmp/okd-console.${SUB_DOMAIN}.${LAB_DOMAIN}.crt
```

Linux:

```bash
openssl s_client -showcerts -connect console-openshift-console.apps.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/pki/ca-trust/source/anchors/okd-console.${SUB_DOMAIN}.${LAB_DOMAIN}.crt
update-ca-trust
```
- Create user accounts:

Let’s add some users to the cluster that we created. The temporary `kubeadmin` account is not a useful long-term strategy for access to your cluster, so we’re going to add a couple of user accounts.

OpenShift supports multiple authentication methods, from enterprise SSO to very basic auth. We’re going to start with something a little basic, using `htpasswd`.
- If you don’t already have it available, install `htpasswd` on your workstation.

- Create an `htpasswd` file for a couple of users:

```bash
mkdir -p ${OKD_LAB_PATH}/okd-creds
htpasswd -B -c -b ${OKD_LAB_PATH}/okd-creds/htpasswd admin $(cat ${OKD_LAB_PATH}/okd-install-dir/auth/kubeadmin-password)
htpasswd -b ${OKD_LAB_PATH}/okd-creds/htpasswd devuser devpwd
```

This creates an `htpasswd` file with two users. The `admin` user will have the same password that was created for the `kubeadmin` user. `-c` creates the file, so it is only passed on the first call; `-B` selects bcrypt hashing, and the second call omits it, so `devuser` gets the `htpasswd` default (an MD5-based hash). `-b` takes the password on the command line, where it is visible in the shell history and process list, so it is suited to a lab rather than production credentials.

- Create a Kubernetes Secret with the htpasswd file:

```bash
oc create -n openshift-config secret generic htpasswd-secret --from-file=htpasswd=${OKD_LAB_PATH}/okd-creds/htpasswd
```

We’ll associate this secret with a new htpasswd-based OAuth provider. If you want to change passwords or add more users, recreate the file and replace the secret.
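Since the secret is replaced wholesale whenever the file changes, it is worth checking what is actually in the file before loading it. The following is an added example, not part of the original post or of OKD: a small bash checker that verifies every line has the `user:hash` shape, that no user appears twice, and that every hash is bcrypt (what `htpasswd -B` writes), reporting apr1-MD5, SHA1, crypt and plaintext entries as weak. Run against the file created above it would flag the `devuser` entry, whose `htpasswd` call did not pass `-B`. The `write_sample_*` helpers and the hash strings they write are constructed placeholders shaped like real entries, not real password hashes.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check an htpasswd file
# before it goes into the openshift-config secret. Flags malformed lines,
# duplicate users, and entries that are not bcrypt (what `htpasswd -B` writes).
set -u

# check_htpasswd FILE -> returns 0 when every entry is well formed and bcrypt;
# otherwise prints one finding per problem to stderr and returns 1.
check_htpasswd() {
  file="$1"
  rc=0
  lineno=0
  seen=" "                       # space-delimited list of user names already seen
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    [ -z "$line" ] && continue
    case "$line" in
      *:*) ;;
      *) echo "line $lineno: no 'user:hash' separator" >&2; rc=1; continue ;;
    esac
    user="${line%%:*}"
    pw_hash="${line#*:}"
    if [ -z "$user" ]; then
      echo "line $lineno: empty user name" >&2; rc=1; continue
    fi
    case "$seen" in
      *" $user "*) echo "line $lineno: duplicate user '$user'" >&2; rc=1 ;;
    esac
    seen="$seen$user "
    case "$pw_hash" in
      '$2y$'*|'$2a$'*|'$2b$'*)
        # bcrypt strings are always 60 characters: $2y$ + 2-digit cost + $ + 53 chars
        if [ "${#pw_hash}" -ne 60 ]; then
          echo "line $lineno: '$user' has a truncated bcrypt hash" >&2; rc=1
        fi ;;
      '$apr1$'*) echo "line $lineno: '$user' uses apr1 MD5 (weak); rehash with htpasswd -B" >&2; rc=1 ;;
      '{SHA}'*)  echo "line $lineno: '$user' uses SHA1 (weak); rehash with htpasswd -B" >&2; rc=1 ;;
      *)         echo "line $lineno: '$user' uses crypt or plaintext (weak); rehash with htpasswd -B" >&2; rc=1 ;;
    esac
  done < "$file"
  return "$rc"
}

# Constructed sample files (placeholder hashes, not real ones): write_sample_good FILE
# writes two bcrypt entries; write_sample_bad FILE writes one good entry, an apr1
# entry, a duplicate plaintext entry and a line with no separator.
write_sample_good() {
  printf '%s\n' \
    'admin:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0' \
    'devuser:$2y$05$0ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba' > "$1"
}
write_sample_bad() {
  printf '%s\n' \
    'admin:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0' \
    'devuser:$apr1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa' \
    'devuser:devpwd' \
    'broken-line-without-separator' > "$1"
}

# Usage: bash check-htpasswd.sh "${OKD_LAB_PATH}/okd-creds/htpasswd"
if [ "$#" -gt 0 ]; then
  check_htpasswd "$1"
fi
```

A non-zero exit is a signal to rerun `htpasswd -B` for the named users before recreating the secret; the check is deliberately conservative and does not try to validate the bcrypt body itself.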
- Create the OAuth provider, associated with the secret that we just added:

```bash
cat << EOF | oc apply -f -
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: okd4_htpasswd_idp
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpasswd-secret
EOF
```
- Assign the `admin` user to be a cluster administrator:

```bash
oc adm policy add-cluster-role-to-user cluster-admin admin
```

- Wait a couple of minutes for the Authentication pods to restart and stabilize.

- Now you can verify that the new user account works:

```bash
oc login -u admin https://api.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}:6443
```

- After you verify that the new admin account works, you can delete the temporary kubeadmin account. This is not reversible, so make sure the `admin` login above succeeded first:

```bash
oc delete secrets kubeadmin -n kube-system
```
- Now you can point your browser to the URL listed at the completion of install, e.g. `https://console-openshift-console.apps.okd4.dev.my.awesome.lab`

On Mac OS:

```bash
open -a Safari https://console-openshift-console.apps.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}
```

Log in as `admin` with the password from the output at the completion of the install.

That’s it! You now have a three node OpenShift cluster.