OpenShift Post Install Tasks

Our install is nearly complete. We just have a few more tasks.

1. Create an empty volume for the internal registry:

   export KUBECONFIG="${OKD_LAB_PATH}/okd-install-dir/auth/kubeconfig"
   oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed","storage":{"emptyDir":{}}}}'
   

2. Create an Image Pruner:

   oc patch imagepruners.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"schedule":"0 0 * * *","suspend":false,"keepTagRevisions":3,"keepYoungerThan":60,"resources":{},"affinity":{},"nodeSelector":{},"tolerations":[],"startingDeadlineSeconds":60,"successfulJobsHistoryLimit":3,"failedJobsHistoryLimit":3}}'
   

3. Delete all of the Completed pods:

   oc delete pod --field-selector=status.phase==Succeeded --all-namespaces
   

4. Because our install is disconnected from the internet, we need to remove the cluster update channel, Samples Operator, and OperatorHub:

   oc patch ClusterVersion version --type merge -p '{"spec":{"channel":""}}'
   oc patch configs.samples.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Removed"}}'
   oc patch OperatorHub cluster --type json -p '[{"op": "add", "path": "/spec/sources/0/disabled", "value": true}]'
   

5. Before we do anything else, let’s save the emergency keys to our cluster:

   mkdir -p ${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}
   cp ${OKD_LAB_PATH}/okd-install-dir/auth/kubeconfig ${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/
   chmod 400 ${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/kubeconfig
   

   If you ever forget the password for your cluster admin account, you can access your cluster with the kubeadmin token that we saved in the file: ${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/kubeconfig

   export KUBECONFIG="${OKD_LAB_PATH}/lab-config/okd4.${SUB_DOMAIN}.${LAB_DOMAIN}/kubeconfig"
   

Log into your new cluster console

1. Add the OKD Cluster cert to the trust store on your workstation:

   • Mac OS:

     openssl s_client -showcerts -connect  console-openshift-console.apps.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > /tmp/okd-console.${SUB_DOMAIN}.${LAB_DOMAIN}.crt
     sudo security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" /tmp/okd-console.${SUB_DOMAIN}.${LAB_DOMAIN}.crt
     

   • Linux:

     openssl s_client -showcerts -connect console-openshift-console.apps.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > /etc/pki/ca-trust/source/anchors/okd-console.${SUB_DOMAIN}.${LAB_DOMAIN}.crt
     update-ca-trust
     

Create user accounts:

Let’s add some users to the cluster that we created. The temporary kubeadmin account is not a useful long term strategy for access to your cluster. So, we’re going to add a couple of user accounts.

OpenShift supports multiple authentication methods, from enterprise SSO to very basic auth. We’re going to start with something a little basic, using htpasswd.

1. If you don’t already have it available, install htpasswd on your workstation.

2. Create an htpasswd file for a couple of users:

   mkdir -p ${OKD_LAB_PATH}/okd-creds
   htpasswd -B -c -b ${OKD_LAB_PATH}/okd-creds/htpasswd admin $(cat ${OKD_LAB_PATH}/okd-install-dir/auth/kubeadmin-password)
   htpasswd -b ${OKD_LAB_PATH}/okd-creds/htpasswd devuser devpwd
   

   This creates an htpasswd file with two users. The admin user will have the same password that was created for the kubeadmin user.

3. Create a Kubernetes Secret with the htpasswd file:

   oc create -n openshift-config secret generic htpasswd-secret --from-file=htpasswd=${OKD_LAB_PATH}/okd-creds/htpasswd
   

   We’ll associate this secret with a new htpasswd based OAuth provider. If you want to change passwords or add more users, recreate the file and replace the secret.

4. Create the OAuth provider, associated with the secret that we just added.

   cat << EOF | oc apply -f -
   apiVersion: config.openshift.io/v1
   kind: OAuth
   metadata:
     name: cluster
   spec:
     identityProviders:
     - name: okd4_htpasswd_idp
       mappingMethod: claim 
       type: HTPasswd
       htpasswd:
         fileData:
           name: htpasswd-secret
   EOF
   

5. Assign the admin user to be a cluster administrator:

   oc adm policy add-cluster-role-to-user cluster-admin admin
   

6. Wait a couple of minutes for the Authentication pods to restart and stabalize.

7. Now you can verify that the new user account works:

   oc login -u admin https://api.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}:6443
   

8. After you verify that the new admin account works. you can delete the temporary kubeadmin account:

   oc delete secrets kubeadmin -n kube-system
   

9. Now you can point your browser to the url listed at the completion of install: i.e. https://console-openshift-console.apps.okd4.dev.my.awesome.lab

   On Mac OS:

   open -a Safari https://console-openshift-console.apps.okd4.${SUB_DOMAIN}.${LAB_DOMAIN}
   

   Log in as admin with the password from the output at the completion of the install.

That’s it! You now have a three node OpenShift cluster.