《OpenShift / RHEL / DevSecOps / Ansible Summary Index》
Note: this article has been verified in an OpenShift 4.11 environment.
Note: first complete the kustomize and RHSSO installation following the article "OpenShift 4 - Using RHSSO for Application Authentication and Access Authorization", and create the users and groups in RHSSO.
```shell
$ mkdir ~/kustomize && cd ~/kustomize
$ curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
$ PATH=$PATH:~/kustomize
```
```shell
$ oc new-project ipa
$ IMG=quay.io/freeipa/freeipa-openshift-container:latest
$ IMG_BASE=${IMG}
$ git clone https://github.com/freeipa/freeipa-openshift-container.git && cd freeipa-openshift-container/
$ kustomize build deploy/admin | oc create -f -
$ make template-create
$ make template-new-app
```
```text
$ oc logs pod/freeipa -c init-container -f
...
[ ***] A start job is running for Configur… first start (6min 13s / no limit)
This program will set up IPA client.
Version 4.9.8
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.apps.cluster-72c7x.72c7x.sandbox2951.opentlc.com
Realm: APPS.CLUSTER-72C7X.72C7X.SANDBOX2951.OPENTLC.COM
DNS Domain: apps.cluster-72c7x.72c7x.sandbox2951.opentlc.com
IPA Server: ipa.apps.cluster-72c7x.72c7x.sandbox2951.opentlc.com
BaseDN: dc=apps,dc=cluster-72c7x,dc=72c7x,dc=sandbox2951,dc=opentlc,dc=com
...
```
```text
$ oc get pod freeipa -n ipa
NAME      READY   STATUS    RESTARTS   AGE
freeipa   1/1     Running   0          6m36s
$ oc get route freeipa -o jsonpath='{.spec.host}' -n ipa
ipa.apps.cluster-72c7x.72c7x.sandbox2951.opentlc.com
$ oc get secret freeipa -n ipa -o go-template --template="{{.data.IPA_ADMIN_PASSWORD|base64decode}}"
Z6bzS-G1zrD-4UPqV-gfJ0m
$ oc get secret freeipa -n ipa -o go-template --template="{{.data.IPA_DM_PASSWORD|base64decode}}"
r2BVq-C8Bk6-qyiX5-Z_dzN
```
| Setting | Value |
|---|---|
| Connection URL | ldap://freeipa-ldap.ipa.svc.cluster.local:389 |
| Users DN | cn=users,cn=accounts,dc=apps,dc=cluster-72c7x,dc=72c7x,dc=sandbox2951,dc=opentlc,dc=com |
| Bind DN | cn=Directory Manager |
| Bind Credential | r2BVq-C8Bk6-qyiX5-Z_dzN |
| Setting | Value |
|---|---|
| LDAP Groups DN | cn=groups,cn=accounts,dc=apps,dc=cluster-72c7x,dc=72c7x,dc=sandbox2951,dc=opentlc,dc=com |
| LDAP Filter | (cn=special_staff) |
| Mode | LDAP_ONLY |
| User Groups Retrieve Strategy | GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE |
| Groups Path | /staff |
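As an added check that is not part of the original post, the following Python script derives the Users DN and Groups DN from the IPA DNS domain printed in the init-container log and models how the group mapper settings above (Mode LDAP_ONLY, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, filter `(cn=special_staff)`, path `/staff`) turn a user's `memberOf` values into RHSSO groups. The `memberOf` sample is constructed, and the script assumes that the mapper's LDAP Filter narrows the groups read from `memberOf`.

```python
import re

# Values from the page: the IPA DNS domain and the group-ldap-mapper settings.
IPA_DOMAIN = "apps.cluster-72c7x.72c7x.sandbox2951.opentlc.com"
GROUP_FILTER = "(cn=special_staff)"
GROUPS_PATH = "/staff"


def base_dn(domain):
    """FreeIPA builds its suffix from the DNS domain: one dc= component per label."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))


def users_dn(domain):
    """Users DN for the RHSSO user federation entry."""
    return "cn=users,cn=accounts," + base_dn(domain)


def groups_dn(domain):
    """LDAP Groups DN for the group mapper."""
    return "cn=groups,cn=accounts," + base_dn(domain)


def filter_cn(ldap_filter):
    """Return the cn value of a simple equality filter such as (cn=special_staff)."""
    match = re.fullmatch(r"\(cn=([^()=*]+)\)", ldap_filter.strip())
    if match is None:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    return match.group(1)


def mapped_groups(member_of, domain, ldap_filter=GROUP_FILTER, groups_path=GROUPS_PATH):
    """Model GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE with Mode=LDAP_ONLY: read the
    user's memberOf values, keep only entries under the Groups DN whose cn matches
    the mapper filter (assumption: the filter narrows these loaded groups), and
    map each one to <Groups Path>/<cn>."""
    suffix = "," + groups_dn(domain)
    wanted = filter_cn(ldap_filter).lower()
    result = []
    for dn in member_of:
        if not dn.lower().endswith(suffix):
            continue  # memberOf entries from other IPA trees (sudo rules, hosts) are ignored
        rdn = dn[: -len(suffix)]
        if rdn.lower().startswith("cn=") and rdn[3:].lower() == wanted:
            result.append(f"{groups_path}/{rdn[3:]}")
    return result


if __name__ == "__main__":
    # Constructed sample: an IPA user in the default ipausers group plus special_staff.
    sample = [f"cn=ipausers,{groups_dn(IPA_DOMAIN)}", f"cn=special_staff,{groups_dn(IPA_DOMAIN)}"]
    print(users_dn(IPA_DOMAIN))
    print(mapped_groups(sample, IPA_DOMAIN))  # ['/staff/special_staff']
```

Note that `cn=Directory Manager` in the federation table is the directory superuser account; a dedicated read-only bind account scoped to the users and groups subtrees is the lower-privilege choice for RHSSO.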
https://olleb.com/rhsso-workshop/federation.html