NSX ALB + Harbor + OpenShift 4.8 UPI installation and configuration lab notes: series index
Configure an htpasswd identity provider:
1). Create a users.htpasswd file containing the user admin with the password VMware1! (-B selects bcrypt; -b takes the password from the command line, so it ends up in the shell history, which is acceptable only for a lab):
- cd ~
- htpasswd -bBc /root/users.htpasswd admin VMware1!
2). Create an OpenShift secret from users.htpasswd in the openshift-config namespace (the identity provider itself is defined in step 3):
oc create secret generic htpass-secret --from-file=htpasswd=/root/users.htpasswd -n openshift-config
3). Create the OAuth resource YAML (the provider name htpasswd_provider is reused later as the prefix of Identity objects):
- cat << EOF > htpass.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF
4). Apply the OAuth resource to the cluster:
oc apply -f htpass.yaml
5). Grant the admin user the cluster-admin role (this adds the user to the existing cluster-admin ClusterRoleBinding):
oc adm policy add-cluster-role-to-user cluster-admin admin --rolebinding-name=cluster-admin
6). Log in to the console with htpasswd_provider:
Open https://console-openshift-console.apps.ocp.corp.tanzu in a browser and choose htpasswd_provider on the login page:
Log in with the user name admin and the password VMware1!:
Add a user to the htpasswd provider:
1). Add a new entry to users.htpasswd for the user user01 with the password VMware1! (no -c this time, or the file is recreated and admin is lost):
- cd ~
- htpasswd -bB /root/users.htpasswd user01 VMware1!
2). Update the secret that holds the htpasswd file:
oc set data secret/htpass-secret --from-file htpasswd=/root/users.htpasswd -n openshift-config
3). Test that user01 can log in to the cluster (the OAuth object does not need to be re-applied; the OAuth server picks up the updated secret):
Once a user with the cluster-admin role exists, it is recommended to delete the default kubeadmin user. Verify first that the new admin can log in and act as cluster-admin: deleting this secret cannot be undone.
oc delete secrets kubeadmin -n kube-system
Remove a user from the htpasswd provider:
1). Delete user01 from the authentication file:
- cd ~
- htpasswd -D /root/users.htpasswd user01
2). Update the secret that holds the htpasswd file:
oc set data secret/htpass-secret --from-file htpasswd=/root/users.htpasswd -n openshift-config
3). Delete the user's remaining resources. Updating the secret only stops the login; the User and Identity objects stay behind (the Identity is named after the provider, htpasswd_provider, not my_htpasswd_provider), and any role bindings that name the user should be cleaned up as well:
- oc delete user user01
- oc delete identity htpasswd_provider:user01
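The add, update and remove procedures above all end in `oc set data secret/htpass-secret ...`, and a malformed or weakly hashed entry only shows up once logins start failing. The script below is an added example, not part of the original notes: it lints users.htpasswd before the secret is updated and prints the `oc delete user` / `oc delete identity` commands for every user dropped from the file. It assumes the provider name htpasswd_provider from the OAuth object; the sample files and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original lab notes. Checks a users.htpasswd file
# before it is pushed into htpass-secret and lists the objects to delete for
# users removed from it. Assumed: provider name "htpasswd_provider" from the
# OAuth object. Sample files and hashes below are constructed placeholders.

# lint_htpasswd FILE
# Returns 0 when every line is "user:hash", every hash is bcrypt, and no user is
# listed twice; otherwise prints one diagnostic per problem and returns 1.
# The OAuth server loads the whole file, so one bad line breaks every login, and
# bcrypt (htpasswd -B) should be used instead of the apr1/MD5 default or SHA-1.
lint_htpasswd() {
  file=$1; rc=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      '')  echo "line $n: empty line"; rc=1; continue ;;
      *:*) ;;
      *)   echo "line $n: missing ':' separator"; rc=1; continue ;;
    esac
    user=${line%%:*}; pw_hash=${line#*:}
    if [ -z "$user" ]; then echo "line $n: empty user name"; rc=1; continue; fi
    case $pw_hash in
      '$2y$'*|'$2a$'*|'$2b$'*) ;;
      '$apr1$'*) echo "line $n: $user uses apr1/MD5; re-add with htpasswd -B"; rc=1 ;;
      '{SHA}'*)  echo "line $n: $user uses SHA-1; re-add with htpasswd -B"; rc=1 ;;
      *)         echo "line $n: $user has an unrecognised hash"; rc=1 ;;
    esac
  done < "$file"
  for dup in $(cut -d: -f1 "$file" | sort | uniq -d); do
    echo "user $dup is listed more than once"; rc=1
  done
  return $rc
}

# removed_users OLD NEW
# Prints the users present in OLD but missing from NEW, one per line.
removed_users() {
  cut -d: -f1 "$1" | sort -u | while IFS= read -r u; do
    grep -q -- "^$u:" "$2" || echo "$u"
  done
}

# cleanup_commands OLD NEW [PROVIDER]
# Prints the oc commands that remove the User and Identity objects of every user
# dropped between OLD and NEW. Updating the secret alone leaves those objects,
# and any role bindings that name the user, in place.
cleanup_commands() {
  provider=${3:-htpasswd_provider}
  removed_users "$1" "$2" | while IFS= read -r u; do
    printf 'oc delete user %s\n' "$u"
    printf 'oc delete identity %s:%s\n' "$provider" "$u"
  done
}

# Constructed sample: the file before and after an edit. The hashes are
# format-only placeholders, not real password hashes.
OLD=$(mktemp); NEW=$(mktemp)
trap 'rm -f "$OLD" "$NEW"' EXIT
cat > "$OLD" <<'EOF'
admin:$2y$05$placeholderplaceholderplaceholderplaceholderplaceholde
user01:$2y$05$placeholderplaceholderplaceholderplaceholderplaceholde
EOF
cat > "$NEW" <<'EOF'
admin:$2y$05$placeholderplaceholderplaceholderplaceholderplaceholde
user02:$apr1$saltsalt$placeholderplaceholder
EOF

lint_htpasswd "$OLD" && echo "old file: ok"
lint_htpasswd "$NEW" || echo "new file: fix the problems above before 'oc set data secret/htpass-secret --from-file htpasswd=$NEW -n openshift-config'"
cleanup_commands "$OLD" "$NEW"
```

Run the lint against the real /root/users.htpasswd before every `oc set data`, and feed the old and new copies of the file to cleanup_commands after a removal so no orphaned User or Identity objects are left behind.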
Recover the current htpasswd file from the cluster (for example when the local copy is missing):
1). Confirm the secret name:
oc get secret -n openshift-config
2). Extract the secret contents to a local directory (--to takes a directory; the file written into it is named htpasswd, after the key in the secret, and can be edited with htpasswd and pushed back with oc set data):
oc extract secret/htpass-secret -n openshift-config --to /root/users.htpasswd-extract
Persistent storage for the internal image registry: add a 50 G virtual disk to the lab TrueNAS and configure an NFS export on it (the export used below is /mnt/OCP on 192.168.110.60).
Create the StorageClass. The provisioner name is only a label here: no external provisioner is deployed for it, so PVs of this class are created by hand in the next step and the PVC binds to one of them statically once the registry pod is scheduled (WaitForFirstConsumer):
- cat << EOF > storageclass.yaml
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: standard
provisioner: truenas.corp.tanzu/external-nfs
volumeBindingMode: WaitForFirstConsumer
EOF
- oc apply -f storageclass.yaml
Create a static PV on the NFS export (Retain keeps the registry data if the PVC is ever deleted):
- cat << EOF > pv.yaml
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: registry-pv
spec:
  capacity:
    storage: 20Gi
  accessModes:
  - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: standard
  nfs:
    path: /mnt/OCP
    server: 192.168.110.60
    readOnly: false
EOF
- oc apply -f pv.yaml
Create the PVC in openshift-image-registry. It must match the PV's storage class and access mode; ReadWriteMany is required if the registry runs more than one replica:
- oc project openshift-image-registry
- cat << EOF > pvc.yaml
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-pvc
spec:
  storageClassName: standard
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 20Gi
EOF
- oc apply -f pvc.yaml
- oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"pvc":{"claim":"registry-pvc"}}}}'
- oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState": "Managed"}}'
- oc get configs.imageregistry.operator.openshift.io -o json | jq -r '.items[].spec |.managementState,.storage'
- oc get pod -n openshift-image-registry
Optionally expose the registry on its default route. This makes the registry reachable from outside the cluster through the ingress controller, so only enable it when that is intended (the original command was missing the quote before defaultRoute):
oc patch configs.imageregistry.operator.openshift.io cluster --type merge -p '{"spec":{"defaultRoute":true}}'
Check the Samples Operator status:
oc get co openshift-samples -o yaml
Build the list of registry.redhat.io images referenced by the image streams in the openshift namespace:
for i in `oc get is -n openshift --no-headers | awk '{print $1}'`; do oc get is $i -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io | sed -e 's/"//g' | cut -d"/" -f2-; done | tee imagelist.txt
Mirror every image on the list to the local registry (LOCAL_SECRET_JSON must point at an auth file holding credentials for both registry.redhat.io and map.corp.tanzu):
for i in `cat imagelist.txt`; do oc image mirror -a ${LOCAL_SECRET_JSON} registry.redhat.io/$i map.corp.tanzu/openshift/$i;done
Point the Samples Operator at the local registry (this triggers a sync; flipping managementState to Removed and back to Managed makes the operator recreate the image streams):
- oc patch configs.samples.operator.openshift.io cluster --patch '{"spec":{"sampleRegistry": "map.corp.tanzu/openshift"}}' --type=merge
- oc patch configs.samples.operator.openshift.io cluster --patch '{"spec":{"managementState": "Removed"}}' --type merge
- oc patch configs.samples.operator.openshift.io cluster --patch '{"spec":{"managementState": "Managed"}}' --type merge
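The mirror loop above calls `oc image mirror` once per image, and imagelist.txt usually contains duplicates because several image streams reference the same image. The script below is an added example, not part of the original notes: it turns the list into one deduplicated SRC=DST mapping for a single `oc image mirror -f` run and skips lines that stray quotes or extraction mangled. The registry names are the ones used in these notes; the sample image list is constructed.

```shell
#!/bin/sh
# Added example, not from the original lab notes. Builds a deduplicated
# mapping file for `oc image mirror -f` from the imagelist.txt produced by
# the image-stream loop. Registry names follow the notes; sample list is
# constructed.

# mirror_pairs SRC_REGISTRY DST_PREFIX < imagelist.txt
# Reads image references (namespace/name:tag or namespace/name@sha256:...) on
# stdin, drops blank lines, comments and duplicates, reports anything that is
# not a plain reference on stderr, and prints one "SRC=DST" line per image.
mirror_pairs() {
  src=$1; dst=$2
  sort -u | while IFS= read -r img; do
    case $img in
      ''|'#'*) ;;                                                   # blank or comment
      *[!A-Za-z0-9_./:@-]*) echo "skip (bad characters): $img" >&2 ;; # quotes, spaces
      *:*) printf '%s/%s=%s/%s\n' "$src" "$img" "$dst" "$img" ;;      # name:tag or name@sha256:digest
      *)   echo "skip (no tag or digest): $img" >&2 ;;
    esac
  done
}

# Constructed sample of what the image-stream loop writes, including a
# duplicate, a line with quotes left in, and a reference without a tag.
SAMPLE='rhel8/nodejs-14:1
rhscl/postgresql-12-rhel7:latest
rhel8/nodejs-14:1
"rhel8/python-38:1"
ubi8/ubi'

# Demo on the sample. In the lab run instead:
#   mirror_pairs registry.redhat.io map.corp.tanzu/openshift < imagelist.txt > mapping.txt
#   oc image mirror -a "${LOCAL_SECRET_JSON}" -f mapping.txt
printf '%s\n' "$SAMPLE" | mirror_pairs registry.redhat.io map.corp.tanzu/openshift
```

One invocation with the mapping file lets `oc image mirror` plan all blob copies together, and the skipped lines on stderr show which entries of imagelist.txt need a look before anything is pushed to map.corp.tanzu.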