Skip to content

Instantly share code, notes, and snippets.

@enj

enj/fix_auth.sh Secret

Last active March 25, 2019 19:39
Show Gist options
  • Save enj/4725980d063133d9bb3508b8ef83bdcb to your computer and use it in GitHub Desktop.
Save enj/4725980d063133d9bb3508b8ef83bdcb to your computer and use it in GitHub Desktop.
Download ZIP
Raw
fix_auth.sh
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
### These initial steps are hacks to get around certificate issues ###
# extract the URL we need in the route's hostname
cluster_url="$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')"
# build the route's hostname
hostname="o.apps.${cluster_url}"
# check the length to make sure lets encrypt will let you use it
if [ "${#hostname}" -ge 63 ]; then
echo "cluster url ${cluster_url} is too long to use with lets encrypt"
exit 1
fi
# set up local lets encrypt to get valid certs
oc apply -fhttps://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/letsencrypt-live/single-namespace/{role,serviceaccount,imagestream,deployment}.yaml -n openshift-authentication
oc create rolebinding openshift-acme --role=openshift-acme --serviceaccount=openshift-authentication:openshift-acme -n openshift-authentication --dry-run -o yaml | oc auth reconcile -f -
# update the oauth server's route to use lets encrypt certs
# set a short custom hostname to stay under lets encrypt's 63 characters limit
# this assumes your cluster has a short enough name
oc apply -f - <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
kubernetes.io/tls-acme: "true"
name: openshift-authentication
namespace: openshift-authentication
spec:
host: ${hostname}
port:
targetPort: 6443
tls:
insecureEdgeTerminationPolicy: Redirect
termination: reencrypt
to:
kind: Service
name: openshift-authentication
weight: 100
wildcardPolicy: None
EOF
# use the real authentication operator (unpause)
oc patch authentication.operator cluster --type=merge -p "{\"spec\":{\"managementState\": \"Managed\"}}"
# wait until new oauth metadata is served
# require multiple success to account for rolling master restart
until
oc get --raw '/.well-known/oauth-authorization-server' | grep "${hostname}" && sleep 3 &&
oc get --raw '/.well-known/oauth-authorization-server' | grep "${hostname}" && sleep 3 &&
oc get --raw '/.well-known/oauth-authorization-server' | grep "${hostname}" && sleep 3 &&
oc get --raw '/.well-known/oauth-authorization-server' | grep "${hostname}" && sleep 3 &&
oc get --raw '/.well-known/oauth-authorization-server' | grep "${hostname}" && sleep 3 &&
oc get --raw '/.well-known/oauth-authorization-server' | grep "${hostname}" && sleep 3 &&
oc get --raw '/.well-known/oauth-authorization-server' | grep "${hostname}" && sleep 3
do
echo "waiting for well-known"
sleep 60
done
# kick the console pods because they cache oauth metadata
oc delete pods -n openshift-console --all --force --grace-period=0
# kick the monitoring pods because they cache oauth metadata
oc delete pods -n openshift-monitoring --all --force --grace-period=0
### The steps below are the 'real' steps you will need in 4.0 ###
# create a secret with htpasswd file data for user 'test' with password 'test'
oc apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: htpass-secret
namespace: openshift-config
data:
htpasswd: dGVzdDokYXByMSRxa0Zvb203dCRSWFIuNHhTV0lhL3h6dkRRUUFFUG8w
EOF
# configure HTPasswd IDP
oc apply -f - <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: htpassidp
challenge: true
login: true
mappingMethod: claim
type: HTPasswd
htpasswd:
fileData:
name: htpass-secret
EOF
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment