Simple OAuth (htpasswd identity provider) bootstrap for my user on a freshly provisioned OSD cluster.
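#!/bin/bash
#
# Bootstrap SRE access on a freshly provisioned OSD cluster whose kubeconfig
# is stored as a secret on the opshive hub cluster:
#   1. verify the current KUBECONFIG points at opshive,
#   2. pull the "<cluster>...kubeconfig" secret from uhc-production into
#      ~/.kube/<cluster> (following the hive pod log until it appears),
#   3. against that cluster: create an htpasswd identity provider for $USER,
#      the osd-sre-admins group, branded OAuth templates, and apply the
#      managed-cluster-config manifests.
#
# Usage:  $0 <Cluster Name> <$USER password>
# Env:    USER  - login name written to the htpasswd file and the group
#         HOME  - kubeconfig is written under $HOME/.kube
#
# Exit codes: 1 usage / missing USER, 2 kubeconfig could not be obtained or
#             written, 3 current context is not opshive.
#
# NOTE(review) - security caveats for anyone reusing this:
#   * The password arrives on argv, so it is visible in `ps`, shell history and
#     process accounting, and it is passed on argv again to htpasswd (-b).
#     For anything beyond a personal workflow, read it from a prompt instead.
#   * The kubeconfig holds cluster-admin credentials; it is created 0600.
#   * The htpasswd file (a password hash) is written to a mktemp dir that is
#     removed on exit.
#   * Templates and manifests are cloned from branch heads (online:prod and
#     the default branch of managed-cluster-config), not a pinned commit, and
#     applied with cluster-admin. Pin a SHA if you need reproducibility.

set -u

CLUSTER_NAME=${1:-}
PASSWORD=${2:-}
WORKDIR=""

# Remove the temp dir (htpasswd hash, cloned repos) on every exit path.
cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}
trap cleanup EXIT

# die CODE MESSAGE...: print MESSAGE to stderr and exit with CODE.
die() {
  local code=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$code"
}

# Validate arguments and the environment the script depends on.
check_args() {
  if [[ -z "$CLUSTER_NAME" || -z "$PASSWORD" ]]; then
    echo "Usage: $0 <Cluster Name> <\$USER password>" >&2
    exit 1
  fi
  # The cluster name is used as a grep pattern and as a file name under
  # ~/.kube; reject anything that could escape that directory or act as
  # a pattern (e.g. "../foo", names with spaces).
  if [[ ! "$CLUSTER_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    die 1 "Cluster name must match ^[A-Za-z0-9][A-Za-z0-9._-]*$: '$CLUSTER_NAME'"
  fi
  if [[ -z "${USER:-}" ]]; then
    die 1 "USER is not set; it is used as the htpasswd login name"
  fi
}

# Make sure the current KUBECONFIG context is the opshive hub.
# `oc project default` also switches the current project to "default";
# its success message contains the server URL, which is what we match.
require_opshive() {
  if ! oc project default | grep -q opshive; then
    echo "Update KUBECONFIG to opshive and make sure you are logged in" >&2
    exit 3
  fi
}

# Print the name of the kubeconfig secret for $CLUSTER_NAME (empty if none).
# -F: the cluster name is a literal, not a regex. This is still a substring
# match, so "foo" would also match "foo-2" -- same as the original.
find_kubeconfig_secret() {
  oc get secrets | grep -F -- "$CLUSTER_NAME" | grep kubeconfig | awk '{print $1}'
}

# Print the name of the first hive pod for $CLUSTER_NAME (empty if none).
find_hive_pod() {
  oc get pods | grep -F -- "$CLUSTER_NAME" | awk '{print $1}' | head -n 1
}

# Fetch the cluster kubeconfig from the hub into $HOME/.kube/$CLUSTER_NAME
# (mode 0600) and export KUBECONFIG so the rest of the script targets
# the new cluster rather than the hub.
fetch_kubeconfig() {
  local secret b64 out
  # Assume we need to be in uhc-production; ignore output either way.
  oc project uhc-production > /dev/null 2>&1

  secret=$(find_kubeconfig_secret)
  echo "DEBUG: KUBECONFIG_SECRET=$secret"
  if [[ -z "$secret" ]]; then
    # Not provisioned yet: follow the hive log until install finishes,
    # then look again. (The original dropped the awk on the retry and
    # captured the whole `oc get secrets` line, breaking the next step.)
    local pod
    pod=$(find_hive_pod)
    if [[ -n "$pod" ]]; then
      oc logs -c hive "$pod" -f
    fi
    secret=$(find_kubeconfig_secret)
  fi
  if [[ -z "$secret" ]]; then
    echo "FAILURE: unable to write ~/.kube/$CLUSTER_NAME" >&2
    exit 2
  fi

  # `// empty` turns a missing key into "" instead of the literal "null",
  # which base64 would otherwise happily decode into junk bytes.
  b64=$(oc get secret "$secret" -o json | jq -r '.data.kubeconfig // empty')

  out="$HOME/.kube/$CLUSTER_NAME"
  mkdir -p "$HOME/.kube"
  # Cluster-admin credentials: create the file 0600 before any bytes land,
  # and fix up the mode if it already existed with a looser one.
  ( umask 077; printf '%s' "$b64" | base64 -d > "$out" )
  chmod 600 "$out" 2>/dev/null

  if [[ -s "$out" ]]; then
    echo "SUCCESS: wrote kubeconfig to ~/.kube/$CLUSTER_NAME"
  else
    echo "FAILURE: unable to write ~/.kube/$CLUSTER_NAME" >&2
    exit 2
  fi
  # Must be exported: a plain assignment only reaches `oc` if KUBECONFIG
  # was already exported by the caller, otherwise everything below would
  # silently be applied to the hub.
  export KUBECONFIG="$out"
}

# Create/replace the htpasswd secret and the osd-sre-admins group.
configure_identity() {
  # -b passes the password on argv (see header). -B selects bcrypt, as in
  # the OpenShift htpasswd IdP docs, instead of htpasswd's default hash.
  htpasswd -c -B -b htpasswd "$USER" "$PASSWORD"
  oc delete secret htpass-secret -n openshift-config --ignore-not-found
  oc create secret generic htpass-secret --from-file=htpasswd=htpasswd -n openshift-config

  cat > group.yaml <<EOF
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: osd-sre-admins
users:
- $USER
EOF
  oc apply -f group.yaml
}

# Install branded OAuth templates and the cluster OAuth config pointing at
# the htpasswd secret.
configure_oauth() {
  # NOTE(review): this clones the *head* of the prod branch, unpinned.
  git clone git@github.com:openshift/online.git --depth=1 -b prod
  local tpl=online/ansible/roles/oso_custom_templates/files/dedicated
  oc delete secret -n openshift-config oauth-templates --ignore-not-found
  oc create secret generic oauth-templates -n openshift-config \
    --from-file=login.html="$tpl/login.html" \
    --from-file=providers.html="$tpl/provider-selection.html" \
    --from-file=errors.html="$tpl/oauth-error.html"

  cat > oauth.yaml <<'EOF'
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: SRE Authentication Provider
    challenge: true
    login: true
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
  templates:
    login:
      name: oauth-templates
    providerSelection:
      name: oauth-templates
    error:
      name: oauth-templates
EOF
  oc apply -f oauth.yaml
}

# Apply the rest of the OSD managed-cluster configuration.
configure_managed_cluster() {
  # NOTE(review): unpinned default-branch head, applied recursively with
  # cluster-admin.
  git clone git@github.com:openshift/managed-cluster-config.git --depth=1
  oc apply -R -f managed-cluster-config/deploy/
}

# Print the exports / URLs the operator needs next.
print_summary() {
  echo ""
  echo "export KUBECONFIG=~/.kube/$CLUSTER_NAME"
  oc get console cluster -o json | jq -r .status.consoleURL
  echo "$(oc get --raw '/.well-known/oauth-authorization-server' | jq -r .token_endpoint)/request"
}

main() {
  check_args
  require_opshive
  fetch_kubeconfig

  echo "Applying OAuth and osd-sre-admin confg"
  echo ""
  WORKDIR=$(mktemp -d) || die 2 "mktemp failed"
  cd "$WORKDIR" || die 2 "cannot cd to $WORKDIR"
  echo "PWD: $WORKDIR"

  configure_identity
  configure_oauth
  configure_managed_cluster

  cd - > /dev/null || true
  print_summary
}

main "$@"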