Nate Revo therevoman

Configuring Active Directory authentication with OpenShift 4

Understand AD LDAP structure and naming. Read the docs on the components

Refer to the OpenShift docs for the LDAP identity provider and LDAP group syncing.

Create the OAuth config

# create a secret for the bindDN user password

How can I list all resources and custom resources in OpenShift

List all CRDs with CR name and Scope

oc get crd -o=custom-columns=NAME:.metadata.name,CR_NAME:.spec.names.singular,SCOPE:.spec.scope

List every single custom resources in the cluster

oc get $(oc get crd -o=custom-columns=CR_NAME:.spec.names.singular --no-headers | awk '{printf "%s%s",sep,$0; sep=","}') --ignore-not-found --all-namespaces -o=custom-columns=KIND:.kind,NAME:.metadata.name,NAMESPACE:.metadata.namespace

List every single resource in the cluster (custom and non-custom)

oc get $(oc api-resources --verbs=list -o name | awk '{printf "%s%s",sep,$0;sep=","}') --ignore-not-found --all-namespaces -o=custom-columns=KIND:.kind,NAME:.metadata.name,NAMESPACE:.metadata.namespace --sort-by='metadata.namespace'

Change apiVersion from:
```
- apiVersion: v1
```
(or apiVersion: apps.openshift.io/v1)

to:

Introduction

The objective of these instructions is to create a complete Arm64 OS (Userland and Kernel) using Debian Debootstrap and RPI-Update for use on the Raspberry Pi 3 and 4.

Prerequisites:

An existing Debian/Raspbian system (any architecture will do)
An empty SD card formatted as per a standard Raspbian installation mounted to /mnt/sd on the build system
- 1st Partition 0-256MB = FAT32 (Mount to /mnt/sd/boot)
- 2nd Partition 256MB+ = EXT4 (Mount to /mnt/sd)

Set-up basic Debian system

On systems with UEFI Secure Boot enabled, recent Linux kernels will only load signed modules, so it's about time DKMS grew the capability to sign modules it's building.

These scripts are extended and scriptified variants of https://computerlinguist.org/make-dkms-sign-kernel-modules-for-secure-boot-on-ubuntu-1604.html and https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur/768310#768310 and add some error checking, a passphrase around your signing key, and support for compressed modules.

dkms-sign-module is a wrapper for the more generic sign-modules which can also be used outside of DKMS.

Installation

Create a directory under /root, say /root/module-signing, put the three scripts below in there and make them executable: chmod u+x one-time-setup sign-modules dkms-sign-module

	# virtctl is in your $PATH
	# You are logged into a cluster
	# Then the snippet below enables seamless ssh login.
	# Usage `ssh [<user>@]<vmname>.<namespace>.ocp`
	# "ocp" can be anything, for convenience replace with your cluster's base fqdn
	host *.ocp
	ProxyCommand virtctl port-forward --stdio=true %h %p

	podman login registry.redhat.io

	export domain=quay.ralvares.local
	export QUAY=/data/quay

	mkdir -p $QUAY/postgres-quay
	mkdir $QUAY/clair
	mkdir -p $QUAY/config/extra_ca_certs

	mkdir $QUAY/storage

	#!ipxe
	dhcp net0

	set release 4.7
	set zstream 0
	set arch x86_64

	set ignition-url https://metadata.platformequinix.com/userdata

	#set coreos-url https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/${release}/${release}.${zstream}

	$ modprobe bridge
	$ echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
	$ sysctl -p /etc/sysctl.conf

	sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

	# SOLUTION
	$ modprobe br_netfilter
	$ sysctl -p /etc/sysctl.conf

	ssh-keygen -C "openshift-source-builder/repo@github" -f repo-at-github -N ''
	oc secrets new-sshauth elvis-secret --ssh-privatekey=repo-at-github
	secrets add serviceaccount/builder secrets/elvis-secret
	oc set build-secret --source bc/serpro-ws elvis-secret
	oc new-build fis-java-openshift~ssh://[email protected]:2222/erocha/serpro-ws.git --build-secret elvis-secret
	oc new-app serpro-ws