@waynedovey
Created September 23, 2019 04:01
OpenShift 4 Cheat Sheet
# Display the cluster version and the operator images shipped in the current release payload
oc adm release info
# List the status of the cluster operators
oc get clusteroperators
# Upgrade from the command line
oc adm upgrade
# Remotely connect to a node (substitute your own node name)
oc debug node/ip-10-216-29-190.ap-southeast-2.compute.internal --image=rhel-tools
# Inside the debug pod the node's root filesystem is mounted at /host; switch to it before using the host's crictl
chroot /host
# Access the etcd shell
id=$(sudo crictl ps --name etcd-member | awk 'FNR==2{ print $1}') && sudo crictl exec -it $id /bin/sh
# Export the etcdctl env vars (the globs are quoted so the shell does not expand them against the current directory)
export ETCDCTL_API=3 ETCDCTL_CACERT=/etc/ssl/etcd/ca.crt \
ETCDCTL_CERT=$(find /etc/ssl/ -name '*peer*crt') ETCDCTL_KEY=$(find /etc/ssl/ -name '*peer*key')
# List cluster members
etcdctl member list -w table
luckylittle commented Sep 23, 2019

Bulletpoint n. 3 - Certificate Management (Rotation and Renewals)

One option is to install the Cert Utils Operator, which provides the ability to show information about certificates, which can be acted upon, and to alert when a certificate is about to expire:

  1. Prepare two YAML files:
# FILE1.yml - the CatalogSourceConfig that makes the package available in openshift-operators
apiVersion: operators.coreos.com/v1
kind: CatalogSourceConfig
metadata:
  name: cert-utils-operator
  namespace: openshift-marketplace
spec:
  targetNamespace: openshift-operators
  packages: cert-utils-operator
# FILE2.yml - the Subscription that installs the operator from that source
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cert-utils-operator
  # Note that the namespace you pick must have an OperatorGroup that matches the installMode (either AllNamespaces or SingleNamespace modes)
  namespace: openshift-operators
spec:
  channel: alpha
  name: cert-utils-operator
  source: cert-utils-operator
  sourceNamespace: openshift-operators
  2. Run oc apply:

oc apply -f <FILE1.yml> -f <FILE2.yml>

The second option is to use the ACME shell script (acme.sh), which uses "Let's Encrypt":

  1. Clone the ACME shell script into your home directory (the later steps run it from there):
cd ${HOME}
git clone https://github.com/neilpang/acme.sh
  2. If running from the bastion, create an InstanceProfile for EC2 so that it is able to modify Route53; otherwise add AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY here:

vi ${HOME}/acme.sh/dnsapi/dns_aws.sh

  3. Run the ACME shell script:
# LE_API=api.<BLUE/GREEN>.sbox.np.dmp.aws.hosting.transport.nsw.gov.au
export LE_API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
# LE_WILDCARD=apps.<BLUE/GREEN>.sbox.np.dmp.aws.hosting.transport.nsw.gov.au
export LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')
# The wildcard name is quoted so the shell does not glob-expand the leading '*'
${HOME}/acme.sh/acme.sh --issue -d "${LE_API}" -d "*.${LE_WILDCARD}" --dns dns_aws
# Move certs into the one directory:
export CERTDIR=$HOME/certificates
mkdir -p ${CERTDIR}
${HOME}/acme.sh/acme.sh --install-cert -d "${LE_API}" -d "*.${LE_WILDCARD}" --cert-file ${CERTDIR}/cert.pem --key-file ${CERTDIR}/key.pem --fullchain-file ${CERTDIR}/fullchain.pem --ca-file ${CERTDIR}/ca.cer

Note: Unfortunately I am hitting the DNS label size limit (63 octets) and/or the 10-label limit: "Error creating new order :: DNS name has too many labels". More information: https://tools.ietf.org/html/rfc1035#page-10

  4. After you update the IngressController object, the OpenShift ingress operator notices that the custom resource has changed and re-deploys the router with the new certificate from the secret:
oc create secret tls router-certs --cert=${CERTDIR}/fullchain.pem --key=${CERTDIR}/key.pem -n openshift-ingress
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "router-certs" }}}'
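
The error quoted in the note above comes from Let's Encrypt's policy checks rather than from the cluster, so it is worth validating the names before acme.sh is called. The pre-flight check below is an added example (not part of the gist, of the comment above, or of acme.sh; the function names check_le_name and count_labels are mine). It rejects a name that has more than 10 labels (the Boulder limit behind "DNS name has too many labels"), a label longer than 63 octets (RFC 1035), a name longer than 253 characters, or a wildcard anywhere other than the leftmost label. The sample names at the bottom are constructed by substituting blue for the <BLUE/GREEN> placeholder used above.

```shell
#!/bin/sh
# Added example: pre-flight validation of names handed to acme.sh --issue.
# Not part of the gist or of acme.sh. Limits: Let's Encrypt (Boulder) allows
# at most 10 labels per name; RFC 1035 caps a label at 63 octets; a full name
# in text form is at most 253 characters.

LE_MAX_LABELS=10
LE_MAX_LABEL_LEN=63
LE_MAX_NAME_LEN=253

# count_labels NAME -> prints the number of dot-separated labels
count_labels() {
    printf '%s\n' "$1" | awk -F. '{ print NF }'
}

# check_le_name NAME -> returns 0 if acceptable, 1 with the reason on stderr
check_le_name() {
    name=$1
    case $name in
        "")    echo "empty name" >&2; return 1 ;;
        .*|*.) echo "$name: leading or trailing dot" >&2; return 1 ;;
        *..*)  echo "$name: empty label" >&2; return 1 ;;
    esac
    if [ ${#name} -gt $LE_MAX_NAME_LEN ]; then
        echo "$name: longer than $LE_MAX_NAME_LEN characters" >&2; return 1
    fi
    labels=$(count_labels "$name")
    if [ "$labels" -gt $LE_MAX_LABELS ]; then
        echo "$name: $labels labels, Let's Encrypt allows at most $LE_MAX_LABELS" >&2; return 1
    fi
    # Walk the labels left to right: only the first may be '*'; every other
    # label is 1-63 octets of letters, digits and hyphens, with no hyphen at
    # either end.
    first=1
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        if [ "$label" = "*" ]; then
            if [ $first -ne 1 ]; then
                echo "$name: a wildcard is only allowed as the leftmost label" >&2; return 1
            fi
        else
            if [ ${#label} -gt $LE_MAX_LABEL_LEN ]; then
                echo "$name: label '$label' longer than $LE_MAX_LABEL_LEN octets" >&2; return 1
            fi
            case $label in
                -*|*-) echo "$name: label '$label' starts or ends with a hyphen" >&2; return 1 ;;
                *[!A-Za-z0-9-]*) echo "$name: label '$label' contains invalid characters" >&2; return 1 ;;
            esac
        fi
        first=0
    done
    return 0
}

# Constructed sample: the gist's name pattern with <BLUE/GREEN> set to "blue",
# plus a short name that passes. Run this before spending a rate-limit slot.
for n in "api.blue.sbox.np.dmp.aws.hosting.transport.nsw.gov.au" \
         "*.apps.blue.sbox.np.dmp.aws.hosting.transport.nsw.gov.au" \
         "api.ocp.example.com"; do
    if check_le_name "$n"; then echo "OK   $n"; else echo "SKIP $n"; fi
done
```

Both names from the gist's pattern have 11 and 12 labels respectively, so the check fails them exactly as Let's Encrypt does; the fix has to happen in DNS (a shorter base domain for the cluster), not in acme.sh.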

luckylittle commented Sep 24, 2019

Bulletpoint n. 4 - Information on How to sync multiple AD

LDAP authentication

  1. Create the LDAP secret(s):

oc create secret generic ldap-secret1 --from-literal=bindPassword=<PASSWORD> -n openshift-config
oc create secret generic ldap-secret2 --from-literal=bindPassword=<PASSWORD> -n openshift-config

  2. Create the ConfigMap(s) with the certificate authority bundle (if it differs for each AD):

oc create configmap ca-config-map1 --from-file=ca.crt=</PATH/TO/CA> -n openshift-config
oc create configmap ca-config-map2 --from-file=ca.crt=</PATH/TO/CA> -n openshift-config

  3. Create the LDAP custom resource - example:
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  # This provider name is prefixed to the returned user ID to form an identity name:
  - name: ldapidp1
    # Controls how mappings are established between this provider's identities and user objects:
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      # Bind DN of a read-only service account used for the directory search:
      bindDN: "[email protected]"
      bindPassword:
        # From step 1. above:
        name: ldap-secret1
      ca:
        # From step 2. above:
        name: ca-config-map1
      # insecure: false means TLS is required: an ldaps:// URL uses TLS directly, an ldap:// URL is upgraded with StartTLS
      insecure: false
      # An RFC 2255 URL which specifies the LDAP host and search parameters to use:
      url: "ldap://ad.p.dmp.aws.hosting.transport.nsw.gov.au:389/OU=Users,OU=ad,DC=ad,DC=p,DC=dmp,DC=aws,DC=hosting,DC=transport,DC=nsw,DC=gov,DC=au?sAMAccountName"
  4. Add the identity provider(s) to your cluster using the YAML from the previous step:

oc apply -f <FILE.yml>
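
The steps above create two secrets and two CA ConfigMaps but show only one provider in the OAuth object. The shell function below is an added example, not part of the gist or of the comment above: it renders the single OAuth/cluster object with both LDAP providers, each bound to its own secret and CA ConfigMap. The hostnames, base DNs and bind DNs are constructed placeholders, and it uses sAMAccountName rather than uid as preferredUsername, which is what the search filter in the URL above already keys on. Both providers belong in one object because spec.identityProviders is a single list on the cluster OAuth resource; applying a manifest that carries only ldapidp2 would replace ldapidp1 instead of adding to it.

```shell
#!/bin/sh
# Added example: render the OAuth/cluster object with two LDAP identity
# providers (one per AD forest). Not part of the gist; names and DNs are
# constructed placeholders.

# oauth_manifest SECRET1 CA1 SECRET2 CA2 -> prints the OAuth CR on stdout.
# The four arguments are the secret and ConfigMap names created in steps 1
# and 2 of the procedure above.
oauth_manifest() {
    secret1=$1; ca1=$2; secret2=$3; ca2=$4
    cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp1
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id: [dn]
        email: [mail]
        name: [cn]
        preferredUsername: [sAMAccountName]
      # Constructed placeholder: a read-only service account in forest 1
      bindDN: "CN=svc-ocp-bind,OU=Service Accounts,DC=corp1,DC=example,DC=com"
      bindPassword:
        name: $secret1
      ca:
        name: $ca1
      insecure: false
      url: "ldaps://ad1.corp1.example.com:636/OU=Users,DC=corp1,DC=example,DC=com?sAMAccountName"
  - name: ldapidp2
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id: [dn]
        email: [mail]
        name: [cn]
        preferredUsername: [sAMAccountName]
      # Constructed placeholder: a read-only service account in forest 2
      bindDN: "CN=svc-ocp-bind,OU=Service Accounts,DC=corp2,DC=example,DC=com"
      bindPassword:
        name: $secret2
      ca:
        name: $ca2
      insecure: false
      url: "ldaps://ad2.corp2.example.com:636/OU=Users,DC=corp2,DC=example,DC=com?sAMAccountName"
EOF
}

# provider_count -> number of identity providers in a manifest read from stdin
provider_count() {
    grep -c '^  - name: '
}

# Usage (the pipe to oc is commented out so the script also runs offline):
# oauth_manifest ldap-secret1 ca-config-map1 ldap-secret2 ca-config-map2 | oc apply -f -
oauth_manifest ldap-secret1 ca-config-map1 ldap-secret2 ca-config-map2
```

After applying, confirm both providers were kept with oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}', and wait for the oauth-openshift pods in openshift-authentication to roll out before testing a login. One caveat with mappingMethod: claim across two forests: if the same sAMAccountName exists in both, the second provider's login fails because that user name is already mapped to the first identity, so decide up front whether that is the behaviour you want or whether the add or lookup mapping method fits better.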

@luckylittle
Bulletpoint n. 8 - Image signing

Deploy the services needed for signing (and scanning):

git clone git@github.com:redhat-cop/image-scanning-signing-service.git
cd image-scanning-signing-service
# The older pinned version fails with "'delegate_to' is not a valid attribute for a 'TaskInclude'"; pin the newer one
sed -i 's/v2.0.8/v2.1.1/g' requirements.yml
ansible-galaxy install -r requirements.yml -p galaxy
oc login -u <username> https://<openshift-server>
ansible-playbook -i inventory/ galaxy/openshift-applier/playbooks/openshift-cluster-seed.yml -e filter_tags=core
# Confirm the image-sign-scan pod is running
oc get pods -n image-management

Make use of the ImageSigningRequest CRD, which allows users to declare their intent to have an image signed:

oc new-project dotnet-example
oc new-app --template=dotnet-example
oc get builds
# To declare your intent to sign the previously built image, a new ImageSigningRequest can be created within the project:
cat <<EOF > ImageSigningRequest.yml
apiVersion: cop.redhat.com/v1alpha2
kind: ImageSigningRequest
metadata:
  # Name of the request; the ImageStreamTag below is the one built in the previous step
  name: dotnet-example
spec:
  imageStreamTag: dotnet-example:latest
EOF
oc apply -f ImageSigningRequest.yml
# Alternatively, create the same ImageSigningRequest (name dotnet-example, ImageStreamTag dotnet-example:latest) from the repository's template:
oc process -f examples/image-signing-request-template.yml -p IMAGE_SIGNING_REQUEST_NAME=dotnet-example IMAGE_STREAM_TAG=dotnet-example:latest | oc apply -f-

Note: Unfortunately I am hitting the bug in v4 where RHEL subscriptions are not available in Dockerfile builds ("This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions"). Users used to be able to use the RHEL subscriptions from the nodes in 3.11 when running rpm and yum install commands inside Dockerfiles that were built on the platform. In OCP 4, builds use Buildah and therefore the entitlements are not available by default during Dockerfile builds.
