@waynedovey
Created September 23, 2019 04:01
OpenShift 4 Cheat Sheet
# Display currently installed operators and cluster version
oc adm release info
# List the current Operators Status
oc get clusteroperators
# Upgrade from command line
oc adm upgrade
# Remotely connect to a cluster node (opens a debug pod with the host filesystem mounted)
oc debug node/ip-10-216-29-190.ap-southeast-2.compute.internal --image=rhel-tools
# Access the ETCD shell (run on the node; picks the first etcd-member container id)
id=$(sudo crictl ps --name etcd-member | awk 'FNR==2{ print $1}') && sudo crictl exec -it $id /bin/sh
# Export the ETCD env vars (peer certificate and key authenticate etcdctl to the member;
# the globs are quoted so find, not the shell, expands them)
export ETCDCTL_API=3 ETCDCTL_CACERT=/etc/ssl/etcd/ca.crt \
ETCDCTL_CERT=$(find /etc/ssl/ -name '*peer*crt') ETCDCTL_KEY=$(find /etc/ssl/ -name '*peer*key')
# List cluster Members
etcdctl member list -w table
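
The operator status listing and the upgrade command above are normally used together: an upgrade should not be started while a cluster operator is degraded or unavailable. The following script is an added example, not part of the gist; it parses the table that `oc get clusteroperators` prints (the sample output below is constructed, not taken from a real cluster) and refuses to proceed when any operator is not Available, is still Progressing, or is Degraded. The function names `unhealthy_operators` and `upgrade_gate` are the example's own.

```shell
#!/bin/sh
# Added example (not from the gist): gate an upgrade on cluster operator health.
# Parses the table that `oc get clusteroperators` prints and lists every operator
# that is not Available, is still Progressing, or is Degraded.
# The sample below is constructed output so the check runs without a cluster.
SAMPLE_CO_OUTPUT='NAME                                 VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication                       4.1.18    True        False         False      3h
cloud-credential                     4.1.18    True        False         False      5h
kube-apiserver                       4.1.18    True        True          False      12m
monitoring                           4.1.18    False       True          True       2m'

# unhealthy_operators: read the clusteroperator table on stdin and print
# "NAME reason..." for each operator that is not healthy (header skipped).
unhealthy_operators() {
  awk 'NR > 1 && NF >= 5 {
         reason = ""
         if ($3 != "True") reason = reason " not-available"
         if ($4 == "True") reason = reason " progressing"
         if ($5 == "True") reason = reason " degraded"
         if (reason != "") print $1 reason
       }'
}

# upgrade_gate: return 0 when every operator is healthy, 1 otherwise (prints offenders).
upgrade_gate() {
  bad=$(unhealthy_operators)
  if [ -n "$bad" ]; then
    printf 'refusing to upgrade, unhealthy cluster operators:\n%s\n' "$bad"
    return 1
  fi
  echo "all cluster operators healthy"
  return 0
}

# Against a live cluster the real command is piped in instead of the sample:
#   oc get clusteroperators | upgrade_gate && oc adm upgrade --to-latest
printf '%s\n' "$SAMPLE_CO_OUTPUT" | upgrade_gate || echo "gate returned $?"
```

The gate deliberately treats a Progressing operator as blocking: an operator that is mid-rollout (the constructed `kube-apiserver` row) can still become Degraded, and an upgrade started on top of it makes the failure harder to attribute.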
@luckylittle

luckylittle commented Sep 24, 2019

Bulletpoint n. 4 - Information on How to sync multiple AD

LDAP authentication

  1. Creating the LDAP Secret(s):

oc create secret generic ldap-secret1 --from-literal=bindPassword=<PASSWORD> -n openshift-config
oc create secret generic ldap-secret2 --from-literal=bindPassword=<PASSWORD> -n openshift-config

  2. Creating a ConfigMap(s) with certificate authority bundle (if they are different for each AD):

oc create configmap ca-config-map1 --from-file=ca.crt=</PATH/TO/CA> -n openshift-config
oc create configmap ca-config-map2 --from-file=ca.crt=</PATH/TO/CA> -n openshift-config

  3. Create LDAP Custom Resource - example:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  # This provider name is prefixed to the returned user ID to form an identity name:
  - name: ldapidp1
    # Controls how mappings are established between this provider’s identities and user objects:
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "[email protected]"
      bindPassword:
        # From step 1. above:
        name: ldap-secret1
      ca:
        # From step 2. above:
        name: ca-config-map1
      # LDAP or LDAPS:
      insecure: false
      # An RFC 2255 URL which specifies the LDAP host and search parameters to use:
      url: "ldap://ad.p.dmp.aws.hosting.transport.nsw.gov.au:389/OU=Users,OU=ad,DC=ad,DC=p,DC=dmp,DC=aws,DC=hosting,DC=transport,DC=nsw,DC=gov,DC=au?sAMAccountName"

  4. Add an identity provider(s) to your cluster - YAML from the previous step:

oc apply -f <FILE.yml>
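
The OAuth resource in the comment above carries the settings that decide whether the LDAP bind is protected: `insecure: false` (with `ldaps://` that means TLS, with `ldap://` it means StartTLS) and a `bindPassword` that references the Secret from step 1 rather than an inline value. The script below is an added example, not part of the comment or of OpenShift; it lints a file of that shape with line-oriented awk and flags the two weak settings. The YAML it checks is a constructed sample with one hardened and one weak provider (`ldapidp1`, `ldapidp2`, the `example.test` hosts and the Secret name are all placeholders), and `lint_ldap_oauth` is the example's own function.

```shell
#!/bin/sh
# Added example (not from the comment above): lint an OAuth CR's LDAP identity providers.
# Flags insecure: true (no TLS, so the bindDN password and every user's password cross
# the network in clear) and a bindPassword written inline instead of as a reference to
# a Secret in openshift-config. Line-oriented awk; sufficient for CRs shaped like the one above.
WORK=${TMPDIR:-/tmp}/oauth-ldap-lint.$$
mkdir -p "$WORK"

# Constructed sample with one hardened and one weak provider (not a real cluster's config).
cat > "$WORK/oauth.yml" <<'EOF'
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp1
    mappingMethod: claim
    type: LDAP
    ldap:
      bindDN: "CN=svc-ocp,OU=Users,DC=example,DC=test"
      bindPassword:
        name: ldap-secret1
      ca:
        name: ca-config-map1
      insecure: false
      url: "ldaps://ldap1.example.test:636/OU=Users,DC=example,DC=test?sAMAccountName"
  - name: ldapidp2
    mappingMethod: claim
    type: LDAP
    ldap:
      bindDN: "CN=svc-ocp,OU=Users,DC=example,DC=test"
      bindPassword: "constructed-inline-password"
      insecure: true
      url: "ldap://ldap2.example.test:389/OU=Users,DC=example,DC=test?sAMAccountName"
EOF

# lint_ldap_oauth FILE: print one line per finding, then a final "FINDINGS: N" line.
lint_ldap_oauth() {
  awk '
    # each identity provider starts with "- name:"; remember it for the messages
    /^[[:space:]]*- name:/ { prov = $3 }
    /^[[:space:]]*insecure:[[:space:]]*true/ {
      print prov ": insecure: true sends the bind password and user credentials without TLS"; n++
    }
    # "bindPassword:" followed by a value on the same line is an inline secret
    /^[[:space:]]*bindPassword:[[:space:]]*[^[:space:]]/ {
      print prov ": bindPassword is inline instead of a Secret reference (ends up in the CR and etcd)"; n++
    }
    # informational: a plain ldap:// URL is only upgraded with StartTLS while insecure is false
    /^[[:space:]]*url:[[:space:]]*"?ldap:\/\// {
      print prov ": note: ldap:// URL relies on StartTLS, which only happens while insecure is false"
    }
    END { print "FINDINGS: " n+0 }
  ' "$1"
}

lint_ldap_oauth "$WORK/oauth.yml"
```

Run it against the exported live object (`oc get oauth cluster -o yaml > oauth.yml`, then `lint_ldap_oauth oauth.yml`) after step 4 to confirm that what the cluster actually holds matches what was applied.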

@luckylittle

Bulletpoint n. 8 - Image signing

Deploy the services needed for signing (and scanning)

git clone git@github.com:redhat-cop/image-scanning-signing-service.git
cd image-scanning-signing-service
# The older pinned version hits the "'delegate_to' is not a valid attribute for a 'TaskInclude'" bug, so bump it:
sed -i 's/v2.0.8/v2.1.1/g' requirements.yml
ansible-galaxy install -r requirements.yml -p galaxy
oc login -u <username> https://<openshift-server>
ansible-playbook -i inventory/ galaxy/openshift-applier/playbooks/openshift-cluster-seed.yml -e filter_tags=core
# Confirm the image-sign-scan pod is running
oc get pods -n image-management

Make use of an ImageSigningRequest CRD which allows users to declare their intent to have an image signed

oc new-project dotnet-example
oc new-app --template=dotnet-example
oc get builds
# To declare your intent to sign the previously built image, a new ImageSigningRequest can be created within the project:
cat <<EOF > ImageSigningRequest.yml
apiVersion: cop.redhat.com/v1alpha2
kind: ImageSigningRequest
metadata:
  # From the previous step
  name: dotnet-app
spec:
  imageStreamTag: dotnet-example:latest
EOF
oc apply -f ImageSigningRequest.yml
# Alternatively, process the template shipped in the cloned repository (run from its directory) to create an equivalent ImageSigningRequest named dotnet-example for the ImageStreamTag dotnet-example:latest:
oc process -f examples/image-signing-request-template.yml -p IMAGE_SIGNING_REQUEST_NAME=dotnet-example IMAGE_STREAM_TAG=dotnet-example:latest | oc apply -f-

Note: Unfortunately I am hitting the bug in v4, where RHEL subscriptions are not available in Dockerfile builds (This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions). Users used to be able to use the RHEL subscriptions from the nodes in 3.11 when running rpm and yum install commands inside Dockerfiles that built on the platform. In OCP 4 builds use Buildah and therefore the entitlements are not available by default during the Dockerfile builds.
