@waynedovey
Created September 23, 2019 04:01
OpenShift 4 Cheat Sheet
# Display currently installed operators and cluster version
oc adm release info
# List the current Operators Status
oc get clusteroperators
# Upgrade from command line
oc adm upgrade
# Remotely connect to a cluster node (starts a debug pod using the rhel-tools image).
oc debug node/ip-10-216-29-190.ap-southeast-2.compute.internal --image=rhel-tools
# Access the etcd shell (the second line of the crictl output holds the container ID)
id=$(sudo crictl ps --name etcd-member | awk 'FNR==2{ print $1}') && sudo crictl exec -it "$id" /bin/sh
# Export the etcd env vars (globs are quoted so find expands them, not the shell)
export ETCDCTL_API=3 ETCDCTL_CACERT=/etc/ssl/etcd/ca.crt \
ETCDCTL_CERT=$(find /etc/ssl/ -name '*peer*crt') ETCDCTL_KEY=$(find /etc/ssl/ -name '*peer*key')
# List cluster Members
etcdctl member list -w table
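
A pre-upgrade check built on the `oc get clusteroperators` and `oc adm upgrade` commands above, added here as an example (it is not part of the gist or its comments). It assumes the table carries AVAILABLE, PROGRESSING and DEGRADED columns as in the constructed sample; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `oc get clusteroperators` table output (not from a real
# cluster). printf keeps the columns aligned; monitoring has an empty VERSION.
sample_clusteroperators() {
  fmt='%-17s%-10s%-12s%-14s%-11s%s\n'
  printf "$fmt" NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE
  printf "$fmt" authentication 4.1.16 True False False 3d
  printf "$fmt" dns 4.1.16 True False False 3d
  printf "$fmt" ingress 4.1.16 True True False 5m
  printf "$fmt" monitoring '' False False True 12m
}

# Print "name: reasons" for every operator that is not Available=True,
# Progressing=False and Degraded=False. Cells are read at the header's column
# offsets, so an empty cell cannot shift the fields the way $3/$4/$5 would.
unhealthy_operators() {
  awk '
    function cell(line, off,   v) { v = substr(line, off); sub(/ .*/, "", v); return v }
    NR == 1 {
      a = index($0, "AVAILABLE"); p = index($0, "PROGRESSING"); d = index($0, "DEGRADED")
      if (!a || !p || !d) { print "unexpected header: " $0 > "/dev/stderr"; exit 2 }
      next
    }
    NF == 0 { next }
    {
      reason = ""
      if (cell($0, a) != "True")  reason = reason " not-available"
      if (cell($0, p) != "False") reason = reason " progressing"
      if (cell($0, d) != "False") reason = reason " degraded"
      if (reason != "") print $1 ":" reason
    }
    END { if (NR == 0) { print "no input" > "/dev/stderr"; exit 2 } }'
}

# Gate for scripts: 0 = all operators settled, 1 = at least one is not,
# 2 = the input was empty or did not look like the expected table.
upgrade_gate() {
  bad=$(unhealthy_operators) || return 2
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" >&2
  return 1
}

# Demo on the constructed sample; against a cluster the input would be
#   oc get clusteroperators | upgrade_gate && oc adm upgrade
sample_clusteroperators | unhealthy_operators
```
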
@luckylittle

Bulletpoint n. 8 - Image signing

Deploy the services needed for signing (and scanning)

git clone git@github.com:redhat-cop/image-scanning-signing-service.git
cd image-scanning-signing-service
# The older version has a bug: 'delegate_to' is not a valid attribute for a 'TaskInclude'
sed -i 's/v2.0.8/v2.1.1/g' requirements.yml
ansible-galaxy install -r requirements.yml -p galaxy
oc login -u <username> https://<openshift-server>
ansible-playbook -i inventory/ galaxy/openshift-applier/playbooks/openshift-cluster-seed.yml -e filter_tags=core
# Confirm the image-sign-scan pod is running
oc get pods -n image-management

Make use of an ImageSigningRequest CRD, which allows users to declare their intent to have an image signed

oc new-project dotnet-example
oc new-app --template=dotnet-example
oc get builds
# To declare your intent to sign the previously built image, a new ImageSigningRequest can be created within the project:
cat <<EOF > ImageSingingRequest.yml
apiVersion: cop.redhat.com/v1alpha2
kind: ImageSigningRequest
metadata:
  # From the previous step
  name: dotnet-app
spec:
  imageStreamTag: dotnet-example:latest
EOF
# To create a new ImageSigningRequest with the name dotnet-example and the ImageStreamTag dotnet-example:latest
oc process -f examples/image-signing-request-template.yml -p IMAGE_SIGNING_REQUEST_NAME=dotnet-example IMAGE_STREAM_TAG=dotnet-example:latest | oc apply -f-

Note: Unfortunately I am hitting the bug in v4, where RHEL subscriptions are not available in Dockerfile builds (This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions). Users used to be able to use the RHEL subscriptions from the nodes in 3.11 when running rpm and yum install commands inside Dockerfiles that built on the platform. In OCP 4, builds use Buildah and therefore the entitlements are not available by default during the Dockerfile builds.
