CR for OpenShift with OpenShift Auth and NodeSelector



Here’s the shorter version of how I’ve done it in 4.8 and 4.10 using a CR, since I like OLM to manage the Operator for me. Though I haven’t dug deeper into why I’m getting some SCC errors, so I just skip the creation by setting route.enabled = False in the CR and create the edge route by hand. It would be nice if it’s fixed, though.

# assumed: the commands were run with kasten-io as the current project (oc project kasten-io),
# since only the configmap command passes -n; otherwise add -n kasten-io to each of them
$ oc create sa k10-dex-sa
# CHANGEME = the hostname of the K10 route; the /k10/dex/callback path is fixed
$ oc annotate sa k10-dex-sa serviceaccounts.openshift.io/oauth-redirecturi.dex=https://CHANGEME/k10/dex/callback
# export the ingress router CA and load it into the ConfigMap the CR references under cacertconfigmap
$ oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{ .data.tls\.crt }' | base64 --decode > custom-ca-bundle.pem
$ oc create configmap custom-ca-bundle-store --from-file=custom-ca-bundle.pem -n kasten-io
# the token printed here goes into spec.auth.openshift.clientSecret in CR.yaml
$ oc sa get-token k10-dex-sa
$ oc create -f CR.yaml
# created by hand because route.enabled is false in the CR
$ oc create route edge --service=gateway --path /k10/ --hostname=kasten-io.apps.49.integrate.zone --insecure-policy=Redirect

Save the results from the above; you’ll have to edit the CR below. If you don’t want to pin K10 to a node, just remove the nodeSelector section.

If you need to find your sc (storage class), just run
$ oc get sc


CR.yaml

kind: K10
apiVersion: apik10.kasten.io/v1alpha1
metadata:
  name: k10
  namespace: kasten-io
spec:
  scc:
    create: true
  auth:
    basicAuth:
      enabled: false
      htpasswd: ''
      secretName: ''
    tokenAuth:
      enabled: false
    openshift:
      enabled: true
      # the ServiceAccount carrying the oauth-redirecturi.dex annotation
      serviceAccount: k10-dex-sa
      # output of: oc sa get-token k10-dex-sa
      clientSecret: CHANGEME
      # must match the host used in the SA annotation (https://CHANGEME/k10/dex/callback)
      dashboardURL: https://CHANGEME/k10/
      openshiftURL: https://api.CHANGEME:6443
      # skips TLS verification of the OpenShift API server
      insecureCA: true
  global:
    persistence:
      catalog:
        size: 50Gi
      # from: oc get sc
      storageClass: CHANGEME
  metering:
    mode: ''
  route:
    # false: the edge route is created by hand (see the oc create route command above)
    enabled: false
    host: kasten-io.apps.49.integrate.zone
    tls:
      enabled: false
  cacertconfigmap:
    # the ConfigMap built from the router CA above
    name: custom-ca-bundle-store
  # optional: remove this section if you don't want to pin K10 to particular nodes
  nodeSelector:
    choose.your.selector.io: ""
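As an added example (mine, not the poster’s or Kasten’s), here is the same procedure as a script that derives the SA redirect annotation and the CR’s dashboardURL from one hostname, so the two cannot drift apart, and that includes a check you can run against an existing install. It assumes placeholder hostnames (example.invalid), that `oc` is already logged in, and that the K10 CRD and values are exactly as in the post; it only touches the cluster when run with K10_APPLY=1.

```shell
#!/bin/sh
# Added example, not the poster's script: renders the K10 CR from a handful of
# variables so the OAuth redirect on the ServiceAccount and the dashboardURL in
# the CR stay consistent, and only talks to the cluster when K10_APPLY=1.
# Hostnames and the API URL below are placeholders, not a real cluster.
set -eu

K10_NS="${K10_NS:-kasten-io}"
K10_SA="${K10_SA:-k10-dex-sa}"
K10_HOST="${K10_HOST:-kasten-io.apps.example.invalid}"     # placeholder
OCP_API="${OCP_API:-https://api.example.invalid:6443}"      # placeholder
STORAGE_CLASS="${STORAGE_CLASS:-CHANGEME}"                  # from: oc get sc
NODE_SELECTOR_KEY="${NODE_SELECTOR_KEY:-}"                  # empty = do not pin K10
# true as in the original post; it disables TLS verification toward the OpenShift API,
# so switch it to false once the API server's CA is in the custom-ca-bundle ConfigMap.
INSECURE_CA="${INSECURE_CA:-true}"

# Dex's OpenShift connector redirects to <dashboardURL>dex/callback, and the OpenShift
# OAuth server only accepts that redirect if the SA annotation carries the same URI,
# so both are derived from the single K10_HOST value.
dashboard_url()       { printf 'https://%s/k10/\n' "$K10_HOST"; }
redirect_uri()        { printf '%sdex/callback\n' "$(dashboard_url)"; }
redirect_annotation() { printf 'serviceaccounts.openshift.io/oauth-redirecturi.dex=%s\n' "$(redirect_uri)"; }

# For an existing install: compare the annotation value read back with
#   oc get sa "$K10_SA" -n "$K10_NS" -o jsonpath='{.metadata.annotations.serviceaccounts\.openshift\.io/oauth-redirecturi\.dex}'
# against the dashboardURL in the CR; a mismatch makes the OAuth server reject the login redirect.
check_redirect() {  # $1 = annotation value, $2 = dashboardURL; exit status 0 = consistent
  [ "$1" = "${2}dex/callback" ]
}

render_cr() {  # $1 = client secret (the k10-dex-sa token); prints the CR on stdout
  cat <<EOF
kind: K10
apiVersion: apik10.kasten.io/v1alpha1
metadata:
  name: k10
  namespace: $K10_NS
spec:
  scc:
    create: true
  auth:
    basicAuth:
      enabled: false
    tokenAuth:
      enabled: false
    openshift:
      enabled: true
      serviceAccount: $K10_SA
      clientSecret: $1
      dashboardURL: $(dashboard_url)
      openshiftURL: $OCP_API
      insecureCA: $INSECURE_CA
  global:
    persistence:
      catalog:
        size: 50Gi
      storageClass: $STORAGE_CLASS
  route:
    enabled: false
    host: $K10_HOST
    tls:
      enabled: false
  cacertconfigmap:
    name: custom-ca-bundle-store
EOF
  # nodeSelector is only emitted when a key is given, mirroring "remove the section" in the post
  if [ -n "$NODE_SELECTOR_KEY" ]; then
    printf '  nodeSelector:\n    %s: ""\n' "$NODE_SELECTOR_KEY"
  fi
}

apply() {  # the poster's command sequence, parameterised
  oc create sa "$K10_SA" -n "$K10_NS"
  oc annotate sa "$K10_SA" -n "$K10_NS" "$(redirect_annotation)"
  oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{ .data.tls\.crt }' | base64 --decode > custom-ca-bundle.pem
  oc create configmap custom-ca-bundle-store --from-file=custom-ca-bundle.pem -n "$K10_NS"
  token="$(oc sa get-token "$K10_SA" -n "$K10_NS")"   # newer oc: oc create token "$K10_SA" -n "$K10_NS"
  render_cr "$token" | oc create -f -
  oc create route edge --service=gateway --path /k10/ --hostname="$K10_HOST" --insecure-policy=Redirect -n "$K10_NS"
}

if [ "${K10_APPLY:-0}" = "1" ]; then
  apply
fi
```

Without K10_APPLY=1 the script only defines the functions, so `render_cr "$(oc sa get-token k10-dex-sa)" > CR.yaml` gives you a reviewable manifest before anything is created, and `check_redirect` can be fed the annotation read back from the cluster to confirm the redirect URI and dashboardURL still agree after a hostname change.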

3 comments


Here’s how I fixed the CR so it would create a secure edge route for me, rather than doing it by hand. The ServiceAccount k10-kasten-operator-term-rhmp-controller-manager for the Kasten Operator does not have permissions on the route resources, so I just added them:

$ oc create -f fix-clusterrole.yaml
$ oc adm policy add-role-to-user k10-kasten-operator-term-rhmp-controller-manager-route -z k10-kasten-operator-term-rhmp-controller-manager -n kasten-io

Then at this point you can change tls.enabled to true and route.enabled to true.


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: k10-kasten-operator-term-rhmp-controller-manager-route
rules:
- apiGroups:
  - ""
  - route.openshift.io
  resources:
  - routes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  - route.openshift.io
  resources:
  - routes/custom-host
  verbs:
  - create
- apiGroups:
  - ""
  - route.openshift.io
  resources:
  - routes/status
  verbs:
  - get
  - list
  - watch


Hi @banjo, thank you for posting this topic.

From the initial looks, the route fails to get created not because of the SCC, but it could be some admission controller that is stopping the custom hostname. I have not seen this behaviour while changing the route hostname with the K10 API.

I have earlier heard that the OpenShift starter plan doesn’t support using a custom hostname for a route. Not sure if that is the case in your setup.

For updating the OpenShift auth values in the K10 CR, there could be an easier way: patch the K10 resource with an oc/kubectl command rather than manually editing the large K10 CR manifest.

We are drafting an article and will share it here once it is published.


@jaiganeshjk yeah, it is something to do with the AC, which will fill in the host with name-namespace, but a friend of mine from RH SME suggested too that the SA of the Operator doesn’t have permission to set the hosts.

I’ve never heard of an OpenShift starter plan? I don’t recall there being such a thing. Perhaps you’re referring to OpenShift Local (aka CodeReady Containers). For transparency, I am using the typical 9-node cluster (3 x masters, 3 x workers, 3 x infra).

Would love to see this work in the future! OLM is the way to go in the OpenShift world. :)
