its working

This commit is contained in:
Tobias Brunner 2021-11-03 21:24:48 +01:00
parent 6ea0ea8dc6
commit 2bcdad2e6f
3 changed files with 55 additions and 29 deletions

View File

@ -1,31 +1,60 @@
# vcluster on OpenShift
= vcluster on OpenShift
See also https://github.com/loft-sh/vcluster/issues/171
See also https://www.vcluster.com/docs/[vcluster docs].
## Notes
== Notes
* Images do not run properly as non-root - workaround with multiple `emptyDir` mounts.
* Default K3s CoreDNS deployment doesn't work on OpenShift Host Cluster -> Custom deployment in `in-cluster/coredns.yaml`.
* Issues with vcluster on OpenShift
** Images do not run properly as non-root - workaround with multiple `emptyDir` mounts.
** Default K3s CoreDNS deployment doesn't work on OpenShift Host Cluster -> Custom deployment in `in-cluster/coredns.yaml`.
** See https://github.com/loft-sh/vcluster/issues/171[vcluster on OpenShift 4 #171]
* Re-encrypt route only works with OIDC auth, not with certificate auth
## Installation
== Installation
- Create OpenShift Project
- Create vcluster: `vcluster create vcluster-1 -n tobru-vcluster-poc -f values.yaml`
- Get kubeconfig: `oc get secret vc-vcluster-1 --template={{.data.config}} | base64 -d > kubeconfig.yaml`
- Get CA for re-encryption of Route: `kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config view -o jsonpath='{.clusters[].cluster.certificate-authority-data}' --flatten | base64 -d`
- Edit `host-cluster/route.yaml`, include the retrieved CA and install the route: `oc apply -f host-cluster/route.yaml`
- Remove CA (we're using Let's Encrypt): `kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config unset clusters.local.certificate-authority-data`
- Set kubeconfig: `export KUBECONFIG=$(pwd)/kubeconfig.yaml`
- Install custom CoreDNS in vcluster: `kubectl apply -f in-cluster/coredns.yaml`
- Configure OIDC: `kubectl config set-credentials ...` (see below)
. Create OpenShift Project
## OIDC Authentication
. Create and configure vcluster
+
----
vcluster create vcluster-1 -n tobru-vcluster-poc -f values.yaml
vcluster connect vcluster-1 --namespace tobru-vcluster-poc
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml apply -f in-cluster/
----
. Install Route
+
----
CA=$(kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config view -o jsonpath='{.clusters[].cluster.certificate-authority-data}' --flatten | base64 -d)
yq -i e ".spec.tls.destinationCACertificate = \"$CA\"" host-cluster/route.yaml
oc apply -f host-cluster/route.yaml
----
. Configure kubeconfig for vcluster access
+
----
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config unset clusters.local.certificate-authority-data
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set clusters.local.server https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set-credentials oidc \
--exec-api-version=client.authentication.k8s.io/v1beta1 \
--exec-command=kubectl \
--exec-arg=oidc-login \
--exec-arg=get-token \
--exec-arg=--oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev \
--exec-arg=--oidc-client-id=tobru-vcluster-test \
--exec-arg=--oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set-context Default --user=oidc
----
🚀
== Background information: OIDC Authentication
* Blog: https://aaron-pejakovic.medium.com/kubernetes-authenticating-to-your-cluster-using-keycloak-eba81710f49b
* K8s Docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
* kubectl plugin: https://github.com/int128/kubelogin
### vcluster config
=== vcluster config
```
vcluster:
@ -38,7 +67,7 @@ vcluster:
- --kube-apiserver-arg=oidc-username-claim=email
```
### kubectl plugin
=== kubectl plugin
```
# kubectl oidc-login setup --oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev --oidc-client-id=tobru-vcluster-test --oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
@ -123,7 +152,7 @@ You can share the kubeconfig to your team members for on-boarding.
# kubectl --kubeconfig ./kubeconfig.yaml --user=oidc get po -A
```
## Keycloak client
== Keycloak client
* "Access Type" confidential
* Valid Redirect URIs:

View File

@ -11,13 +11,13 @@ spec:
destinationCACertificate: |-
-----BEGIN CERTIFICATE-----
MIIBdzCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
dmVyLWNhQDE2MzU5NDkzNDQwHhcNMjExMTAzMTQyMjI0WhcNMzExMTAxMTQyMjI0
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NDkzNDQwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASvwosJwebm6BfvLa5SmRljewWxmtxrEVqiLxxylpi0
HnRD9Mf+V51woXJnLD67ZudhtNi9Yo5aMUJRCCUmKgNTo0IwQDAOBgNVHQ8BAf8E
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQURg8+LoXFHvDbK4p7cA3m
6jhd0gAwCgYIKoZIzj0EAwIDSAAwRQIhAK51H0HiF+MmKDpHxZa4QsmaKhJmibZx
Y3ulMnr5JBnaAiBfVaJANaLLYex+HHncQf/O1BG8+ksezljAQYTyVCEFiw==
dmVyLWNhQDE2MzU5NzA2NTQwHhcNMjExMTAzMjAxNzM0WhcNMzExMTAxMjAxNzM0
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NzA2NTQwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQJf/T5/QpKMo4rbhcUno793nA5gIROsw46MxCKV5Tb
MqUQzKKTppV6b/AqK8x3UyLP/yB+1SYYT7RL0cANx8Nro0IwQDAOBgNVHQ8BAf8E
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUa1TQKu4lZaHvRiG9MrWZ
0V47IRAwCgYIKoZIzj0EAwIDSAAwRQIgOXRCBZjnSk6QzR1PbRbIfw2aINxkDYuR
jUaS4406W04CIQDFn4hAYDiS6s0Filf9XmpSkNNyUM/3adKFJPkTlndXLA==
-----END CERTIFICATE-----
insecureEdgeTerminationPolicy: None
termination: reencrypt

View File

@ -23,9 +23,6 @@ vcluster:
- mountPath: /.kube
name: kubeconfig
syncer:
extraArgs:
- --tls-san=vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
- --out-kube-config-server=https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
volumeMounts:
- mountPath: /data
name: data