its working
This commit is contained in:
parent
6ea0ea8dc6
commit
2bcdad2e6f
|
@ -1,31 +1,60 @@
|
|||
# vcluster on OpenShift
|
||||
= vcluster on OpenShift
|
||||
|
||||
See also https://github.com/loft-sh/vcluster/issues/171
|
||||
See also https://www.vcluster.com/docs/[vcluster docs].
|
||||
|
||||
## Notes
|
||||
== Notes
|
||||
|
||||
* Images do not run properly as non-root - workaround with multiple `emptyDir` mounts.
|
||||
* Default K3s CoreDNS deployment doesn't work on OpenShift Host Cluster -> Custom deployment in `in-cluster/coredns.yaml`.
|
||||
* Issues with vcluster on OpenShift
|
||||
** Images do not run properly as non-root - workaround with multiple `emptyDir` mounts.
|
||||
** Default K3s CoreDNS deployment doesn't work on OpenShift Host Cluster -> Custom deployment in `in-cluster/coredns.yaml`.
|
||||
** See https://github.com/loft-sh/vcluster/issues/171[vcluster on OpenShift 4 #171]
|
||||
* Re-encrypt route only works with OIDC auth, not with certificate auth
|
||||
|
||||
## Installation
|
||||
== Installation
|
||||
|
||||
- Create OpenShift Project
|
||||
- Create vcluster: `vcluster create vcluster-1 -n tobru-vcluster-poc -f values.yaml`
|
||||
- Get kubeconfig: `oc get secret vc-vcluster-1 --template={{.data.config}} | base64 -d > kubeconfig.yaml`
|
||||
- Get CA for re-encryption of Route: `kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config view -o jsonpath='{.clusters[].cluster.certificate-authority-data}' --flatten | base64 -d`
|
||||
- Edit `host-cluster/route.yaml`, include the retrieved CA and install the route: `oc apply -f host-cluster/route.yaml`
|
||||
- Remove CA (we're using Let's Encrypt): `kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config unset clusters.local.certificate-authority-data`
|
||||
- Set kubeconfig: `export KUBECONFIG=$(pwd)/kubeconfig.yaml`
|
||||
- Install custom CoreDNS in vcluster: `kubectl apply -f in-cluster/coredns.yaml`
|
||||
- Configure OIDC: `kubectl config set-credentials ...` (see below)
|
||||
. Create OpenShift Project
|
||||
|
||||
## OIDC Authentication
|
||||
. Create and configure vcluster
|
||||
+
|
||||
----
|
||||
vcluster create vcluster-1 -n tobru-vcluster-poc -f values.yaml
|
||||
vcluster connect vcluster-1 --namespace tobru-vcluster-poc
|
||||
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml apply -f in-cluster/
|
||||
----
|
||||
|
||||
. Install Route
|
||||
+
|
||||
----
|
||||
CA=$(kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config view -o jsonpath='{.clusters[].cluster.certificate-authority-data}' --flatten | base64 -d)
|
||||
yq -i e ".spec.tls.destinationCACertificate = \"$CA\"" host-cluster/route.yaml
|
||||
oc apply -f host-cluster/route.yaml
|
||||
----
|
||||
|
||||
. Configure kubeconfig for vcluster access
|
||||
+
|
||||
----
|
||||
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config unset clusters.local.certificate-authority-data
|
||||
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set clusters.local.server https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
|
||||
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set-credentials oidc \
|
||||
--exec-api-version=client.authentication.k8s.io/v1beta1 \
|
||||
--exec-command=kubectl \
|
||||
--exec-arg=oidc-login \
|
||||
--exec-arg=get-token \
|
||||
--exec-arg=--oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev \
|
||||
--exec-arg=--oidc-client-id=tobru-vcluster-test \
|
||||
--exec-arg=--oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
|
||||
kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set-context Default --user=oidc
|
||||
----
|
||||
|
||||
🚀
|
||||
|
||||
== Background information: OIDC Authentication
|
||||
|
||||
* Blog: https://aaron-pejakovic.medium.com/kubernetes-authenticating-to-your-cluster-using-keycloak-eba81710f49b
|
||||
* K8s Docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
|
||||
* kubectl plugin: https://github.com/int128/kubelogin
|
||||
|
||||
### vcluster config
|
||||
=== vcluster config
|
||||
|
||||
```
|
||||
vcluster:
|
||||
|
@ -38,7 +67,7 @@ vcluster:
|
|||
- --kube-apiserver-arg=oidc-username-claim=email
|
||||
```
|
||||
|
||||
### kubectl plugin
|
||||
=== kubectl plugin
|
||||
|
||||
```
|
||||
# kubectl oidc-login setup --oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev --oidc-client-id=tobru-vcluster-test --oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
|
||||
|
@ -123,7 +152,7 @@ You can share the kubeconfig to your team members for on-boarding.
|
|||
# kubectl --kubeconfig ./kubeconfig.yaml --user=oidc get po -A
|
||||
```
|
||||
|
||||
## Keycloak client
|
||||
== Keycloak client
|
||||
|
||||
* "Access Type" confidential
|
||||
* Valid Redirect URIs:
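Review bot: The Keycloak client secret is committed in clear in the new "Configure kubeconfig for vcluster access" step (`--exec-arg=--oidc-client-secret=63410f24-…`) and again in the `kubectl oidc-login setup` example, and because the page goes on to say the kubeconfig can be shared with team members for on-boarding, the same value is copied into every distributed kubeconfig, so the client's "confidential" access type gives no confidentiality in practice. Treat the value as compromised and rotate it in Keycloak, and keep it out of the repo and out of the shared file: either make the client public (kubelogin negotiates PKCE when the issuer advertises it — verify for the plugin version in use) or document a placeholder such as `--exec-arg=--oidc-client-secret=<from your password manager>` that each user fills in locally. The same step would benefit from one more sentence: `set-context Default --user=oidc` switches the context but leaves the original certificate-based user from the `vc-vcluster-1` secret in the file, so run `kubectl config delete-user <original user>` before sharing, otherwise every recipient presumably holds admin credentials that work wherever certificate auth is accepted (e.g. via `vcluster connect`), even though the re-encrypt route rejects them.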
|
|
@ -11,13 +11,13 @@ spec:
|
|||
destinationCACertificate: |-
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBdzCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
|
||||
dmVyLWNhQDE2MzU5NDkzNDQwHhcNMjExMTAzMTQyMjI0WhcNMzExMTAxMTQyMjI0
|
||||
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NDkzNDQwWTATBgcqhkjO
|
||||
PQIBBggqhkjOPQMBBwNCAASvwosJwebm6BfvLa5SmRljewWxmtxrEVqiLxxylpi0
|
||||
HnRD9Mf+V51woXJnLD67ZudhtNi9Yo5aMUJRCCUmKgNTo0IwQDAOBgNVHQ8BAf8E
|
||||
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQURg8+LoXFHvDbK4p7cA3m
|
||||
6jhd0gAwCgYIKoZIzj0EAwIDSAAwRQIhAK51H0HiF+MmKDpHxZa4QsmaKhJmibZx
|
||||
Y3ulMnr5JBnaAiBfVaJANaLLYex+HHncQf/O1BG8+ksezljAQYTyVCEFiw==
|
||||
dmVyLWNhQDE2MzU5NzA2NTQwHhcNMjExMTAzMjAxNzM0WhcNMzExMTAxMjAxNzM0
|
||||
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NzA2NTQwWTATBgcqhkjO
|
||||
PQIBBggqhkjOPQMBBwNCAAQJf/T5/QpKMo4rbhcUno793nA5gIROsw46MxCKV5Tb
|
||||
MqUQzKKTppV6b/AqK8x3UyLP/yB+1SYYT7RL0cANx8Nro0IwQDAOBgNVHQ8BAf8E
|
||||
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUa1TQKu4lZaHvRiG9MrWZ
|
||||
0V47IRAwCgYIKoZIzj0EAwIDSAAwRQIgOXRCBZjnSk6QzR1PbRbIfw2aINxkDYuR
|
||||
jUaS4406W04CIQDFn4hAYDiS6s0Filf9XmpSkNNyUM/3adKFJPkTlndXLA==
|
||||
-----END CERTIFICATE-----
|
||||
insecureEdgeTerminationPolicy: None
|
||||
termination: reencrypt
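Review bot: `destinationCACertificate` pins the vcluster's own k3s server CA as a literal in the repo, and this commit replaces it with a fresh one whose subject (the base64 appears to decode to `k3s-server-ca@<epoch>`) carries a later timestamp, i.e. the CA is regenerated whenever the vcluster is recreated, so the committed bytes are environment-specific and silently go stale, after which the reencrypt route fails backend verification (typically a 503 from the router) while the YAML in git looks correct. Since the README already derives the value at install time with `yq -i e ".spec.tls.destinationCACertificate = \"$CA\"" host-cluster/route.yaml`, commit a placeholder instead and put `# populated at install time from the vcluster kubeconfig (see README); do not hand-edit` above the key, or have a kustomize/helm step read it from the `vc-vcluster-1` secret. Pinning the backend CA with `insecureEdgeTerminationPolicy: None` is the right posture; the only weakness is that the pinned value cannot be kept in sync by hand. The enclosing `spec.tls` mapping starts outside the hunk.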
|
||||
|
|
|
@ -23,9 +23,6 @@ vcluster:
|
|||
- mountPath: /.kube
|
||||
name: kubeconfig
|
||||
syncer:
|
||||
extraArgs:
|
||||
- --tls-san=vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
|
||||
- --out-kube-config-server=https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
|
|