From 2bcdad2e6f5ddadb2108c62ee2a55476d55cc99c Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 3 Nov 2021 21:24:48 +0100
Subject: [PATCH] its working

---
 README.md => README.adoc | 67 ++++++++++++++++++++++++++++------------
 host-cluster/route.yaml | 14 ++++-----
 values.yaml | 3 --
 3 files changed, 55 insertions(+), 29 deletions(-)
 rename README.md => README.adoc (63%)

diff --git a/README.md b/README.adoc
similarity index 63%
rename from README.md
rename to README.adoc
index 3058673..140bfd5 100644
--- a/README.md
+++ b/README.adoc
@@ -1,31 +1,60 @@
-# vcluster on OpenShift
+= vcluster on OpenShift
 
-See also https://github.com/loft-sh/vcluster/issues/171
+See also https://www.vcluster.com/docs/[vcluster docs].
 
-## Notes
+== Notes
 
-* Images do not run properly as non-root - workaround with multiple `emptyDir` mounts.
-* Default K3s CoreDNS deployment doesn't work on OpenShift Host Cluster -> Custom deployment in `in-cluster/coredns.yaml`.
+* Issues with vcluster on OpenShift
+** Images do not run properly as non-root - workaround with multiple `emptyDir` mounts.
+** Default K3s CoreDNS deployment doesn't work on OpenShift Host Cluster -> Custom deployment in `in-cluster/coredns.yaml`.
+** See https://github.com/loft-sh/vcluster/issues/171[vcluster on OpenShift 4 #171]
+* Re-encrypt route only works with OIDC auth, not with certificate auth
 
-## Installation
+== Installation
 
-- Create OpenShift Project
-- Create vcluster: `vcluster create vcluster-1 -n tobru-vcluster-poc -f values.yaml`
-- Get kubeconfig: `oc get secret vc-vcluster-1 --template={{.data.config}} | base64 -d > kubeconfig.yaml`
-- Get CA for re-encryption of Route: `kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config view -o jsonpath='{.clusters[].cluster.certificate-authority-data}' --flatten | base64 -d`
-- Edit `host-cluster/route.yaml`, include the retrieved CA and install the route: `oc apply -f host-cluster/route.yaml`
-- Remove CA (we're using Let's Encrypt): `kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config unset clusters.local.certificate-authority-data`
-- Set kubeconfig: `export KUBECONFIG=$(pwd)/kubeconfig.yaml`
-- Install custom CoreDNS in vcluster: `kubectl apply -f in-cluster/coredns.yaml`
-- Configure OIDC: `kubectl config set-credentials ...` (see below)
+. Create OpenShift Project
 
-## OIDC Authentication
+. Create and configure vcluster
++
+----
+vcluster create vcluster-1 -n tobru-vcluster-poc -f values.yaml
+vcluster connect vcluster-1 --namespace tobru-vcluster-poc
+kubectl --kubeconfig=$(pwd)/kubeconfig.yaml apply -f in-cluster/
+----
+
+. Install Route
++
+----
+CA=$(kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config view -o jsonpath='{.clusters[].cluster.certificate-authority-data}' --flatten | base64 -d)
+yq -i e ".spec.tls.destinationCACertificate = \"$CA\"" host-cluster/route.yaml
+oc apply -f host-cluster/route.yaml
+----
+
+. Configure kubeconfig for vcluster access
++
+----
+kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config unset clusters.local.certificate-authority-data
+kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set clusters.local.server https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
+kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set-credentials oidc \
+ --exec-api-version=client.authentication.k8s.io/v1beta1 \
+ --exec-command=kubectl \
+ --exec-arg=oidc-login \
+ --exec-arg=get-token \
+ --exec-arg=--oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev \
+ --exec-arg=--oidc-client-id=tobru-vcluster-test \
+ --exec-arg=--oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
+kubectl --kubeconfig=$(pwd)/kubeconfig.yaml config set-context Default --user=oidc
+----
+
+🚀
+
+== Background information: OIDC Authentication
 
 * Blog: https://aaron-pejakovic.medium.com/kubernetes-authenticating-to-your-cluster-using-keycloak-eba81710f49b
 * K8s Docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
 * kubectl plugin: https://github.com/int128/kubelogin
 
-### vcluster config
+=== vcluster config
 
 ```
 vcluster:
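Review bot: The new `Configure kubeconfig for vcluster access` step commits the Keycloak client secret verbatim in `--exec-arg=--oidc-client-secret=…`, and `config set-credentials oidc` then copies it into every kubeconfig built from these instructions, which the later `You can share the kubeconfig to your team members` section (context in the -123,7 hunk) encourages handing out. Once this is pushed the value has to be treated as exposed: rotate the client secret in the Keycloak client and replace the literal here with a placeholder such as `--exec-arg=--oidc-client-secret=<client-secret from your secret store>`. The same literal sits in the `# kubectl oidc-login setup …` context line of the -38,7 hunk, which predates this commit but needs the same treatment. The removed `Remove CA (we're using Let's Encrypt)` bullet carried the rationale for `config unset clusters.local.certificate-authority-data`; the new listing drops it, so a one-line remark that the route's publicly trusted certificate is validated through the system trust store from then on would help the reader.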
@@ -38,7 +67,7 @@ vcluster:
 - --kube-apiserver-arg=oidc-username-claim=email
 ```
 
-### kubectl plugin
+=== kubectl plugin
 
 ```
 # kubectl oidc-login setup --oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev --oidc-client-id=tobru-vcluster-test --oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
@@ -123,7 +152,7 @@ You can share the kubeconfig to your team members for on-boarding.
 # kubectl --kubeconfig ./kubeconfig.yaml --user=oidc get po -A
 ```
 
-## Keycloak client
+== Keycloak client
 
 * "Access Type" confidential
 * Valid Redirect URIs:
diff --git a/host-cluster/route.yaml b/host-cluster/route.yaml
index c64c823..164f56c 100644
--- a/host-cluster/route.yaml
+++ b/host-cluster/route.yaml
@@ -11,13 +11,13 @@ spec:
 destinationCACertificate: |-
 -----BEGIN CERTIFICATE-----
 MIIBdzCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
- dmVyLWNhQDE2MzU5NDkzNDQwHhcNMjExMTAzMTQyMjI0WhcNMzExMTAxMTQyMjI0
- WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NDkzNDQwWTATBgcqhkjO
- PQIBBggqhkjOPQMBBwNCAASvwosJwebm6BfvLa5SmRljewWxmtxrEVqiLxxylpi0
- HnRD9Mf+V51woXJnLD67ZudhtNi9Yo5aMUJRCCUmKgNTo0IwQDAOBgNVHQ8BAf8E
- BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQURg8+LoXFHvDbK4p7cA3m
- 6jhd0gAwCgYIKoZIzj0EAwIDSAAwRQIhAK51H0HiF+MmKDpHxZa4QsmaKhJmibZx
- Y3ulMnr5JBnaAiBfVaJANaLLYex+HHncQf/O1BG8+ksezljAQYTyVCEFiw==
+ dmVyLWNhQDE2MzU5NzA2NTQwHhcNMjExMTAzMjAxNzM0WhcNMzExMTAxMjAxNzM0
+ WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NzA2NTQwWTATBgcqhkjO
+ PQIBBggqhkjOPQMBBwNCAAQJf/T5/QpKMo4rbhcUno793nA5gIROsw46MxCKV5Tb
+ MqUQzKKTppV6b/AqK8x3UyLP/yB+1SYYT7RL0cANx8Nro0IwQDAOBgNVHQ8BAf8E
+ BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUa1TQKu4lZaHvRiG9MrWZ
+ 0V47IRAwCgYIKoZIzj0EAwIDSAAwRQIgOXRCBZjnSk6QzR1PbRbIfw2aINxkDYuR
+ jUaS4406W04CIQDFn4hAYDiS6s0Filf9XmpSkNNyUM/3adKFJPkTlndXLA==
 -----END CERTIFICATE-----
 insecureEdgeTerminationPolicy: None
 termination: reencrypt
diff --git a/values.yaml b/values.yaml
index d91c6fb..0180b45 100644
--- a/values.yaml
+++ b/values.yaml
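Review bot: `destinationCACertificate` in `host-cluster/route.yaml` is a generated, cluster-specific value that the README's `yq -i e ".spec.tls.destinationCACertificate = \"$CA\"" host-cluster/route.yaml` step rewrites in place, and this hunk is that churn (the base64 suggests the subject moved from `k3s-server-ca@1635949344` to `k3s-server-ca@1635970654`, in line with the changed validity dates). The blob is the vcluster's public CA certificate, so nothing secret is exposed, but the committed file will keep drifting on every `vcluster create`. Consider committing a placeholder such as `destinationCACertificate: <filled in by the Install Route step>` with a comment `# generated per cluster by the README "Install Route" step; do not commit the populated value` above it, and keeping the populated copy untracked. `termination: reencrypt` with `insecureEdgeTerminationPolicy: None` is unchanged context and keeps plain-HTTP access to the route disabled.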
@@ -23,9 +23,6 @@ vcluster:
 - mountPath: /.kube
 name: kubeconfig
 syncer:
- extraArgs:
- - --tls-san=vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
- - --out-kube-config-server=https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
 volumeMounts:
 - mountPath: /data
 name: data
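Review bot: Removing `--tls-san=vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud` and `--out-kube-config-server=…` from `syncer.extraArgs` leaves `values.yaml` with no trace of how the public hostname is reached; the README's new `Configure kubeconfig for vcluster access` step now sets `clusters.local.server` by hand, but a reader of this file alone cannot tell that. Without `--tls-san` the vcluster API server certificate presumably no longer lists the route hostname, so the re-encrypt route now depends on the router validating the backend against `destinationCACertificate` without hostname matching — worth confirming explicitly rather than inferring from "its working". A comment above `syncer:` such as `# external hostname is set in the kubeconfig (README, "Configure kubeconfig"); the Route re-encrypts to the in-cluster API server` would record the intent. `syncer:` and its neighbours are context here, and the enclosing `vcluster:` mapping starts before this hunk.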