We have a tool that provisions the CI/CD workflow for all the teams in our company. As part of the toolchain provisioning we are also creating an OpenShift project automatically.
I am trying to figure out the best automated authorization strategy for each individual team's deployment process.
Here is what we are doing currently:
Create a project (e.g. testproject)
Create a service account (oc create sa testuser)
Add the user to the admin role for the project (oc policy add-role-to-user admin system:serviceaccount:testproject:testuser)
Now we retrieve the api token for sa account testuser
oc describe sa testuser (Get the predefined token of testuser)
oc describe secret testuser-token-gd9sl (Get the session token)
Through describe secret command, we can retrieve the api token. We give these api tokens to individual teams.
oc login https://192.219.152.34.nip.io --token=adfasdfsdaf23423
Once logged in using their token, teams are able to perform any API operations in the scope of testproject.
eg: oc create -f testproject-deploymentconfig.yml
oc create -f testproject-service.yml
Is this approach correct? Does it have any drawbacks? Is there a better approach to this? Can anyone suggest one?
Here is my suggestion, which I hope will improve your automated object processing.
The above process (create project and sa) should be executed when a new project is created, so you can do the task via the project template - Modifying the Template for New Projects.
For instance, you can include your serviceaccount yaml definition in the template.
We do it mostly the same way.
Within a Jenkins pipeline we create a project via a template yaml file.
This includes project metadata and annotations, a named user (LDAP login of the requester) associated as admin and some predefined pull secrets.
Login to OpenShift is secured by Keycloak with MFA. And afterwards the admin account himself can edit membership and add serviceaccounts as needed.
We also didn't modify the default project template.
What I have:
default install of OpenShift 4.6
3 master/worker nodes in the cluster
already configured OAuth
self-provisioner role from the system-auth group has already been removed
Detail Question/Objective:
Assigning a self-provisioner role to a user allows the user to create a project and any resources inside the project. What I want to achieve is a user who can create a project but does not have any further rights/permissions inside the project. Is this even possible?
The OpenShift 4.6 documentation says that when any user creates a project, the user (requester) becomes the admin of that project, because the OpenShift API uses a default template whenever it creates a project.
I'm confused about where to make the changes to reflect my objective: is it the template, or should I use a different RBAC role?
Thank you in advance.
What you need is to customize the Project Template. Look here: https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#modifying-template-for-new-projects_configuring-project-creation
First you need to back up a project project-template from openshift-config; to be honest, I don't know how to do it. If anyone finds a way, please drop a comment under the answer. - Look at the first answer below from @Stevencommy
To create a new Project Template
oc adm create-bootstrap-project-template -o yaml > template.yaml
In template.yaml configure
kind: Project
...
name: ${PROJECT_NAME}
The default user for a newly created project is configured in:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
Then create the template
oc create -f template.yaml -n openshift-config
Update
oc edit project.config.openshift.io/cluster
there
spec:
  projectRequestTemplate:
    name: <template_name>
The default <template_name> is project-request; you can also list it with oc get templates -n openshift-config | grep project-request
If everything goes well, you can test it with oc new-project <your-project>. The user for the project should be <YOUR_USER_WITHOUT_RIGHTS_TO_CREATE_PROJECT>
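A check for the edited template from the answer above, as an added example that is not part of the original answer: it lists the RoleBinding subjects in a template file and reports whether the requesting user would still be bound in new projects. It assumes the file keeps the layout written by oc adm create-bootstrap-project-template, whose requester parameters are ${PROJECT_ADMIN_USER} and ${PROJECT_REQUESTING_USER}; the function names are hypothetical and the sample template is constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes template.yaml keeps
# the layout written by `oc adm create-bootstrap-project-template`.

# Print the name of every RoleBinding subject found in template file $1.
template_subjects() {
  awk '
    /^[ \t]*subjects:[ \t]*$/ { in_subj = 1; next }
    in_subj && /^[ \t]*(-[ \t]+)?name:/ {
      sub(/^[^:]*:[ \t]*/, ""); print; next
    }
    in_subj && /^[ \t]*(-[ \t]+)?(apiGroup|kind|namespace):/ { next }
    { in_subj = 0 }
  ' "$1"
}

# Succeed (exit 0) when the requester would still be bound in new projects.
requester_still_bound() {
  template_subjects "$1" |
    grep -Fxq -e '${PROJECT_ADMIN_USER}' -e '${PROJECT_REQUESTING_USER}'
}

# Write a constructed sample template to $1 with subject name $2.
write_sample_template() {
  cat > "$1" <<EOF
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: project-request
objects:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: admin
    namespace: \${PROJECT_NAME}
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: admin
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: $2
parameters:
- name: PROJECT_NAME
- name: PROJECT_ADMIN_USER
EOF
}
```

Source the file and run requester_still_bound template.yaml before oc create -f template.yaml -n openshift-config; a zero exit status means a requester parameter is still listed as a subject.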
Trying to create a Node.js app in OpenShift from the terminal, like this:
./oc new-app https://j4nos@bitbucket.org/j4nos/nodejs.git
The source code is on BitBucket in a private account; how do I set credentials? Once it asked for a password, but not again. How can I set credentials?
Added annotated secret from GUI: repo-at-bitbucket
I have read the Private Git Repositories: Part 2A tutorial. Strange that for the HTTPD app there is a Source Secret field to select a secret, but not when the Node.js + MongoDB combo is selected. Why?
Ahh .. need to select pure Node.js app.
You need to authenticate to the private git repository. This can be done a few different ways. I would suggest taking a few minutes and reading this blog series, which outlines the different methods you can take.
https://blog.openshift.com/private-git-repositories-part-1-best-practices/
After reading first through initial few posts explaining concepts and doing it with GitHub, only then look at the BitBucket example.
https://blog.openshift.com/private-git-repositories-part-5-hosting-repositories-bitbucket/
Those GitHub examples have more explanation which will then make BitBucket example easier to understand.
The likely reason you were prompted for the password when running oc new-app is that you used:
oc new-app https://j4nos@bitbucket.org/j4nos/nodejs.git
Specifically, you didn't specify an S2I builder to use. As a result, oc new-app will try to check out the repo locally to analyse it and work out what language it uses. This is why it would prompt for the password separately.
It is better to specify the builder name on the command as:
oc new-app nodejs~https://j4nos@bitbucket.org/j4nos/nodejs.git
This is an abbreviated form of the command and is the same as running:
oc new-app --strategy=source --image-stream nodejs --code https://j4nos@bitbucket.org/j4nos/nodejs.git
If you specify the builder, it already knows what to use and doesn't analyse the code, so it will not prompt for the password, plus you wouldn't need the user in the URI.
Either way, when building in OpenShift you still need the basicauth secret and should annotate it so it knows to use the secret for that build.
I'm trying to migrate from OpenShift 2 to OpenShift 3.
I have created a new app on OpenShift 3 but I'm struggling to clone my BitBucket private git repository to it. (I had no problem with OpenShift 2).
I have tried setting secrets (SSH or Basic Authentication) in Build/Advanced Options but without luck.
Here is the error message :
Cloning "git@bitbucket.org:(myusername)/(myrepository).git" ... error:
build error: Host key verification failed. fatal: Could not read from
remote repository. Please make sure you have the correct access rights
and the repository exists.
The steps if working from the command line are as follows:
1) Create a new SSH key pair for use with the repository. This cannot have a passphrase.
ssh-keygen -C "openshift-source-builder/repo@bitbucket" -f repo-at-bitbucket -N ''
This will generate files:
repo-at-bitbucket
repo-at-bitbucket.pub
being the private and public key files.
2) Go to Settings->Access keys for the repository on BitBucket, select Add key and in the popup window enter the key name openshift-source-builder and paste in the contents of the public key file. In this case repo-at-bitbucket.pub. Confirm creation by clicking on Add key on the popup window.
3) Create a secret in OpenShift for the key by running:
oc secrets new-sshauth repo-at-bitbucket --ssh-privatekey=repo-at-bitbucket
4) Enable access to the secret from the builder service account.
oc secrets link builder repo-at-bitbucket
5) In order that OpenShift knows the secret is for this specific private Git repository and automatically uses it, annotate the secret with the SSH URI for the repository.
oc annotate secret/repo-at-bitbucket \
'build.openshift.io/source-secret-match-uri-1=ssh://bitbucket.org/yourusername/private-repo.git'
Very important here is the form of the URI. In the BitBucket web interface it will show it as:
git@bitbucket.org:yourusername/private-repo.git
Do not use that. You need to use the SSH form of the URI here.
6) We can then deploy the application from the private Git repository.
oc new-app httpd~git@bitbucket.org:yourusername/private-repo.git --name mysite
It is okay to use git@bitbucket.org:yourusername/private-repo.git here, or you could also use the SSH form of the URI.
You can also do all this from the web console instead. If creating the secret as a separate step in the web console, it is important to link the builder service account when doing that. If you create the source secret when deploying, then it will automatically link the builder service account.
Note that if the OpenShift instance has a firewall between it and BitBucket and SSH connections are blocked, this will not work. In that case you need to fall back to using a personal access token (app password) over a SSH connection using HTTP basic authentication.
These details are now much better explained by the blog post series starting with:
https://blog.openshift.com/private-git-repositories-part-1-best-practices/
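The URI form required in step 5 is the easiest part of this procedure to get wrong, so here is an added example (not part of the original answer) that derives the ssh:// form from the address BitBucket displays and prints the matching oc annotate command. The function names are hypothetical; the output follows the user-less ssh://host/path form shown in the answer.

```shell
#!/bin/sh
# Added example, not part of the original answer: derive the ssh:// URI for the
# source-secret-match-uri annotation from the address BitBucket displays.

# Print ssh://host/path for an SSH Git address in $1; fail for anything else.
to_match_uri() {
  addr=$1
  case $addr in
    ssh://*)                      # already a URI: ssh://[user@]host[:port]/path
      rest=${addr#ssh://}
      host=${rest%%/*}; path=${rest#*/}
      [ "$rest" != "$host" ] || return 1   # no path component
      ;;
    *://*) return 1 ;;            # https://, git://, ...: not an SSH address
    *:*)                          # scp-like form: [user@]host:path
      host=${addr%%:*}; path=${addr#*:}
      path=${path#/}
      ;;
    *) return 1 ;;
  esac
  host=${host#*@}                 # the annotation in the answer carries no user
  [ -n "$host" ] && [ -n "$path" ] || return 1
  printf 'ssh://%s/%s\n' "$host" "$path"
}

# Print the oc annotate command for secret $1 and repository address $2.
annotate_command() {
  uri=$(to_match_uri "$2") || return 1
  printf "oc annotate secret/%s 'build.openshift.io/source-secret-match-uri-1=%s'\n" "$1" "$uri"
}
```

An HTTPS address is rejected on purpose: an SSH key secret cannot authenticate an HTTPS clone, so annotating it with such a URI would never match a working build.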
We are trying to automate the build and deployment of containers to projects created in OpenShift v3.3. From the documentation I can see that we will need to leverage service accounts to do this, but the documentation is hard to follow and the examples I have found in the blogs don't complete the task. My workflow is as follows, with example oc commands I use:
BUILDER_TOKEN='xxx'
DEPLOYER_TOKEN='xxx'
# build and push the image works as expected
docker build -t registry.xyz.com/want/want:latest .
docker login --username=<someuser> --password=${BUILDER_TOKEN} registry.xyz.com
docker push registry.xyz.com/<repo>/<image>:<tag>
# This fails with error
oc login https://api.xyz.com --token=${DEPLOYER_TOKEN}
oc project <someproject>
oc new-app registry.xyz.com/<repo>/<image>:<tag>
Notice I log in to the REST API interface, select the project and create the app, but this fails with the following errors:
error: User "system:serviceaccount:want:deployer" cannot create deploymentconfigs in project "default"
error: User "system:serviceaccount:want:deployer" cannot create services in project "default"
Any ideas?
Service accounts only have permission in their owning project by default. You would need to grant deployer access to deploy in other projects.
OK, so it seems that using a service account to accomplish this is not the best way to go about things. This is not helped by the documentation. The use case above is very common and the correct approach is to simply invoke new-app with the image name and corresponding tag:
oc new-app ${APP}:${TAG}
There is no need to mess around with service accounts.
I've got my own WireCloud instance running.
I've developed a set of specific widgets and operators, but when I register a new user I have to manually load each component.
Is it possible to configure it so users can have a default workspace?
How?
Currently, it's not possible to set up a default workspace for new users. See this ticket for more details.
On the other hand, it's possible to install components for all the users of your WireCloud instance:
You can use the command line interface (doc) and upload the resources for all the users:
$ python manage.py addtocatalogue --public mycomponents/*.wgt
Or you can make use of Django's admin panel:
Open it:
Go to the Catalogue Resources section:
Select a component:
And make it available to all the users of your WireCloud instance: