Finding the web console URL and kubeadmin password in an OpenShift 4 UPI installation
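When installing OpenShift 4 on UPI (User Provisioned Infrastructure), 4.12 in our precise case, there is no "installation log" from the openshift installer apart from possible "wait-for" traces, so there is no directly available clue to the path of the web console, nor to the "root" login ID and password.
At the time of posting this question, installation instructions such as Installing a cluster on vSphere with user-provisioned infrastructure give no clue. Neither does Preparing for users: no clue.
An Internet search may lead you to the hopeful article How to recover a lost kubeadmin password for an OpenShift 4 cluster, but it really applies to IPI, not to UPI; so where on earth is it?
We (OC newcomers) spent a few hours finding out... let us save you time and nerves.
First, let us recall that if you follow the UPI installation steps carefully, at some point you must install the "oc" CLI tool and use it to "log in" to your cluster with: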
$ export KUBECONFIG=<installation_directory>/auth/kubeconfig
# replace <installation_directory> by the directory where you created your
# installation artefacts with the openshift-install prog
$ oc whoami
This will confirm that you are in as "system:admin".
From there, finding the URL of the web console is easy; just run the variant:
$ oc whoami --show-console
The installer also has a file in your <installation_directory>:
$ cat <installation_directory>/auth/kubeadmin-password
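This last file is actually regarded as a security hole and may disappear in future versions (Red Hat recommends that you remove that account).
Hence there is an alternative: define some additional "admin" user accounts from the "oc" command line. This is in any case much better for sharing OC cluster administration tasks with colleagues, each with their own identity rather than a shared kubeadmin password, and with a login method that does not depend on the availability of an IDP in case the latter is unavailable for any reason (you can combine several authentication methods).
The path to follow:
Please see the detailed steps in the documentation linked above to understand what you are doing. Here is a short summary.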
#ensure you are properly logged in for the next 'oc' CLI commands
$ export KUBECONFIG=<installation_directory>/auth/kubeconfig
$ oc whoami
system:admin
#ensure the authentication operator is up and running
$ oc get clusteroperators
NAME VERSION AVAILABLE etc...
authentication 4.12.0 True etc...
...
#ensure authentication API pods are deployed
$ oc get pods -n openshift-authentication
NAME READY STATUS etc...
oauth-openshift-84955b4d7c-4d2dc 1/1 Running
oauth-openshift-84955b4d7c-4wx8v 1/1 Running
oauth-openshift-84955b4d7c-7pnqj 1/1 Running
# create an initial htpasswd file (if you already have one, or want to update passwords, omit the 'c' arg)
$ htpasswd -cB users.htpasswd <myLoginNameHere>
# you are prompted for a password twice
# repeat the command for additional users' login names
# prepare the file for inclusion as a string attribute in YAML
$ base64 -w0 users.htpasswd >users.htpasswd.b64
# edit an inject-htpass-secret.yaml file with the following content
apiVersion: v1
kind: Secret
metadata:
  name: htpass-secret
  namespace: openshift-config
type: Opaque
data:
  htpasswd: 'YmVybmFyZG... you paste here between quotes the B64 content of your users.htpasswd.b64 file ... ZtQ1MwaEdDCg=='
# create or update the secret 'htpass-secret' with the new htpasswd artefact
$ oc apply -f inject-htpass-secret.yaml
If you only need to update users/passwords in an existing configuration, the above is sufficient.
#check you don't have yet a htpasswd identity provider configured
$ oc describe oauth.config.openshift.io/cluster
# or alternatively:
$ oc edit oauth.config.openshift.io cluster
# and you shall see that the Spec attribute is an empty object
#Then, add the provider. Edit a config-OAuth-id-provider.yaml file as below.
# you can only customize the name for your provider, here 'htpasswd_provider'
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
# and apply (or update the htpasswd_provider ! ...or add it!)
$ oc apply -f config-OAuth-id-provider.yaml
Finally, add the cluster-admin role to the users:
#each user must login once first,
# which is the way for the authentication operator to discover that a new user exists
#then, add the cluster role
$ oc adm policy add-cluster-role-to-user cluster-admin <userLoginNameHere>
#if you are already logged in, you may see your web console updating its display instantly
Enjoy local console login!
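
As an added example that is not part of the original post: a shell function that renders the inject-htpass-secret.yaml manifest from users.htpasswd instead of pasting the base64 by hand, refusing malformed, duplicate or non-bcrypt entries first. The function name `render_htpass_secret`, its return codes and the bcrypt-only policy are assumptions of this example (bcrypt is what `htpasswd -B` writes).

```shell
# Added example, not from the original post. render_htpass_secret, its return
# codes and the bcrypt-only policy are assumptions of this example.
# Usage: render_htpass_secret <htpasswd-file>   (manifest goes to stdout)
render_htpass_secret() {
  local file line login hash seen
  file=$1
  seen=" "
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue            # skip blank lines
    login=${line%%:*}
    hash=${line#*:}
    # Each entry must be login:hash; never echo the hash itself.
    if [ "$login" = "$line" ] || [ -z "$login" ] || [ -z "$hash" ]; then
      echo "malformed entry (expected login:hash)" >&2; return 3
    fi
    # htpasswd -B writes bcrypt hashes, which start with $2y$.
    case $hash in
      '$2y$'*) ;;
      *) echo "'$login' is not bcrypt; re-create it with htpasswd -B" >&2
         return 4 ;;
    esac
    # A login listed twice makes it unclear which password applies.
    case $seen in
      *" $login "*) echo "duplicate login '$login'" >&2; return 5 ;;
    esac
    seen="$seen$login "
  done < "$file"
  # Same manifest as inject-htpass-secret.yaml above, base64 filled in.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: htpass-secret
  namespace: openshift-config
type: Opaque
data:
  htpasswd: $(base64 < "$file" | tr -d '\n')
EOF
}

# Typical use (umask keeps the manifest readable by you only):
#   umask 077
#   render_htpass_secret users.htpasswd > inject-htpass-secret.yaml
#   oc apply -f inject-htpass-secret.yaml
```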