Working with OpenShift

Create a new deployment with name ‘ronald’ based on a public git repo

oc new-app --name ronald https://github.com/sclorg/cakephp-ex

Creating secrets

Source: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/nodes/working-with-pods#nodes-pods-secrets

oc create secret generic ronald-secret --from-literal=username=ronald --from-literal=password=topsecretpass

Viewing secrets

oc get secret ronald-secret -ojsonpath='{.data.password}' | base64 -d
oc get secret ronald-secret -ojsonpath='{.data.username}' | base64 -d

Using secrets as an environment variable

containers:
- env:
  - name: PASSWORD
    valueFrom:
      secretKeyRef:
        key: password
        name: ronald-secret
  - name: USERNAME
    valueFrom:
      secretKeyRef:
        key: username
        name: ronald-secret

Using secrets as a volume mount

containers:
  volumeMounts:
  - mountPath: /etc/secret-volume
    name: secret-volume
    readOnly: true
volumes:
- emptyDir: {}
  name: secret-volume

Expose a service as a route

oc expose service/ronald

Creating a secured route (TLS)

Source: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/networking/configuring-routes

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

openssl x509 -in tls.crt -text -noout

oc create route edge --service=ronald --cert=tls.crt --key=tls.key

spec:
  tls:
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----

htpasswd

Source: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/authentication_and_authorization/configuring-identity-providers#configuring-htpasswd-identity-provider

sudo yum install httpd-tools

# create file
htpasswd -c -B -b users.htpasswd admin admin

# update file, add additional user
htpasswd -B -b users.htpasswd ronald ronald

oc create secret generic htpass-secret-new --from-file=htpasswd=users.htpasswd -n openshift-config

oc edit oauth cluster

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret-new

Modify / delete user (passwords)

oc get secret htpass-secret-new -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > users.htpasswd

# add new user
htpasswd -b -B users.htpasswd <username> <password>

# update password
htpasswd -B -b users.htpasswd <username> <password>

# delete user
htpasswd -D users.htpasswd <username>

# replace the secret
oc create secret generic htpass-secret-new --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -

# delete user inside openshift
oc delete user kubeadmin
oc delete identity my_htpasswd_provider:kubeadmin

RBAC (create cluster-admin)

oc adm policy add-cluster-role-to-user cluster-admin admin

RBAC (project access)

oc adm policy add-role-to-user admin ronald -n rvb-tst01

Create custom RBAC rules

Allow a user to get and list pods inside a project

oc create role getpods --verb=get,list --resource=pods -n rvb-tst02

oc adm policy add-role-to-user getpods ronald --role-namespace rvb-tst02 -n rvb-tst02

Quota

Source: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/applications/quotas

oc create quota ronald-quota --hard=cpu=1,memory=1G,pods=10,services=3,secrets=5

View the status, used vs available resources inside the resourcequota:

oc get resourcequota

Limit range

Set default cpu & memory request / limits on projects

Source: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/nodes/working-with-clusters#nodes-cluster-limit-ranges

oc describe limits resource-limits

Scaling

oc scale deploy ronald --replicas 3
oc autoscale deployment ronald --min=1 --max=5

Taints & tolerations

Source: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/nodes/controlling-pod-placement-onto-nodes-scheduling#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations

oc adm taint nodes crc-scmfr-master-0 dedicated=special-user:NoSchedule

Will result in the following on the node:

- effect: NoSchedule
  key: dedicated
  value: special-user

Now create a toleration on a deployment

spec:
  tolerations:
  - effect: NoSchedule
    key: dedicated
    operator: Equal
    value: special-user

NodeSelector

oc label node crc-scmfr-master-0 zone1=east

spec:
  nodeSelector:
    zone1: east
  containers: