Open dustymabe opened 8 years ago
+1
Can I work on this? If nobody is already doing so?
@surajssd all yours!
@surajssd.. so @kadel and I had a discussion about this when I first opened the ticket, but the discussion didn't make it back into the ticket.
What we have right now is `accesstoken` and that is the way we do auth. We'd like to change this to `providerauth`, or something generic like that, and allow the user to pass in either an OAuth access token or a path to client cert/key via that one config item. The client cert/key would be two files separated by a `;` or something similar.
The client may also have a single file with cert/key combined so we would need to support that as well. These are the 3 options:
There is also another thing we should support regarding `providerconfig`.
There are two options for how the client cert/key can be specified in `providerconfig`:
- `client-key-data` and `client-certificate-data`
- `client-key` and `client-certificate`
When the first one (`*-data`) is used, the cert and key are embedded inside the config file as the values of those keys; when the second one is used, it points to the file with the key/cert.
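As an added example (not atomicapp's code, and not posted by anyone in this thread): a small Python helper that handles both `providerconfig` forms described above and the single `providerauth` item proposed earlier in the thread. The function names, the `;` separator and the constructed inputs are assumptions; inline `*-data` values are decoded into mode-0600 temp files because requests only accepts file paths.

```python
import base64
import os
import tempfile


def _materialize(section, name):
    """Return a file path for the kubeconfig entry `name`.

    `<name>-data` carries the PEM inline, base64-encoded; requests only takes
    paths, so it is decoded into a fresh mkstemp() file (created mode 0600).
    `<name>` is already a path and is returned unchanged. None if absent.
    """
    if name + "-data" in section:
        fd, path = tempfile.mkstemp(suffix=".pem")
        with os.fdopen(fd, "wb") as fh:
            fh.write(base64.b64decode(section[name + "-data"]))
        return path
    return section.get(name)


def parse_providerauth(value):
    """Interpret the single `providerauth` item proposed in the thread:
    a bare OAuth token, or 'cert-path;key-path' (';' separator assumed)."""
    if ";" in value:
        cert, key = value.split(";", 1)
        return {"client-certificate": cert, "client-key": key}
    return {"token": value}


def requests_auth_kwargs(user, cluster=None):
    """Build kwargs for requests.get()/post() from a kubeconfig `user`
    mapping and, optionally, its `cluster` mapping."""
    kwargs = {"headers": {}, "cert": None, "verify": True}
    if "token" in user:
        kwargs["headers"]["Authorization"] = "Bearer " + user["token"]
    cert = _materialize(user, "client-certificate")
    key = _materialize(user, "client-key")
    if (cert is None) != (key is None):
        raise ValueError("client-certificate and client-key must be given together")
    if cert is not None:
        kwargs["cert"] = (cert, key)
    elif "token" not in user:
        raise ValueError("neither token nor client cert/key configured")
    cluster = cluster or {}
    if cluster.get("insecure-skip-tls-verify"):
        kwargs["verify"] = False  # disables server verification, as in the ADB walk-through
    else:
        ca = _materialize(cluster, "certificate-authority")
        if ca is not None:
            kwargs["verify"] = ca  # pin the cluster CA rather than trusting system roots
    return kwargs
```

The returned dict is unpacked straight into `requests.get(url, **kwargs)`; the temp files should be removed once the session is closed.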
@surajssd - how's the progress on this coming?
I am not clear on the concept of how to use certificates to authenticate a user to OpenShift. From what I understand, for now we support in Atomic App:
```
$ oc login --token=XZ0UQoKHiMY411Hs4Q3uyfAunCBovRSpquberltvBiM
```
(where this token is taken from `~/.kube/config`, and this works fine, I get logged in as the specific user)
Now for using certificates we are gonna use this method of authentication:
```
$ oc login --certificate-authority='path-to-crt'
```
So the doubt is where do I get these certificates from? How to generate them? I have already looked into the OpenShift documentation and it is not helpful; I followed this doc and it does not lead anywhere: https://docs.openshift.org/latest/architecture/additional_concepts/authentication.html#api-authentication
@surajssd thanks for taking a look at this.. The following documentation isn't the cleanest but take a look at: https://docs.openshift.org/latest/install_config/configuring_authentication.html#RequestHeaderIdentityProvider
On the ADB you can configure `oc` to use certs for an "admin" user like so:
```sh
rm ~/.kube/config
oc config set-cluster local --server=https://localhost:8443 --insecure-skip-tls-verify=true
oc config set-context local --cluster local --namespace default --user cluster-admin
oc config set current-context local
oc config set-credentials cluster-admin --client-certificate='/var/lib/openshift/openshift.local.config/master/openshift-master.crt' --client-key='/var/lib/openshift/openshift.local.config/master/openshift-master.key'
```
Now look at `~/.kube/config` and you can see it is using the certs and you can run `oc get pods`, etc.. You might get a permission denied error so you might have to open up permissions on the files.
@dustymabe I tried your findings and they work fine, thanks for the pointers.
```python
In [24]: url = 'https://10.1.2.2:8443/oapi/v1/namespaces/samp/buildconfigs'
In [25]: requests.get(url, cert=('/var/lib/openshift/openshift.local.config/master/openshift-master.crt', '/var/lib/openshift/openshift.local.config/master/openshift-master.key'), verify='/var/lib/openshift/openshift.local.config/master/ca.crt').content
Out[25]: '{"kind":"BuildConfigList","apiVersion":"v1","metadata":{"selfLink":"/oapi/v1/namespaces/samp/buildconfigs","resourceVersion":"10415"},"items":[{"metadata":{"name":"mlbparks","namespace":"samp","selfLink":"/oapi/v1/namespaces/samp/buildconfigs/mlbparks","uid":"f4df399c-0000-11e6-950c-525400c65436","resourceVersion":"7211","creationTimestamp":"2016-04-11T16:17:58Z","labels":{"app":"mlbparks","application":"mlbparks","template":"eap64-basic-s2i","xpaas":"1.1.0"},"annotations":{"openshift.io/generated-by":"OpenShiftNewApp"}},"spec":{"triggers":[{"type":"GitHub","github":{"secret":"t5253A3o"}},{"type":"Generic","generic":{"secret":"EiLbOmwk"}},{"type":"ImageChange","imageChange":{"lastTriggeredImageID":"registry.access.redhat.com/jboss-eap-6/eap64-openshift:1.1"}},{"type":"ConfigChange"}],"source":{"type":"Git","git":{"uri":"https://github.com/gshipley/openshift3mlbparks","ref":"master"}},"strategy":{"type":"Source","sourceStrategy":{"from":{"kind":"ImageStreamTag","namespace":"openshift","name":"jboss-eap64-openshift:1.1"},"forcePull":true}},"output":{"to":{"kind":"ImageStreamTag","name":"mlbparks:latest"}},"resources":{}},"status":{"lastVersion":1}}]}\n'
```
pingall, helppp!
What is the update on this? I see @surajssd and @kadel did most of the work in PR #696 under `lib/kubeconfig.py`, but it has now been replaced with `lib/kubeshift.py`, and looks like an alternate implementation.
Some context around this would really help, TIA!
Yeahhhh..... To be honest it's on my todo-list. I need to work on converting the openshift provider to kubeshift :)
To answer your questions: `kubeshift.py` for the implementation since it was very similar

@cdrage, oh, so the openshift provider does not use kubeshift right now? Does kubeshift handle all the certificate authentication as required in this issue?
@containscafeine in the code openshift is still a separate code-base. Kubeshift handles authentication for Kubernetes at the moment. But after we fix the base64 encoding issue (converting -data files to base64) then we can start converting OpenShift to use Kubeshift :)
@cdrage Oh, is there an issue about that bug? Are you already working on it?
@containscafeine yup :) https://github.com/projectatomic/atomicapp/issues/743
no, haven't worked on it yet, but will be
@cdrage sweet, let me know if you need any help with that.
You can authenticate to OpenShift either with an OAuth token or a client cert/key. Currently we only support the token method.
We should support client cert/key as well. See the following for an example of how to use the python-requests library to do the auth:
http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification