projectatomic / atomicapp

[UNMAINTAINED] This is the reference implementation of the Nulecule container application Specification: Atomic App

Support authenticating via client certificate for Openshift #533

Open dustymabe opened 8 years ago

dustymabe commented 8 years ago

You can authenticate to Openshift either with an OAuth token or client cert/key. Currently we only support the token method.

We should support client cert/key as well. See the following for an example of how to use the python-requests library to do the auth:

http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification

sub-mod commented 8 years ago

+1

surajssd commented 8 years ago

Can I work on this? If nobody is already doing so?

cdrage commented 8 years ago

@surajssd all yours!

dustymabe commented 8 years ago

@surajssd.. so @kadel and I had a discussion about this when I first opened the ticket, but the discussion didn't make it back into the ticket.

What we have right now is accesstoken and that is the way we do auth. We'd like to change this to providerauth, or something generic like that, and allow the user to pass in either an OAuth access token or a path to client cert/key via that one config item. The client cert/key would be two files separated by a ; or something similar.

The client may also have a single file with cert/key combined so we would need to support that as well. These are the 3 options:

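The single-item design proposed in the comment above, worked through as an added example (this is not atomicapp's code and not from the thread's authors): a resolver that accepts either a bearer token or the client cert/key in the `cert;key` or combined-file form, checks that the files actually carry a CERTIFICATE and a PRIVATE KEY block, and refuses a private key that other users can read. The key name `providerauth`, the `;` separator, and the rule that a path-like value which does not exist is rejected rather than sent to the server as a token are assumptions of the example; `FAKE_CERT`/`FAKE_KEY` are constructed placeholder PEM text, not a real certificate or key.

```python
"""Resolve one 'providerauth' value into keyword arguments for requests.

Added example, not atomicapp code. One config item carries either an OAuth
access token or the client cert/key, in these assumed forms:
  "/path/client.crt;/path/client.key"   -> cert=(crt, key)
  "/path/client.pem"  (cert+key in one) -> cert="/path/client.pem"
  anything else                         -> Authorization: Bearer <token>
"""
import os
import re
import stat
import tempfile

CERT_MARK = re.compile(r"-----BEGIN CERTIFICATE-----")
KEY_MARK = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# Constructed placeholder PEM text for demo(); not a real certificate or key.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"


def _pem_contents(path):
    """Return (has_certificate, has_private_key) for a PEM file."""
    if not os.path.isfile(path):
        raise ValueError("providerauth names a missing file: %s" % path)
    with open(path, "r") as f:
        text = f.read()
    return bool(CERT_MARK.search(text)), bool(KEY_MARK.search(text))


def _require_private(path):
    """Refuse a key other users can read: a readable key is a usable credential."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError("%s is mode %o; private keys should be 0600" % (path, mode))


def resolve_providerauth(value):
    """Return ('cert', kwargs) or ('token', kwargs) for requests.get(url, **kwargs)."""
    value = value.strip()
    parts = [p.strip() for p in value.split(";")]
    if len(parts) == 2:                           # "cert;key": two PEM files
        crt, key = parts
        if not _pem_contents(crt)[0]:
            raise ValueError("%s contains no CERTIFICATE block" % crt)
        if not _pem_contents(key)[1]:
            raise ValueError("%s contains no PRIVATE KEY block" % key)
        _require_private(key)
        return "cert", {"cert": (crt, key)}
    if len(parts) != 1 or not value:
        raise ValueError("providerauth must be a token, one PEM file or 'cert;key': %r" % value)
    if os.path.isfile(value):                     # one file: combined cert+key PEM
        has_cert, has_key = _pem_contents(value)
        if not (has_cert and has_key):
            raise ValueError("%s must contain both a certificate and a private key" % value)
        _require_private(value)
        return "cert", {"cert": value}
    if os.sep in value or "/" in value:
        # Path-like but missing: fail here instead of sending the path to the server as a token.
        raise ValueError("providerauth looks like a path but no such file: %s" % value)
    return "token", {"headers": {"Authorization": "Bearer " + value}}


def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def demo():
    """Exercise the three forms plus two failure modes with placeholder files."""
    d = tempfile.mkdtemp()
    crt, key, combined = (os.path.join(d, n) for n in ("client.crt", "client.key", "client.pem"))
    _write(crt, FAKE_CERT, 0o644)
    _write(key, FAKE_KEY, 0o600)
    _write(combined, FAKE_CERT + FAKE_KEY, 0o600)
    out = {
        "pair": resolve_providerauth(crt + ";" + key),
        "combined": resolve_providerauth(combined),
        "token": resolve_providerauth("t0ken-placeholder"),
    }
    os.chmod(key, 0o644)                          # now group/world readable
    try:
        resolve_providerauth(crt + ";" + key)
        out["loose_key"] = "accepted"
    except ValueError:
        out["loose_key"] = "refused"
    try:
        resolve_providerauth(os.path.join(d, "typo.crt"))
        out["missing_path"] = "sent as token"
    except ValueError:
        out["missing_path"] = "refused"
    return out


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(k, v)
```

The returned kwargs are passed straight to `requests.get(url, **kwargs)`; `verify=` (the CA bundle) is deliberately left to the cluster side of the config, since it authenticates the server rather than the client.
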
kadel commented 8 years ago

There is also another thing we should support regarding providerconfig

There are two options for how the client cert/key can be specified in providerconfig:

When the first one (*-data) is used, the cert and key are embedded inside the config file as the values of those keys; when the second one is used, it points to a file with the key/cert.

dustymabe commented 8 years ago

@surajssd - how's the progress on this coming?

surajssd commented 8 years ago

I am not clear on the concept of how to use certificates to authenticate a user to OpenShift. From what I understand, for now we support in Atomic App: $ oc login --token=XZ0UQoKHiMY411Hs4Q3uyfAunCBovRSpquberltvBiM (where this token is taken from ~/.kube/config, and this works fine; I get logged in as the specific user).

Now for using certificates we are going to use this authentication method: $ oc login --certificate-authority='path-to-crt'. So the doubt is, where do I get these certificates from? How do I generate them? I have already looked into the documentation of OpenShift and it is not helpful; I followed this doc and it does not lead anywhere: https://docs.openshift.org/latest/architecture/additional_concepts/authentication.html#api-authentication

dustymabe commented 8 years ago

@surajssd thanks for taking a look at this.. The following documentation isn't the cleanest but take a look at: https://docs.openshift.org/latest/install_config/configuring_authentication.html#RequestHeaderIdentityProvider

On the ADB you can configure oc to use certs for an "admin" user like so:

```shell
# start from a clean kubeconfig
rm ~/.kube/config
# local ADB master; --insecure-skip-tls-verify=true means the server cert is not checked
oc config set-cluster local --server=https://localhost:8443 --insecure-skip-tls-verify=true
oc config set-context local --cluster local --namespace default --user cluster-admin
oc config set current-context local
# bind the cluster-admin user to the master's own client cert/key (PEM files)
oc config set-credentials cluster-admin --client-certificate='/var/lib/openshift/openshift.local.config/master/openshift-master.crt' --client-key='/var/lib/openshift/openshift.local.config/master/openshift-master.key'
```

Now look at ~/.kube/config and you can see it is using the certs and you can run oc get pods, etc.. You might get a permission denied error so you might have to open up permissions on the files.

surajssd commented 8 years ago

@dustymabe I tried your findings and they work fine, thanks for the pointers.

```python
import requests

url = 'https://10.1.2.2:8443/oapi/v1/namespaces/samp/buildconfigs'
# cert=(crt, key): authenticate as the client; verify=ca.crt: check the server against the master CA
requests.get(url,
             cert=('/var/lib/openshift/openshift.local.config/master/openshift-master.crt',
                   '/var/lib/openshift/openshift.local.config/master/openshift-master.key'),
             verify='/var/lib/openshift/openshift.local.config/master/ca.crt').content
```

Output (`Out[25]`):

```text
'{"kind":"BuildConfigList","apiVersion":"v1","metadata":{"selfLink":"/oapi/v1/namespaces/samp/buildconfigs","resourceVersion":"10415"},"items":[{"metadata":{"name":"mlbparks","namespace":"samp","selfLink":"/oapi/v1/namespaces/samp/buildconfigs/mlbparks","uid":"f4df399c-0000-11e6-950c-525400c65436","resourceVersion":"7211","creationTimestamp":"2016-04-11T16:17:58Z","labels":{"app":"mlbparks","application":"mlbparks","template":"eap64-basic-s2i","xpaas":"1.1.0"},"annotations":{"openshift.io/generated-by":"OpenShiftNewApp"}},"spec":{"triggers":[{"type":"GitHub","github":{"secret":"t5253A3o"}},{"type":"Generic","generic":{"secret":"EiLbOmwk"}},{"type":"ImageChange","imageChange":{"lastTriggeredImageID":"registry.access.redhat.com/jboss-eap-6/eap64-openshift:1.1"}},{"type":"ConfigChange"}],"source":{"type":"Git","git":{"uri":"https://github.com/gshipley/openshift3mlbparks","ref":"master"}},"strategy":{"type":"Source","sourceStrategy":{"from":{"kind":"ImageStreamTag","namespace":"openshift","name":"jboss-eap64-openshift:1.1"},"forcePull":true}},"output":{"to":{"kind":"ImageStreamTag","name":"mlbparks:latest"}},"resources":{}},"status":{"lastVersion":1}}]}\n'
```

concaf commented 7 years ago

pingall, helppp!

What is the update on this? I see @surajssd and @kadel did most of the work in PR #696 under lib/kubeconfig.py, but it has now been replaced with lib/kubeshift.py, and looks like an alternate implementation.

Some context around this would really help, TIA!

cdrage commented 7 years ago

Yeahhhh..... To be honest it's on my todo-list. I need to work on converting the openshift provider to kubeshift :)

cdrage commented 7 years ago

To answer your questions:

#696: It was complete, but we agreed to use kubeshift.py for the implementation since it was very similar.

#720: Nope, doesn't block this. We can still continue with it without the config being refactored.

concaf commented 7 years ago

@cdrage, oh, so the openshift provider does not use kubeshift right now? Does kubeshift handle all the certificate authentication as required in this issue?

cdrage commented 7 years ago

@containscafeine in the code openshift is still a separate code-base. Kubeshift handles authentication for Kubernetes at the moment. But after we fix the base64 encoding issue (converting -data files to base64) then we can start converting OpenShift to use Kubeshift :)

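The two kubeconfig forms kadel describes earlier in the thread, and the base64 handling of `-data` values cdrage mentions above, as an added example (this is not atomicapp's kubeconfig.py or kubeshift.py): a loader that takes an already parsed kubeconfig dict, accepts either `certificate-authority`/`client-certificate`/`client-key` paths or their `-data` counterparts, decodes embedded material into fresh 0600 temp files, and returns the server URL plus the `verify`/`cert`/`headers` keyword arguments for requests. The kubeconfig dict, the `FAKE_CERT`/`FAKE_KEY` PEM bytes and the token are constructed placeholders; parsing the YAML into the dict (e.g. with `yaml.safe_load`) is outside the example.

```python
"""Turn an already-parsed kubeconfig into requests() keyword arguments.

Added example, not atomicapp's kubeconfig.py or kubeshift.py. kubeconfig
convention, assumed here: 'certificate-authority', 'client-certificate' and
'client-key' hold file paths, while the same names with a '-data' suffix hold
the PEM bytes base64-encoded inside the config file itself.
"""
import base64
import os
import stat
import tempfile

# Constructed placeholder PEM blocks for demo(); not a real certificate or key.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"


def _named(items, name):
    for item in items:
        if item.get("name") == name:
            return item
    raise KeyError("kubeconfig has no entry named %r" % name)


def _materialize(section, key, workdir):
    """Return a file path for section[key] or section[key + '-data'], or None.

    The -data form is base64-decoded into a fresh 0600 file under workdir
    (mkstemp creates it O_EXCL), so a key is never on disk with loose
    permissions. Giving both forms for one key is an error, not a guess.
    """
    path, data = section.get(key), section.get(key + "-data")
    if path and data:
        raise ValueError("%s and %s-data are mutually exclusive" % (key, key))
    if path:
        if not os.path.isfile(path):
            raise ValueError("%s points to a missing file: %s" % (key, path))
        return path
    if data:
        raw = base64.b64decode(data, validate=True)   # reject non-base64 junk early
        fd, out = tempfile.mkstemp(prefix=key + "-", suffix=".pem", dir=workdir)
        with os.fdopen(fd, "wb") as f:
            f.write(raw)
        return out
    return None


def requests_kwargs_from_kubeconfig(cfg, workdir, context=None):
    """Return (server, kwargs) for requests.get(server + path, **kwargs)."""
    ctx = _named(cfg["contexts"], context or cfg["current-context"])["context"]
    cluster = _named(cfg["clusters"], ctx["cluster"])["cluster"]
    user = _named(cfg["users"], ctx["user"])["user"]
    kwargs = {}
    if cluster.get("insecure-skip-tls-verify"):
        if cluster.get("certificate-authority") or cluster.get("certificate-authority-data"):
            raise ValueError("insecure-skip-tls-verify together with a CA is contradictory")
        kwargs["verify"] = False                       # server is not authenticated at all
    else:
        ca = _materialize(cluster, "certificate-authority", workdir)
        kwargs["verify"] = ca if ca else True          # True: system CA store
    cert = _materialize(user, "client-certificate", workdir)
    key = _materialize(user, "client-key", workdir)
    if bool(cert) != bool(key):
        raise ValueError("client-certificate and client-key must be given together")
    if cert:
        kwargs["cert"] = (cert, key)                   # client certificate auth
    elif user.get("token"):
        kwargs["headers"] = {"Authorization": "Bearer " + user["token"]}
    else:
        raise ValueError("user %r has neither client cert/key nor a token" % ctx["user"])
    return cluster["server"], kwargs


def demo():
    """Resolve one context per credential form from a constructed kubeconfig dict."""
    workdir, ondisk = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name, body in (("client.crt", FAKE_CERT), ("client.key", FAKE_KEY)):
        with open(os.path.join(ondisk, name), "wb") as f:
            f.write(body)

    def b64(pem):
        return base64.b64encode(pem).decode("ascii")

    cfg = {
        "current-context": "embedded",
        "clusters": [{"name": "adb", "cluster": {"server": "https://10.1.2.2:8443",
                                                 "certificate-authority-data": b64(FAKE_CERT)}}],
        "users": [
            {"name": "embedded", "user": {"client-certificate-data": b64(FAKE_CERT),
                                          "client-key-data": b64(FAKE_KEY)}},
            {"name": "onfile", "user": {"client-certificate": os.path.join(ondisk, "client.crt"),
                                        "client-key": os.path.join(ondisk, "client.key")}},
            {"name": "tokenuser", "user": {"token": "t0ken-placeholder"}},
        ],
        "contexts": [{"name": n, "context": {"cluster": "adb", "user": n}}
                     for n in ("embedded", "onfile", "tokenuser")],
    }
    out = {n: requests_kwargs_from_kubeconfig(cfg, workdir, context=n)
           for n in ("embedded", "onfile", "tokenuser")}
    key_path = out["embedded"][1]["cert"][1]
    out["embedded_key_mode"] = stat.S_IMODE(os.stat(key_path).st_mode)
    with open(key_path, "rb") as f:
        out["embedded_key_roundtrip"] = f.read() == FAKE_KEY
    out["ca_is_file"] = os.path.isfile(out["onfile"][1]["verify"])
    return out
```

When a client cert/key and a token are both present, the example uses the certificate and ignores the token; that is a choice of this example, not a statement about how kubectl or oc resolve the same config.
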
concaf commented 7 years ago

@cdrage Oh, is there an issue about that bug? Are you already working on it?

cdrage commented 7 years ago

@containscafeine yup :) https://github.com/projectatomic/atomicapp/issues/743

no, haven't worked on it yet, but will be

concaf commented 7 years ago

@cdrage sweet, let me know if you need any help with that.