How To
Summary
When setting up an OpenShift Container Platform (OCP) test or demo environment, it can be hard to decide which identity provider to use. The identity provider is needed so that you have a set of users to work with your OpenShift cluster and projects. While it is common to set up OCP with an LDAP system, some users might want a simpler setup for a demo environment. For that case, you can use the HTPasswd identity provider.
Objective
These steps are useful for a fresh OCP installation and cover the following topics:
- Creating a flat-file identity provider for the OpenShift cluster.
- Creating new cluster admin and non-admin users.
- Disabling the default user that comes with an installation.
Environment
These instructions assume you are using a Red Hat Enterprise Linux client machine that can connect to your OpenShift cluster with the oc CLI, although they could be easily adapted to other clients. These instructions also assume you are using the default kubeadmin user and have yet to set up your identity provider or real admin users.
Steps
Follow these steps to set up your OpenShift users with a flat file identity provider.
- Move to a directory where you want to put the temp files.
    cd /home
- Install the htpasswd command.
    yum install httpd-tools
- Create some users and passwords. Note that the first command creates the password file and the second adds to it.
    htpasswd -c -B -b users.htpasswd ocpadmin 123456
    htpasswd -B -b users.htpasswd cpadmin 123456
- Optionally, you can verify users with these commands:
    htpasswd -b -v users.htpasswd cpadmin 123456
    htpasswd -b -v users.htpasswd ocpadmin 123456
- Create a secret to contain the htpasswd file.
    oc create secret generic htpass-secret --from-file=htpasswd=./users.htpasswd -n openshift-config
- Create a CR file for the config change as mentioned in Configuring an HTPasswd identity provider. In this example, we use htpasswdCR.yaml.
    apiVersion: config.openshift.io/v1
    kind: OAuth
    metadata:
      name: cluster
    spec:
      identityProviders:
      - name: admins_htpasswd_provider
        mappingMethod: claim
        type: HTPasswd
        htpasswd:
          fileData:
            name: htpass-secret
- Apply the yaml file with htpasswd identity provider settings.
    oc apply -f htpasswdCR.yaml
- Log in with kubeadmin by using the generated password.
    oc login -u kubeadmin -p <token_from_install>
- Give the ocpadmin user cluster admin permissions as mentioned in Using RBAC to define and apply permissions. This user is the new cluster admin.
    oc adm policy add-cluster-role-to-user cluster-admin ocpadmin
- Log out as kubeadmin.
    oc logout
- Log in and log out as cpadmin so the user object is created.
    oc login -u cpadmin -p 123456
    oc logout
- Log in as the new cluster admin (ocpadmin in this example).
    oc login -u ocpadmin -p 123456
- Optional: Once you have a real cluster admin user, you can remove the secret that allows the kubeadmin user to work as mentioned in Removing the kubeadmin user.
    oc delete secrets kubeadmin -n kube-system
You now have 2 users who have access to your OpenShift cluster.
ocpadmin - OCP admin with cluster admin permissions.
cpadmin - non-admin OCP user who can be used to install the Cloud Pak.
The users.htpasswd file created during this procedure can be discarded once the secret is created.
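An added example, not part of the original document: a shell check to run on users.htpasswd before the oc create secret step. It confirms that every entry was written with -B (bcrypt), because htpasswd falls back to apr1 MD5 when -B is left off either command. The function name audit_htpasswd and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# audit_htpasswd FILE  (hypothetical helper, not an OpenShift or Apache tool)
# Reports the hash scheme of every entry and returns non-zero if any entry
# is malformed, repeats a username, or is not a bcrypt hash.
audit_htpasswd() {
    awk -F: '
        /^[ \t]*$/ { next }                            # ignore blank lines
        NF < 2 || $1 == "" || $2 == "" {
            printf "FAIL line %d: malformed entry\n", NR; bad = 1; next
        }
        seen[$1]++ {                                   # true from the 2nd occurrence on
            printf "FAIL line %d: duplicate user %s\n", NR, $1; bad = 1
        }
        {
            # bcrypt: $2a$/$2b$/$2y$ + two-digit cost + $ + 53 chars = 60 total
            if ($2 ~ /^[$]2[aby][$][0-9][0-9][$]/ && length($2) == 60) {
                printf "ok   line %d: %s bcrypt cost %d\n", NR, $1, substr($2, 5, 2)
            } else if (index($2, "$apr1$") == 1) {
                printf "FAIL line %d: %s apr1 MD5 (htpasswd default without -B)\n", NR, $1
                bad = 1
            } else if (index($2, "{SHA}") == 1) {
                printf "FAIL line %d: %s unsalted SHA-1 (-s)\n", NR, $1; bad = 1
            } else {
                printf "FAIL line %d: %s unrecognised hash (crypt or plaintext?)\n", NR, $1
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample, not real hashes: ocpadmin added with -B, cpadmin without it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ocpadmin:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
cpadmin:$apr1$constrct$abcdefghijklmnopqrstuv
EOF
audit_htpasswd "$sample" || echo "Recreate the failing entries with -B before creating htpass-secret."
rm -f "$sample"
```

The reported cost is the bcrypt work factor; htpasswd sets it with -C when used together with -B.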
Document Location
Worldwide
Document Information
Modified date: 09 July 2021
UID
ibm16350289