OpenShift 4.x HOL Tutorial Collection
Note: this article has been verified on OpenShift 4.7.
Normally we log in to OpenShift with a username and password, but a client can also present one of the following credentials to the API server (and, via the token, to the internal image registry):
- X.509 client certificates: require an HTTPS connection to the API server.
- OAuth access tokens: sent as an Authorization: Bearer ... header or as an access_token=... query parameter.
Separate from the credential itself, the client also needs the CA certificate that signed the registry route's TLS certificate, so that it can verify the server instead of turning TLS verification off. The first part below obtains that CA and installs it; the second part uses an OAuth token as the credential.
Obtain the CA certificate for accessing the OpenShift internal registry
Prepare the environment
- Install the software (the JDK is only needed for keytool in method 3).
$ yum install -y podman skopeo java-1.8.0-openjdk
- Expose the internal registry through a Route and record its host name.
$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
$ REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
Method 1
- As the root user, run the following command to capture the certificate chain presented by the registry route. Note: because the ingress CA is self-signed, openssl prints a verification error on stderr; that is expected and can be ignored. The awk range keeps every PEM block of the chain (the route's leaf certificate first, the issuing ingress-operator CA last). Keeping only the first block would pin the leaf certificate, which stops matching as soon as the route certificate is renewed.
$ openssl s_client -showcerts -connect ${REGISTRY}:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > openshift-ca.crt
depth=1 CN = ingress-operator@1620998392
verify error:num=19:self signed certificate in certificate chain
DONE
- View the certificate contents (openssl x509 prints only the first certificate in the file; the CA is the last block).
$ cat openshift-ca.crt
$ openssl x509 -noout -text -in openshift-ca.crt
- Copy the certificate into podman's per-registry directory. Note: podman and skopeo read the CA certificates for a registry from /etc/containers/certs.d/<host[:port]>; the directory name must match the host exactly as it is written in image references.
$ mkdir -p /etc/containers/certs.d/${REGISTRY}
$ cp openshift-ca.crt /etc/containers/certs.d/${REGISTRY}
Method 2
- Read the cluster CA bundle from the service-account secret mounted in an oauth-openshift pod; no connection to the route is needed.
$ POD=$(oc get pod -n openshift-authentication | grep oauth-openshift | head -n 1 | cut -d " " -f 1)
$ oc exec $POD -n openshift-authentication -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > openshift_ca.crt
- Copy the certificate into the system trust store. Note: when the system store is used, update-ca-trust must be run so the consolidated bundle is regenerated.
$ cp openshift_ca.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust extract
Method 3
- Use the JDK keytool (installed above) to dump the chain served by the registry route in PEM form straight into the system trust anchors, then regenerate the bundle.
$ keytool -printcert -sslserver $REGISTRY -rfc > /etc/pki/ca-trust/source/anchors/myregistry.crt
$ update-ca-trust
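The three methods above all end with "a file in the right directory". The following script is an added example (not code from the original article) that does method 1 end to end with the checks a practitioner wants: it captures the whole chain, keeps the issuing CA rather than the leaf, installs it under the certs.d directory that podman and skopeo consult, keyed by the host name as written in image references, and confirms that the installed CA actually validates the route before anything trusts it. It assumes bash (or POSIX sh), awk and openssl; CERTS_ROOT overrides /etc/containers/certs.d so the functions can be exercised as a normal user. Function names and the constructed two-block "chain" are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes sh/bash, awk, openssl.
set -e

# Number of PEM certificates in a bundle file.
pem_cert_count() {                      # $1 = PEM bundle
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the N-th certificate (1-based) of a PEM bundle. Chains printed by
# "openssl s_client -showcerts" list the leaf first and the issuer last.
pem_nth_cert() {                        # $1 = PEM bundle, $2 = N
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  ' "$1"
}

# Fetch every certificate the route serves. openssl reports
# "self signed certificate in certificate chain" on stderr for the
# ingress-operator CA; that is expected and is left visible on purpose.
fetch_registry_chain() {                # $1 = host:port, $2 = output file
  openssl s_client -showcerts -servername "${1%%:*}" -connect "$1" </dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$2"
}

# Install the last certificate of the chain (the CA) as
# ${CERTS_ROOT}/<host[:port]>/ca.crt. The directory name must be the host
# exactly as written in image references. If the server sent only its leaf,
# pin that and warn: it stops matching when the route certificate is renewed.
install_registry_ca() {                 # $1 = host[:port] from the image ref, $2 = chain file
  local root="${CERTS_ROOT:-/etc/containers/certs.d}" n dest
  n=$(pem_cert_count "$2")
  [ "$n" -ge 1 ] || { echo "no certificate found in $2" >&2; return 1; }
  dest="${root}/$1"
  mkdir -p "$dest"
  pem_nth_cert "$2" "$n" > "${dest}/ca.crt"
  [ "$n" -gt 1 ] || echo "warning: only a leaf certificate was received; pinned it" >&2
  echo "${dest}/ca.crt"
}

# Return 0 only if the route's chain verifies against the installed CA
# (-verify_return_error turns a verification failure into a non-zero exit).
verify_route_with_ca() {                # $1 = host:port, $2 = CA file
  openssl s_client -verify_return_error -CAfile "$2" -servername "${1%%:*}" \
    -connect "$1" </dev/null >/dev/null 2>&1
}

# Constructed two-block "chain" (not real certificates) so the text handling
# can be run without a cluster; fetch_registry_chain produces the real thing.
write_constructed_chain() {             # $1 = output file
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
}

# Real usage against a cluster, with REGISTRY set as earlier in the article:
#   fetch_registry_chain "${REGISTRY}:443" chain.pem
#   ca=$(install_registry_ca "${REGISTRY}" chain.pem)
#   verify_route_with_ca "${REGISTRY}:443" "$ca" && echo "CA validates the route"
```

The verify step is the one worth keeping even if you install the CA some other way: a file in certs.d that does not validate the route makes podman fail closed, which is fine, but a leaf certificate pinned there silently works until the next certificate rotation and then breaks pulls in CI at an inconvenient moment.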
Verify access using the CA certificate
- With the CA installed, TLS verification stays on. Use the token as the credential and inspect the openshift/nodejs image in OpenShift.
$ TOKEN=$(oc whoami -t)
$ skopeo inspect --creds="-:${TOKEN}" docker://${REGISTRY}/openshift/nodejs
{
"Name": "default-route-openshift-image-registry.apps.cluster-beijing-f5b3.beijing-f5b3.sandbox1120.opentlc.com/openshift/nodejs",
"Digest": "sha256:b77bb2f8d35ae3f30998135387c73a3943222dd0948ef9be3eb87207b3fba99a",
"RepoTags": [
"12",
"latest",
"10"
],
"Created": "2020-07-22T06:35:50.433115Z",
"DockerVersion": "1.13.1",
"Labels": {
"architecture": "x86_64",
"build-date": "2020-07-22T06:34:32.929721",
"com.redhat.build-host": "cpt-1006.osbs.prod.upshift.rdu2.redhat.com",
"com.redhat.component": "rh-nodejs12-container",
"com.redhat.deployments-dir": "/opt/app-root/src",
"com.redhat.dev-mode": "DEV_MODE:false",
"com.redhat.dev-mode.port": "DEBUG_PORT:5858",
"com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
"description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
...
Access the internal registry with a token
Obtain a token
OpenShift 4 - Obtaining a user authentication token for the API server
Verify access using the token
If the client does not trust the CA that signed the registry route's certificate, tools must be run with TLS verification disabled: skopeo and podman with --tls-verify=false, oc login with --insecure-skip-tls-verify=true. That disables authentication of the server, so the OAuth token, which is a full API credential for the user, can be captured by anyone able to intercept the connection. Once the CA has been installed as described above, the same commands work with verification left on.
- Use the token to inspect the openshift/nodejs image in OpenShift (here with TLS verification disabled, as it would be before the CA was installed).
$ TOKEN=$(oc whoami -t)
$ skopeo inspect --creds="-:${TOKEN}" --tls-verify=false docker://${REGISTRY}/openshift/nodejs
{
"Name": "default-route-openshift-image-registry.apps.cluster-beijing-f5b3.beijing-f5b3.sandbox1120.opentlc.com/openshift/nodejs",
"Digest": "sha256:b77bb2f8d35ae3f30998135387c73a3943222dd0948ef9be3eb87207b3fba99a",
"RepoTags": [
"12",
"latest",
"10"
],
"Created": "2020-07-22T06:35:50.433115Z",
"DockerVersion": "1.13.1",
"Labels": {
"architecture": "x86_64",
"build-date": "2020-07-22T06:34:32.929721",
"com.redhat.build-host": "cpt-1006.osbs.prod.upshift.rdu2.redhat.com",
"com.redhat.component": "rh-nodejs12-container",
"com.redhat.deployments-dir": "/opt/app-root/src",
"com.redhat.dev-mode": "DEV_MODE:false",
"com.redhat.dev-mode.port": "DEBUG_PORT:5858",
"com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
"description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
...
See also: Container Basics (4) - skopeo
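What --creds="-:${TOKEN}" actually does is worth seeing once, because it explains why the registry accepts an OpenShift OAuth token at all. The script below is an added example, not code from the original article or from skopeo: it performs the registry v2 token handshake by hand with curl, so each message is visible. It assumes bash or POSIX sh, curl and sed, and that the registry CA is already trusted (no -k / --insecure anywhere). The realm URL and scope are taken from the registry's own 401 challenge rather than hard-coded; SAMPLE_CHALLENGE, the sample JSON in the usage note, and the function names are this example's own constructions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes sh/bash, curl, sed.
set -e

# Constructed challenge, shaped like the header a registry returns on a 401
# (host name made up). The real one comes from registry_challenge below.
SAMPLE_CHALLENGE='Bearer realm="https://registry.example.com/openshift/token",service="docker-registry",scope="repository:openshift/nodejs:pull,push"'

# Extract one quoted parameter (realm, service, scope) from a Bearer challenge.
# The quoted value is matched as a whole, so a scope like "pull,push" survives.
bearer_param() {                        # $1 = challenge value, $2 = parameter
  printf '%s\n' "$1" | sed -n "s/.*[[:space:],]${2}=\"\([^\"]*\)\".*/\1/p"
}

# Pull the WWW-Authenticate value out of a raw response header dump (stdin).
challenge_from_headers() {
  tr -d '\r' | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate:[[:space:]]*//p'
}

# Pull the "token" field out of the realm's JSON reply (stdin).
token_from_json() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 1: an unauthenticated request; the 401 carries the challenge.
registry_challenge() {                  # $1 = registry host, $2 = repository
  curl -sS -o /dev/null -D - "https://$1/v2/$2/tags/list" | challenge_from_headers
}

# Step 2: present the OpenShift OAuth token as the basic-auth password at the
# realm (the user name is not what is checked; skopeo sends "-") and receive
# a short-lived registry token limited to the requested scope.
registry_token() {                      # $1 = challenge value, $2 = OAuth token
  local realm service scope
  realm=$(bearer_param "$1" realm)
  service=$(bearer_param "$1" service)
  scope=$(bearer_param "$1" scope)
  curl -sS -u "-:$2" "${realm}?service=${service}&scope=${scope}" | token_from_json
}

# Step 3: only the registry token goes in Authorization: Bearer on /v2/ calls;
# the OAuth token itself is sent to the realm alone.
registry_tags() {                       # $1 = registry host, $2 = repository, $3 = registry token
  curl -sS -H "Authorization: Bearer $3" "https://$1/v2/$2/tags/list"
}

# Whole exchange, e.g.: list_tags "$REGISTRY" openshift/nodejs "$(oc whoami -t)"
list_tags() {
  local challenge rtoken
  challenge=$(registry_challenge "$1" "$2")
  [ -n "$challenge" ] || { echo "no Bearer challenge from $1" >&2; return 1; }
  rtoken=$(registry_token "$challenge" "$3")
  [ -n "$rtoken" ] || { echo "token exchange at realm failed" >&2; return 1; }
  registry_tags "$1" "$2" "$rtoken"
}
```

Two things fall out of seeing the exchange. First, the OAuth token is transmitted twice over TLS (as the basic-auth password to the realm, and implicitly whenever a tool retries), so --tls-verify=false exposes a credential that is good for the whole API, not just for one image pull. Second, the realm URL is supplied by the server in the 401; a client that skips verification will happily send that password to whatever realm an interposed host advertises.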