Tag: openshift

  • OpenShift RequestHeader Identity Provider with a Test IdP: My GoLang Test

    I built a demonstration using Go, JSON, bcrypt, an HTTP client and an HTTP server to model an actual IdP. This is a demonstration only; it really helped me set up and understand what’s happening in the RequestHeader flow.

    OpenShift 4.10: Configuring a request header identity provider enables an external service to act as an identity provider, where an X-Remote-User header identifies the user.

    This document outlines the flow using the HAProxy and Apache httpd already installed on the Bastion server as part of the installation process, plus a local Go Test IdP, to demonstrate the feature.

    The rough flow between OpenShift, the User and the Test IdP is:

    My Code is available at https://github.com/prb112/openshift-auth-request-header
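    The proxy side of that flow, as an added example that is not the code from the repository above: a small Go program that stands in for the authenticating proxy (Apache httpd in the setup described) sitting in front of a stand-in OAuth server. It does the two things the request header IdP depends on: it drops any X-Remote-User the client sent, and it sets the header only after the Basic-auth credentials check out. The user store, user names and passwords are constructed sample data, and a salted SHA-256 stands in for bcrypt so the program needs only the standard library. What it does not model is the other half of the trust: the real OAuth server only accepts the header over a connection authenticated with the proxy’s client certificate (the identity provider’s ca setting).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RemoteUserHeader is the header the OpenShift request header IdP reads.
const RemoteUserHeader = "X-Remote-User"

// credential is a stdlib-only stand-in for a bcrypt hash: per-user random
// salt plus SHA-256. A real IdP should use bcrypt or argon2 instead.
type credential struct{ salt, hash string }

func hashPassword(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + ":" + password))
	return hex.EncodeToString(sum[:])
}

// UserStore maps login names to credentials (constructed sample data).
type UserStore map[string]credential

// NewUserStore hashes the given plaintext passwords once at startup.
func NewUserStore(users map[string]string) UserStore {
	s := UserStore{}
	for name, pw := range users {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			panic(err)
		}
		salt := hex.EncodeToString(raw)
		s[name] = credential{salt: salt, hash: hashPassword(salt, pw)}
	}
	return s
}

// Verify compares in constant time; unknown users still pay the hash cost so
// the response time does not reveal which logins exist.
func (s UserStore) Verify(user, password string) bool {
	c, ok := s[user]
	if !ok {
		c = credential{salt: "missing"}
	}
	got := hashPassword(c.salt, password)
	return ok && subtle.ConstantTimeCompare([]byte(got), []byte(c.hash)) == 1
}

// AuthProxy models the authenticating proxy (Apache httpd in the post): it
// authenticates the caller and only then stamps X-Remote-User on the request
// handed to the OAuth server. Any X-Remote-User the client sent is removed
// first, because the scheme relies on that header coming from the proxy alone.
func AuthProxy(store UserStore, oauthServer http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(RemoteUserHeader) // never trust a client-supplied identity
		user, pw, ok := r.BasicAuth()
		if !ok || !store.Verify(user, pw) {
			w.Header().Set("WWW-Authenticate", `Basic realm="test-idp"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set(RemoteUserHeader, user)
		oauthServer.ServeHTTP(w, r)
	})
}

// Login drives one request through the proxy and reports the HTTP status and
// the identity the OAuth server side observed (empty when the login was rejected).
func Login(store UserStore, user, password, spoofedHeader string) (int, string) {
	var seen string
	oauth := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get(RemoteUserHeader)
		fmt.Fprintf(w, "identity: %s\n", seen)
	})
	req := httptest.NewRequest(http.MethodGet, "/oauth/authorize", nil)
	if user != "" {
		req.SetBasicAuth(user, password)
	}
	if spoofedHeader != "" {
		req.Header.Set(RemoteUserHeader, spoofedHeader)
	}
	rec := httptest.NewRecorder()
	AuthProxy(store, oauth).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	store := NewUserStore(map[string]string{"alice": "correct horse"}) // constructed sample user
	fmt.Println(Login(store, "alice", "correct horse", "")) // 200 alice
	fmt.Println(Login(store, "alice", "wrong", "admin"))    // 401, no identity
	fmt.Println(Login(store, "", "", "admin"))              // 401, spoofed header ignored
}
```

    The third call is the case worth watching for in a real deployment: a client that sets X-Remote-User itself gets nothing, but only because the proxy strips it and the OAuth server is configured to accept the header from the proxy’s certificate alone.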

  • Using OpenShift Plugin for oc

    For those managing OpenShift clusters, the oc tool manages all the OpenShift resources with handy commands for OpenShift and Kubernetes. The OpenShift Client CLI (oc) project is built on top of kubectl adding built-in features to simplify interactions with an OpenShift cluster.

    Much like kubectl, the oc CLI tool provides a way to extend the OpenShift CLI with plug-ins. The oc plugin feature is purely client-side: it discovers extension commands found in the current user’s PATH and runs them. There is an ecosystem of plugins through the community and the Krew Plugin List.

    These plugins include:

    1. cost accesses Kubernetes cost allocation metrics
    2. outdated displays all out-of-date images running in a Kubernetes cluster
    3. pod-lens shows pod-related resource information
    4. k9s is a terminal based UI to interact with your Kubernetes clusters.
    5. sample-cli-plugin which is a simple example to show how to switch namespaces in k8s. I’m not entirely certain that this works with OpenShift.

    These plugins have a wide range of support and code. Some of the plugins are written in Python, others in Go and Bash.

    oc widens the plugin search in pkg/cli/kubectlwrappers/wrappers.go by setting plugin.ValidPluginFilenamePrefixes = []string{"oc", "kubectl"}, so OpenShift-specific oc-* plugins are found alongside kubectl-* ones. The OpenShift team has also released a number of plugins:

    1. oc-mirror manages OpenShift release, operator catalog, helm charts, and associated container images for mirror registries that support OpenShift environments
    2. oc-compliance facilitates using the OpenShift Compliance operator.

    Many of these extensions/plugins are installed using krew; krew is a plugin manager for kubectl. Some users create a directory .kube/plugins and install their plugins in that folder. The plugins folder is then added to the user’s path.

    Creating your own Extension

    1. Check to see if any plugins exist:
    $ oc plugin list
    The following compatible plugins are available:
    
    /Users/user/.kube/plugins/oc-test
    

    If none exist, it’ll prompt you that none are found in the path, and you can install from krew.

    2. Create a new file oc-test:
    #! /usr/bin/env bash
    
    echo "Execution Time: $(date)"
    
    echo ""
    ps -Sf
    echo ""
    
    echo "Arguments: $@"
    
    echo "Environment Variables: "
    env
    echo ""
    
    oc version --client
    
    3. Add the plugin directory to the path:
    export PATH=~/.kube/plugins:$PATH
    
    4. Execute the oc plugin test (note that the leading oc is stripped off: oc test runs the oc-test file, and the remaining arguments are passed through to it):
    Execution Time: Wed Mar 30 11:22:19 EDT 2022
    
      UID   PID  PPID   C STIME   TTY           TIME CMD
      501  3239  3232   0 15Mar22 ttys000    0:01.39 -zsh
      501 80267  3239   0 17Mar22 ttys000    0:00.03 tmux
      501 54273 11494   0 Tue10AM ttys001    0:00.90 /bin/zsh -l
      501 80319 80269   0 17Mar22 ttys002    0:00.30 -zsh
      501  2430  2429   0 15Mar22 ttys003    0:03.17 -zsh
      501 78925  2430   0 11:22AM ttys003    0:00.09 bash /Users/user/.kube/plugins/oc-test test
      501 80353 80269   0 17Mar22 ttys004    0:02.07 -zsh
      501 91444 11494   0 18Mar22 ttys005    0:01.55 /bin/zsh -l
    
    Arguments: test
    Environment Variables: 
    SHELL=/bin/zsh
    TERM=xterm-256color
    ZSH=/Users/user/.oh-my-zsh
    USER=user
    PATH=/Users/user/.kube/plugins:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin
    PWD=/Users/user/Downloads
    LANG=en_US.UTF-8
    HOME=/Users/user
    LESS=-R
    LOGNAME=user
    SECURITYSESSIONID=user
    _=/usr/bin/env
    
    Client Version: 4.10.6
    

    The output above is from a simple plugin demonstration.
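    As an added example (not part of the post and not oc’s own code), here is the lookup oc performs for a command like oc test, reimplemented in Go so it can be run against any PATH: the longest dash-joined prefix of the arguments wins (oc test foo tries oc-test-foo before oc-test), the oc and kubectl prefixes are tried in that order, dashes inside one argument become underscores in the file name as kubectl does, and only executable regular files count. It also lists world-writable PATH entries, because the same lookup will happily run an oc-* file another local user dropped there. ValidPluginFilenamePrefixes is the value quoted above; everything else is my own construction.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ValidPluginFilenamePrefixes mirrors the prefixes oc registers in
// pkg/cli/kubectlwrappers/wrappers.go.
var ValidPluginFilenamePrefixes = []string{"oc", "kubectl"}

// isExecutable reports whether path is a regular file with an execute bit set.
func isExecutable(path string) bool {
	info, err := os.Stat(path)
	return err == nil && info.Mode().IsRegular() && info.Mode()&0o111 != 0
}

// ResolvePlugin models the client-side lookup: args are the words after "oc".
// The longest dash-joined prefix of args wins, each registered file name
// prefix is tried in order, and dashes within an argument become underscores
// in the candidate file name. It returns the executable found, the arguments
// left over for it, and whether anything matched.
func ResolvePlugin(pathDirs []string, args []string) (string, []string, bool) {
	for n := len(args); n > 0; n-- {
		parts := make([]string, n)
		for i, a := range args[:n] {
			parts[i] = strings.ReplaceAll(a, "-", "_")
		}
		for _, prefix := range ValidPluginFilenamePrefixes {
			name := prefix + "-" + strings.Join(parts, "-")
			for _, dir := range pathDirs {
				if candidate := filepath.Join(dir, name); isExecutable(candidate) {
					return candidate, args[n:], true
				}
			}
		}
	}
	return "", nil, false
}

// WritablePluginDirs lists PATH entries that are world-writable (Unix
// permission bits): any oc-* file placed there by another local user would run
// with your credentials the next time you type a matching oc subcommand.
func WritablePluginDirs(pathDirs []string) []string {
	var bad []string
	for _, dir := range pathDirs {
		info, err := os.Stat(dir)
		if err == nil && info.IsDir() && info.Mode().Perm()&0o002 != 0 {
			bad = append(bad, dir)
		}
	}
	return bad
}

func main() {
	dirs := filepath.SplitList(os.Getenv("PATH"))
	exe, rest, ok := ResolvePlugin(dirs, os.Args[1:])
	if !ok {
		fmt.Println("no plugin found for", os.Args[1:])
	} else {
		fmt.Printf("would run %s with args %v\n", exe, rest)
	}
	for _, d := range WritablePluginDirs(dirs) {
		fmt.Println("warning: world-writable PATH entry:", d)
	}
}
```

    Saved as plugin_lookup.go (a name I chose for this example), go run plugin_lookup.go test would report the same file that oc test executes, given the PATH from step 3 above; oc plugin list performs a similar walk and is the quicker way to see which files win when two directories carry the same plugin name.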

    Reference

    1. Getting started with the OpenShift CLI
    2. Extending the OpenShift CLI with plug-ins
    3. https://cloud.redhat.com/blog/augmenting-openshift-cli-with-plugins
    4. https://cloudcult.dev/tcpdump-for-openshift-workloads/
  • Learning Resources for Operators – First Two Weeks Notes

    To quote the Kubernetes website, “The Operator pattern captures how you can write code to automate a task beyond what Kubernetes itself provides.” The following is a compendium to use while learning Operators.

    The de facto SDK to use is the Operator SDK, which provides Helm, Ansible and Go scaffolding to support your implementation of the Operator pattern.

    The following are education classes on the OperatorSDK

    When running through the CO0201EN intermediate operators course, I did hit the case where I had to create a ClusterRole and ClusterRoleBinding for the ServiceAccount; here is a snippet that might help others:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      # a ClusterRole is cluster-scoped, so it carries no namespace
      name: service-reader-cr-mc
    rules:
    - apiGroups: ["cache.bastide.org"] # the operator's own CRD group ("" would mean the core API group)
      resources: ["memcacheds"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      # cluster-scoped as well; it grants the role in every namespace
      name: ext-role-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: service-reader-cr-mc
    subjects:
    - kind: ServiceAccount
      namespace: memcached-operator-system # the ServiceAccount itself is namespaced
      name: memcached-operator-controller-manager

    The reason for the above: I had missed adding a kubebuilder RBAC declaration like the following, from which the operator’s role is generated:

    //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
    //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch

    Thanks to https://stackoverflow.com/a/60334649/1873438
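    To show what those markers turn into, here is an added example (my own code, not controller-gen or the Operator SDK): it parses //+kubebuilder:rbac markers out of Go source the way controller-gen collects them from the controller package, maps the group name core to the empty API group, and runs a small least-privilege check over the resulting rules. PolicyRule is a local stand-in for the rbac/v1 type so the program runs without k8s.io modules, marker fields other than groups, resources and verbs are ignored, and the two markers in main are the ones from the post.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule holds the rbac/v1 PolicyRule fields the markers populate (local stand-in type).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

const rbacMarker = "+kubebuilder:rbac:"

// ParseRBACMarker converts one marker comment into the rule controller-gen
// generates for it: fields are comma-separated, list values use ';', and the
// group name "core" becomes "" (the core API group). Other fields are ignored.
func ParseRBACMarker(line string) (PolicyRule, error) {
	body := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "//"))
	if !strings.HasPrefix(body, rbacMarker) {
		return PolicyRule{}, fmt.Errorf("not an rbac marker: %q", line)
	}
	var rule PolicyRule
	for _, field := range strings.Split(strings.TrimPrefix(body, rbacMarker), ",") {
		key, val, _ := strings.Cut(field, "=")
		vals := strings.Split(val, ";")
		switch key {
		case "groups":
			for i, g := range vals {
				if g == "core" {
					vals[i] = ""
				}
			}
			rule.APIGroups = vals
		case "resources":
			rule.Resources = vals
		case "verbs":
			rule.Verbs = vals
		} // namespace, resourceNames and urls are valid fields but not needed here
	}
	if len(rule.Resources) == 0 || len(rule.Verbs) == 0 {
		return PolicyRule{}, fmt.Errorf("marker needs resources and verbs: %q", line)
	}
	return rule, nil
}

// CollectRBACMarkers scans Go source for rbac marker comments, as controller-gen
// does over the controller package, and returns the rules in source order.
func CollectRBACMarkers(src string) ([]PolicyRule, error) {
	var rules []PolicyRule
	for _, line := range strings.Split(src, "\n") {
		if !strings.Contains(line, rbacMarker) {
			continue
		}
		rule, err := ParseRBACMarker(line)
		if err != nil {
			return nil, err
		}
		rules = append(rules, rule)
	}
	return rules, nil
}

func hasAny(list []string, wanted ...string) bool {
	for _, v := range list {
		for _, w := range wanted {
			if v == w {
				return true
			}
		}
	}
	return false
}

// LintRules flags rules broader than a controller usually needs: the manager's
// ServiceAccount gets exactly these rights, cluster-wide when bound via a ClusterRole.
func LintRules(rules []PolicyRule) []string {
	var findings []string
	for i, r := range rules {
		if hasAny(r.Verbs, "*") {
			findings = append(findings, fmt.Sprintf("rule %d: wildcard verb", i))
		}
		if hasAny(r.Resources, "secrets") && hasAny(r.Verbs, "get", "list", "watch", "*") {
			findings = append(findings, fmt.Sprintf("rule %d: read access to secrets", i))
		}
	}
	return findings
}

func main() {
	// Constructed sample: the post's two markers as they would appear in a controller file.
	src := "//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete\n" +
		"//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch\n"
	rules, err := CollectRBACMarkers(src)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nfindings: %v\n", rules, LintRules(rules))
}
```

    Running it prints the two rules with apiGroups [apps] and [] respectively and no findings; change a marker to verbs=* or add one for secrets and the lint reports it, which is the kind of check worth wiring into the same CI step that runs make manifests.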

    The following are articles worth reviewing:

    The following are good Go resources:

    1. Go Code Comments – To write idiomatic Go, you should review the Code Review comments.
    2. Getting to Go: The Journey of Go’s Garbage Collector – the reference for Go and garbage collection
    3. An overview of memory management in Go – good overview of Go memory management
    4. Golang: Cost of using the heap – allocations of about 1M seem to stay on the stack; beyond that they appear to land on the heap
    5. golangci-lint – The aggregated linters project is worthy of an installation and use. It’ll catch many issues and has a corresponding GitHub Action.
    6. Go in 3 Weeks – a comprehensive training for Go, with a companion GitHub repo
    7. Defensive Coding Guide: The Go Programming Language

    The following are good OpenShift resources:

    1. Create OpenShift Plugins – You must have a CLI plug-in file that begins with oc- or kubectl-. You create a file and put it in /usr/local/bin/
    2. Details on running Code Ready Containers on Linux – The key hack I learned was to ssh -i ~/.crc/machines/crc/id_ecdsa core@<any host in the /etc/hosts>
      1. I ran on VirtualBox Ubuntu 20.04 with Guest Additions installed
      2. VirtualBox settings for the machine – 6 CPU, 18G
        1. System > Processor > Enable PAE/NX and Enable Nested VT-x/AMD-V (which is a must for it to work)
        2. Network > Change Adapter Type to virtio-net and set Promiscuous Mode to Allow VMs
      3. Install openssh-server so you can log in remotely
      4. It will not install without a windowing system, so I have the default windowing environment installed.
      5. Note, I still get a failure on startup complaining about a timeout. I waited about 15 minutes after this, and the command oc get nodes --context admin --cluster crc --kubeconfig .crc/cache/crc_libvirt_4.10.3_amd64/kubeconfig now works.
    3. CRC virsh cheatsheet – If you are running Code Ready Containers and need to debug, you can use the virsh cheatsheet.