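# Log in to the CRC cluster. The kubeadmin password is a secret: supply it via
# the environment rather than literally on the command line, where it would be
# recorded in shell history. (It is still on oc's argv for the duration of the
# login; for interactive use omit -p and let `oc login` prompt instead.)
: "${KUBEADMIN_PASSWORD:?set KUBEADMIN_PASSWORD to the cluster's kubeadmin password}"
oc login -u kubeadmin -p "$KUBEADMIN_PASSWORD" https://api.crc.testing:6443 &&
# Extract the bound-SA-token signing public key. `jq -e` turns a missing key
# (null) into a failure instead of silently writing "null" into the file.
oc get -n openshift-kube-apiserver cm -o json bound-sa-token-signing-certs |
  jq -er '.data["service-account-001.pub"]' > sa-signer-pkcs8.pub &&
# Build the JWKS. The first key is duplicated with an empty kid, presumably so
# that tokens whose header carries no kid still match a key — confirm against
# the webhook's self-hosted setup notes.
bin/self-hosted-darwin -key sa-signer-pkcs8.pub |
  jq '.keys += [.keys[0]] | .keys[1].kid = ""' > keys.json
# Create the bucket (fails harmlessly if it already exists) and publish the
# JWKS. public-read is required here: STS fetches the discovery document and
# JWKS anonymously. Keep this bucket dedicated to those two objects only.
aws s3 mb s3://btofel-sts-test --profile redhat-openshift-dev
aws s3 cp keys.json s3://btofel-sts-test --profile redhat-openshift-dev --acl public-read
# Stage the discovery document. Manual step: in the editor, verify its URL
# fields (issuer, jwks_uri) point at the bucket above before uploading.
cp ~/hold_code/discovery.json . &&
vi discovery.json &&
aws s3 cp discovery.json s3://btofel-sts-test/.well-known/openid-configuration --profile redhat-openshift-dev --acl public-read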
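# Resolve the JWKS host from the published discovery document. `curl -f` makes
# an HTTP error a non-zero status and `jq -e` rejects a null jwks_uri, so HOST
# can no longer end up empty and feed a bogus `openssl s_client -connect`.
HOST=$(curl -fsS https://btofel-sts-test.s3.amazonaws.com/.well-known/openid-configuration |
  jq -er '.jwks_uri | split("/")[2]') &&
# SHA-1 thumbprint, in IAM's expected form (lowercase hex, no colons), of the
# last certificate the server presents — the top of the served chain, which is
# what the IAM OIDC provider's thumbprint list pins. The sed script keeps only
# the last BEGIN..END block; it emits the BEGIN line twice, hence `tail -n +2`.
THUMBPRINT=$(echo | openssl s_client -servername "$HOST" -showcerts -connect "$HOST:443" 2>/dev/null |
  sed -n -e '/BEGIN/h' -e '/BEGIN/,/END/H' -e '$x' -e '$p' | tail -n +2 |
  openssl x509 -sha1 -fingerprint -noout |
  sed -e 's/.*=//' -e 's/://g' |
  tr '[:upper:]' '[:lower:]') &&
# Sanity-check before handing it to IAM: exactly 40 lowercase hex digits.
[[ "$THUMBPRINT" =~ ^[0-9a-f]{40}$ ]] &&
aws iam create-open-id-connect-provider --url https://btofel-sts-test.s3.amazonaws.com/ \
  --client-id-list sts.amazonaws.com --thumbprint-list "$THUMBPRINT" --profile redhat-openshift-dev
# Point the cluster's service-account token issuer at the published document.
# NOTE(review): this issuer value is the full discovery URL, while the IAM
# provider above was registered with the bucket base URL; STS compares the
# token's iss claim against the provider URL — confirm the two agree (and that
# discovery.json's "issuer" field matches) before relying on this setup.
oc patch authentication.config.openshift.io cluster -p '{"spec":{"serviceAccountIssuer":"https://btofel-sts-test.s3.amazonaws.com/.well-known/openid-configuration"}}' --type=merge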
You may need to restart OpenShift Local (CRC), possibly even delete and restart it, but after the restart the patched cluster item should be present. See below for the `oc get` output of a properly patched cluster auth.config.
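# Relax Pod Security Admission on the default namespace so the webhook pod can
# run there. This sets enforcement to "privileged" for every pod in the
# namespace — a test-cluster shortcut; revert it (or use a dedicated namespace)
# when finished.
kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
# Deploy the modified aws-pod-identity-webhook (Makefile target).
make deploy-config
# Approve the webhook's CSR(s). Only CSRs with no status yet (still pending)
# are selected, and `oc get csr` is worth a look first: anything approved here
# is issued a cluster-trusted certificate.
oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' |
  xargs oc adm certificate approve
# CA bundle for the webhook's caBundle field: base64 with line breaks removed
# so it can be substituted into the manifest as a single scalar.
# NOTE(review): this is the API server's client-CA set; it has to include the
# CA that signed the webhook's serving certificate (the CSR approved above) —
# confirm, otherwise the API server will not trust the webhook endpoint.
CA_BUNDLE=$(oc get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')
[[ -n "$CA_BUNDLE" ]] || printf 'CA_BUNDLE is empty; check the configmap lookup\n' >&2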
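# Apply the MutatingWebhookConfiguration with the CA bundle substituted in.
# The heredoc delimiter is deliberately unquoted so ${CA_BUNDLE} expands; the
# YAML indentation is structural and must be kept.
: "${CA_BUNDLE:?CA_BUNDLE is empty; compute it from extension-apiserver-authentication first}"
oc apply -f - <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: pod-identity-webhook
  namespace: default
webhooks:
- name: pod-identity-webhook.amazonaws.com
  admissionReviewVersions:
  - v1beta1
  # Fail-open: if the webhook is unreachable, pods are admitted without the
  # identity injection rather than being rejected.
  failurePolicy: Ignore
  sideEffects: None
  clientConfig:
    service:
      name: pod-identity-webhook
      namespace: default
      path: "/mutate"
    caBundle: ${CA_BUNDLE}
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
EOF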
You may need to delete the webhook pod so that it picks up OIDC, the newly approved CSR, and the new configuration (above).
Edit the role's Trust Relationship to allow the ServiceAccount created by the deployment (make deploy-config); it looks like this (note that it conditions only on the token's `:sub` claim; an additional `:aud` condition matching the client id registered above, sts.amazonaws.com, narrows it further):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::269733383066:oidc-provider/btofel-sts-test.s3.amazonaws.com/"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"btofel-sts-test.s3.amazonaws.com/:sub": "system:serviceaccount:default:pod-identity-webhook"
}
}
}
]
}
A properly patched cluster's auth.config; note the webhookTokenAuthenticator entry added below:
$ oc get -o json authentication.config.openshift.io
{
"apiVersion": "v1",
"items": [
{
"apiVersion": "config.openshift.io/v1",
"kind": "Authentication",
"metadata": {
"annotations": {
"include.release.openshift.io/ibm-cloud-managed": "true",
"include.release.openshift.io/self-managed-high-availability": "true",
"include.release.openshift.io/single-node-developer": "true",
"release.openshift.io/create-only": "true"
},
"creationTimestamp": "2023-01-15T08:02:43Z",
"generation": 3,
"managedFields": [
{
"apiVersion": "config.openshift.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
".": {},
"f:include.release.openshift.io/ibm-cloud-managed": {},
"f:include.release.openshift.io/self-managed-high-availability": {},
"f:include.release.openshift.io/single-node-developer": {},
"f:release.openshift.io/create-only": {}
},
"f:ownerReferences": {
".": {},
"k:{\"uid\":\"fd2be244-a663-4c6a-86b1-d97d3542cfc3\"}": {}
}
},
"f:spec": {}
},
"manager": "cluster-version-operator",
"operation": "Update",
"time": "2023-01-15T08:02:43Z"
},
{
"apiVersion": "config.openshift.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:spec": {
"f:oauthMetadata": {
".": {},
"f:name": {}
},
"f:type": {},
"f:webhookTokenAuthenticator": {
".": {},
"f:kubeConfig": {
".": {},
"f:name": {}
}
}
}
},
"manager": "authentication-operator",
"operation": "Update",
"time": "2023-01-15T08:07:00Z"
},
{
"apiVersion": "config.openshift.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:status": {
".": {},
"f:integratedOAuthMetadata": {
".": {},
"f:name": {}
}
}
},
"manager": "authentication-operator",
"operation": "Update",
"subresource": "status",
"time": "2023-01-15T08:16:37Z"
},
{
"apiVersion": "config.openshift.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:spec": {
"f:serviceAccountIssuer": {}
}
},
"manager": "kubectl-patch",
"operation": "Update",
"time": "2023-03-12T20:19:37Z"
}
],
"name": "cluster",
"ownerReferences": [
{
"apiVersion": "config.openshift.io/v1",
"kind": "ClusterVersion",
"name": "version",
"uid": "fd2be244-a663-4c6a-86b1-d97d3542cfc3"
}
],
"resourceVersion": "514466",
"uid": "c8f99dfb-cd78-42bb-84d6-e77e0c38b84f"
},
"spec": {
"oauthMetadata": {
"name": ""
},
"serviceAccountIssuer": "https://btofel-sts-test.s3.amazonaws.com/.well-known/openid-configuration",
"type": "",
"webhookTokenAuthenticator": {
"kubeConfig": {
"name": "webhook-authentication-integrated-oauth"
}
}
},
"status": {
"integratedOAuthMetadata": {
"name": "oauth-openshift"
}
}
}
],
"kind": "List",
"metadata": {
"resourceVersion": "",
"selfLink": ""
}
}