Do280openshift access control -- encryption and configmap

Personal profile ： Hello everyone , I am a Brother goldfish ,CSDN New star creator in operation and maintenance field , Hua Wei Yun · Cloud sharing experts , Alicloud community · Expert bloggers
Personal qualifications ：CCNA、HCNP、CSNA（ Network Analyst ）, Soft test primary 、 Intermediate network engineer 、RHCSA、RHCE、RHCA、RHCI、ITIL
Maxim ： Hard work doesn't necessarily succeed , But if you want to succeed, you must work hard

Stand by me ： I like it 、 Can collect ️、 Leave message

Manage encrypted information

secret characteristic

Secret Object types provide a mechanism to hold sensitive information , Such as password 、OCP Client configuration file 、Docker Configuration files and private repository credentials .Secrets Relate sensitive content to Pod decoupling . have access to Volume The plug-in will Secrets Mount to the container , Or the system can use Secrets representative pod Perform the operation .

Secrets The main features include :

• Secrets data It can be referenced independently of its definition .
• Secrets data Volume Supported by temporary file storage .
• Can be shared in a namespace Secrets data.

establish Secrets

Depending on the Secrets Of pod Create one before Secrets.

[[email protected] ~]$ oc create secret generic secret_name \
--from-literal=key1=secret1 \
--from-literal=key2=secret2	# use secret data establish secret object 
[[email protected] ~]$ oc secrets add --for=mount serviceaccount/serviceaccount-name \
secret/secret_name		# to update pod Service account for , It is allowed to refer to the secrets.

for example , Allow a... To run under a specified service account pod Mount one secrets

Create a pod, The pod Use this as a file using environment variables or data volumes secret, It's usually done with templates .

Use secret expose Pod

secrets Can be mounted as a data volume , It can also be used as an environment variable for pod Use the container in .

for example , Want to pod Open a secrets, First create a secrets And will username and password With k/v Form configuration , Then assign the key name to pod Of YAML file env Definition .

Example ： Create a demo-secret Of secrets, It defines the user name and password as username/demo-user.

[[email protected] ~]$ oc create secret generic demo-secret \
--from-literal=username=demo-user

Use the front secret As MySQL database pod Database administrator password for , Please define the environment variable , And reference secret Name and password .

env:
  - name: MYSQL_ROOT_PASSWORD
    valueFrom:
      secretKeyRef:
       key: username
       name: demo-secret

web End management secret

from web Console management secret:

1. Log in to as an authorized user web Console .

2. Create or select a project to host secret.

3. Navigate to resource——>secrets.

Secret Use scenarios

• password and user names

Sensitive information ( Such as password and user name) Can be stored in a secret in , The secret Mounted as a data volume in a container . The data is displayed as the contents of files located in the container's data volume Directory . then , Applications ( Such as a database ) You can use these secret Authenticate users .

• Transport layer security (TLS) And key pair

By having the cluster generate the signing certificate and key pair into the project namespace secret in , It can protect the communication of service . Certificate and key pair use PEM Stored in a format similar to tls.crt and tls.key The format of is stored in secret Of pod in .

ConfigMap object

ConfigMap summary

ConfigMaps Object similar to secret, But it is designed to support processing strings that do not contain sensitive information .ConfigMap Object holds key value pairs of configuration data , These configuration data can be found in pods Use in , Or for storage system components ( Such as controller ) Configuration data of .

ConfigMap Object provides a mechanism to inject configuration data into a container .ConfigMap Store fine granularity information , For example, a single attribute , Or details , Like the entire configuration file or JSON aggregate .

CLI establish ConfigMap

have access to –from-literal Options from CLI establish ConfigMap object .

Example ： Create a ConfigMap object , The object will IP Address 172.20.30.40 Assigned to serverAddress Of ConfigMap secret key .

[[email protected] ~]$ oc create configmap special-config \
--from-literal=serverAddress=172.20.30.40
[[email protected] ~]$ oc get configmaps special-config -o yaml		# see configMap
apiVersion: v1
data:
  key1: serverAddress=172.20.30.40
kind: ConfigMap
metadata:
  creationTimestamp: 2017-07-10T17:13:31Z
  name: special-config
……

In the configuration mapping pod The definition is filled with environment variables APISERVER.

env:
  - name: APISERVER
      valueFrom:	
        configMapKeyRef:
          name: special-config
          key: serverAddress

web management ConfigMap

from web Console management ConfigMap object :

1. Log in to as an authorized user web Console .

2. Create or select a project to host ConfigMap.

3. Navigate to resources → Configuration mapping .

Textbook exercises

Environmental preparation

[[email protected] ~]$ lab install-prepare setup
[[email protected] ~]$ cd /home/student/do280-ansible
[[email protected] do280-ansible]$ ./install.sh

Tips ： If you already have a complete environment , Don't execute .

Prepare for this exercise

[[email protected] ~]$ lab secure-secrets setup

Create project

[[email protected] ~]$ oc login -u developer -p redhat https://master.lab.example.com
[[email protected] ~]$ oc new-project secure-secrets
[[email protected] ~]$ cd /home/student/DO280/labs/secure-secrets/
[[email protected] secure-secrets]$ cat mysql-ephemeral.yml
…………
      spec:
        containers:
        - capabilities: {
    }
          env:
          - name: MYSQL_USER
            valueFrom:
              secretKeyRef:
                key: database-user
                name: ${
    DATABASE_SERVICE_NAME}
          - name: MYSQL_PASSWORD
            valueFrom:
              secretKeyRef:
                key: database-password
                name: ${
    DATABASE_SERVICE_NAME}
          - name: MYSQL_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                key: database-root-password
                name: ${
    DATABASE_SERVICE_NAME}
          - name: MYSQL_DATABASE
            value: ${
    MYSQL_DATABASE}
…………
- description: The name of the OpenShift Service exposed for the database.
  displayName: Database Service Name
  name: DATABASE_SERVICE_NAME
  required: true
  value: mysql
…………

Template interpretation ：

The mysql-ephemeral.yml Template file , contain openshift In the project mysql Temporary template ,pod Other environment variables required are initialized by template parameters , And has a default value .

But there is no secret Definition , Subsequent operations will manually create the template required secret.

According to the requirements of the template , Create a containing MySQL Containers image Use the certificate of secret, Put this secret Name it mysql.

• The user name of the database accessed by the application is database-user Definition .
• The password of the database user is from database-password Definition .
• Database administrator password by database-root-password Definition

establish secret

[[email protected] secure-secrets]$ oc create secret generic mysql \
--from-literal='database-user'='mysql' \
--from-literal='database-password'='redhat' \
--from-literal='database-root-password'='do280-admin'
secret "mysql" created


[[email protected] secure-secrets]$ oc get secret mysql -o yaml	# confirm secret
apiVersion: v1
data:
  database-password: cmVkaGF0
  database-root-password: ZG8yODAtYWRtaW4=
  database-user: bXlzcWw=
kind: Secret
metadata:
  creationTimestamp: 2021-03-03T03:40:47Z
  name: mysql
  namespace: secure-secrets
  resourceVersion: "218611"
  selfLink: /api/v1/namespaces/secure-secrets/secrets/mysql
  uid: 3df1014e-7bd2-11eb-9656-52540000fa0a
type: Opaque

Create an

[[email protected] secure-secrets]$ oc new-app --file=mysql-ephemeral.yml
[[email protected] secure-secrets]$ oc get pods
NAME             READY     STATUS              RESTARTS   AGE
mysql-1-deploy   1/1       Running             0          11s
mysql-1-r5rgn    0/1       ContainerCreating   0          8s
[[email protected] secure-secrets]$ oc get pods
NAME            READY     STATUS    RESTARTS   AGE
mysql-1-r5rgn   1/1       Running   0          12s

Port forwarding

[[email protected] secure-secrets]$ cd
[[email protected] ~]$ oc port-forward mysql-1-r5rgn 3306:3306
Forwarding from 127.0.0.1:3306 -> 3306

Tips ： Before the validation is complete forward Do not shut down. .

Validation verification

[[email protected] ~]$ mysql -uroot -pdo280-admin -h127.0.0.1   # New terminal test MySQL
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 5.7.16 MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sampledb           |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

MySQL [(none)]>

Clear the experiment

[[email protected] ~]$ oc delete project secure-secrets

summary

RHCA Certification requires experience 5 Study and examination of the door , It still takes a lot of time to study and prepare for the exam , Come on , Can GA 🤪.

That's all 【 Brother goldfish 】 Yes The fifth chapter DO280OpenShift Access control – Encryption and ConfigMap Brief introduction and explanation of . I hope it can be helpful to the little friends who see this article .

Red hat Certification Column series ：
RHCSA special column ： entertain RHCSA authentication
RHCE special column ： entertain RHCE authentication
This article is included in RHCA special column ：RHCA memoir

If this article 【 article 】 It helps you , I hope I can give 【 Brother goldfish 】 Point a praise , It's not easy to create , Compared with the official statement , I prefer to use 【 Easy to understand 】 To explain every point of knowledge with your writing .

If there is a pair of 【 Operation and maintenance technology 】 Interested in , You are welcome to pay attention to ️️️ 【 Brother goldfish 】️️️, I will bring you great 【 Harvest and surprise 】！