@eslutsky
Forked from adelton/README.md
Created July 16, 2024 14:56
OpenShift Console on MicroShift

On MicroShift 4.13 installed on RHEL 9.2 by following the "Installing and configuring MicroShift clusters" product documentation, OpenShift Console can be enabled on port 9000 by fetching the files from this gist and then running

# oc create serviceaccount -n kube-system openshift-console
# bash openshift-console.eval | oc create -f -

If you don't like the idea of running bash on a random script downloaded from the web, run

# oc create token -n kube-system openshift-console
# hostname -f

and edit the openshift-console.yaml file, replacing $( hostname -f ) and $( oc create token -n kube-system openshift-console ) with the outputs of the commands above. Then run

# oc create -f openshift-console.yaml
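
The manual substitution above can be scripted without handing the YAML to eval. The following is an added example, not part of the gist: it replaces only the two known placeholders as literal text and refuses a template that contains any other $( ... ). The name render_console_yaml, the CONSOLE_* variables and the sample strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the gist: fill the two placeholders in
# openshift-console.yaml by literal replacement instead of eval.
# render_console_yaml is a hypothetical helper name.
#
# Usage:
#   render_console_yaml "$(hostname -f)" \
#       "$(oc create token -n kube-system openshift-console)" \
#       < openshift-console.yaml | oc create -f -

# Constructed sample input: the two placeholder lines, and one stray substitution.
SAMPLE_OK='value: https://$( hostname -f ):6443
value: "$( oc create token -n kube-system openshift-console )"'
SAMPLE_STRAY='value: "$( id )"'

render_console_yaml() {
    # Accept only characters a hostname or a JWT can contain, so the values
    # cannot break out of the YAML scalars they are pasted into.
    case $1 in ''|*[!A-Za-z0-9.-]*) echo "bad hostname" >&2; return 1 ;; esac
    case $2 in ''|*[!A-Za-z0-9._-]*) echo "bad token" >&2; return 1 ;; esac
    # Values go through the environment, not argv, which other local users can read.
    CONSOLE_HOST=$1 CONSOLE_TOKEN=$2 awk '
        # Replace every literal occurrence of "from" in "s" (no regex).
        function fill(s, from, to,    i, out) {
            out = ""
            while ((i = index(s, from)) > 0) {
                out = out substr(s, 1, i - 1) to
                s = substr(s, i + length(from))
            }
            return out s
        }
        {
            l = fill($0, "$( hostname -f )", ENVIRON["CONSOLE_HOST"])
            l = fill(l, "$( oc create token -n kube-system openshift-console )", ENVIRON["CONSOLE_TOKEN"])
            # Anything still containing $( is not one of the two expected
            # placeholders: remember the line and refuse in END.
            if (index(l, "$(") > 0) bad = NR
            lines[NR] = l
        }
        # Emit nothing unless the whole template was clean.
        END {
            if (bad) { print "unexpected $( on line " bad > "/dev/stderr"; exit 1 }
            for (n = 1; n <= NR; n++) print lines[n]
        }
    '
}
```

Because output is buffered until the whole template has been checked, a rejected template sends nothing down the pipe to oc create.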

You can also use --duration=... to request a token with a longer lifetime than the default. If the token expires and the console URL stops serving the OpenShift console content, you can refresh the token with

oc set env -n kube-system deployment/openshift-console-deployment BRIDGE_K8S_AUTH_BEARER_TOKEN=$( oc create token -n kube-system openshift-console )

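Beware: there is no authentication, so only use this for test purposes on a well-controlled network. Anyone who can reach port 9000 operates the console with the openshift-console service account's token, and the manifest binds that account to cluster-admin.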

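openshift-console.eval

```bash
# Print openshift-console.yaml with its $( ... ) command substitutions expanded.

# Build a here-document whose body is the YAML file. The file is read now,
# but the $( ... ) inside it are still plain text at this point.
IN="
read -d '' YAML <<EOF
$( cat openshift-console.yaml )
EOF
"
# eval runs the here-document, which executes every $( ... ) found in the
# YAML, so only use this with a YAML file you have reviewed.
eval "$IN"
echo "$YAML"
```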

openshift-console.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openshift-console-cluster-role-binding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: openshift-console
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openshift-console-deployment
  namespace: kube-system
  labels:
    app: openshift-console
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openshift-console
  template:
    metadata:
      labels:
        app: openshift-console
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: openshift-console-app
        image: quay.io/openshift/origin-console:latest
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        env:
        - name: BRIDGE_USER_AUTH
          value: disabled
        - name: BRIDGE_K8S_MODE
          value: off-cluster
        - name: BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT
          value: https://$( hostname -f ):6443
        - name: BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS
          value: "true"
        - name: BRIDGE_K8S_AUTH
          value: bearer-token
        - name: BRIDGE_K8S_AUTH_BEARER_TOKEN
          value: "$( oc create token -n kube-system openshift-console )"
---
apiVersion: v1
kind: Service
metadata:
  name: openshift-console-service
  namespace: kube-system
spec:
  selector:
    app: openshift-console
  ports:
  - port: 9000
    targetPort: 9000
  type: LoadBalancer
```

@eslutsky

When BRIDGE_K8S_AUTH_BEARER_TOKEN is set, the login will work only for the lifetime of the issued token; after that it will fail.