Identify yourself on minishift

With the latest version of minishift, I can make a single-node OpenShift cluster deployable on any public cloud compute instance that you might have access to.

If you have yet to explore how to deploy minishift on your cloud instance, please refer to my colleague @kumar_pravin's video on how to get started with minishift on remote cloud instances; the documentation for the same is available here.

Once you have deployed minishift to your cloud instance, you will see that it is not secured at all. Why? Because by default minishift is configured with a very open authentication policy, which allows the user developer or admin (if you have enabled the admin add-on) to log in with any password.

You can find this setting via the command minishift openshift config view | yq r - oauthConfig (the yq tool is similar to jq and can be used to perform YAML operations from the CLI). The command should show you a result like:

oauthConfig:
  alwaysShowProviderSelection: false
  assetPublicURL: https://192.168.64.96:8443/console/
  grantConfig:
    method: auto
    serviceAccountMethod: prompt
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: anypassword
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://192.168.64.96:8443
  masterURL: https://127.0.0.1:8443
  sessionConfig:
    sessionMaxAgeSeconds: 300
    sessionName: ssn
    sessionSecretsFile: ""
  templates: null
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 300
pauseControllers: false

The identityProvider in this case is AllowAllPasswordIdentityProvider, which allows developer/admin to log in with any password. More information on OpenShift IdentityProviders is available here.

Let's now modify the OpenShift master configuration to make it use HTPasswdPasswordIdentityProvider, which uses a simple file-based user store that OpenShift can then use to look up users and their respective credentials. This file can be created or modified using the htpasswd utility, which is installed via yum install httpd-tools.

Let's create an htpasswd-based user store called users.htpasswd in the folder "/var/lib/minishift/openshift.local.config/master" with the needed usernames and passwords:

$ minishift ssh
# required for the htpasswd command
$ sudo yum -y install httpd-tools
# creates a new file with user developer and the password provided
$ sudo htpasswd -cb /var/lib/minishift/openshift.local.config/master/users.htpasswd developer <any-password-of-your-choice>
# adds a new user admin with the password provided
$ sudo htpasswd -b /var/lib/minishift/openshift.local.config/master/users.htpasswd admin <any-password-of-your-choice>

It's now time to configure the OpenShift master's oauthConfig to use HTPasswdPasswordIdentityProvider as the IdentityProvider, which can be done using the following command:

minishift openshift config set --patch '{"oauthConfig": {"identityProviders": [ {"challenge": true,"login": true,"mappingMethod": "add","name": "htpasswd","provider": {"apiVersion": "v1","kind": "HTPasswdPasswordIdentityProvider","file": "users.htpasswd"}}]}}'

After this command runs successfully (it will eventually restart OpenShift inside the minishift instance), running the command minishift openshift config view | yq r - oauthConfig again should result in the following output:

alwaysShowProviderSelection: false
assetPublicURL: https://192.168.64.96:8443/console/
grantConfig:
  method: auto
  serviceAccountMethod: prompt
identityProviders:
- challenge: true
  login: true
  mappingMethod: add
  name: htpasswd
  provider:
    apiVersion: v1
    file: users.htpasswd
    kind: HTPasswdPasswordIdentityProvider
masterCA: ca-bundle.crt
masterPublicURL: https://192.168.64.96:8443
masterURL: https://127.0.0.1:8443
sessionConfig:
  sessionMaxAgeSeconds: 300
  sessionName: ssn
  sessionSecretsFile: ""
templates: null
tokenConfig:
  accessTokenMaxAgeSeconds: 86400
  authorizeTokenMaxAgeSeconds: 300
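
Rather than comparing the two outputs by eye, the check can be scripted. The following is an added example, not part of the original post: it reads the YAML printed by minishift openshift config view and fails while any identity provider is still AllowAllPasswordIdentityProvider. The function names and the two sample inputs are constructed for illustration, and the parser assumes the space-indented block layout of that output.

```shell
#!/bin/sh
# Added example: fail if the OpenShift master config still allows any password.

# provider_kinds: read master-config YAML on stdin and print the `kind:` of
# every entry under identityProviders (block-style YAML, space-indented).
provider_kinds() {
  awk '
    /^ *$/ { next }
    /^ *identityProviders:/ { in_idp = 1; base = match($0, /[^ ]/); next }
    in_idp {
      ind = match($0, /[^ ]/)
      # a non-list key at or left of identityProviders closes the block
      if (ind <= base && $0 !~ /^ *-/) { in_idp = 0; next }
      if ($1 == "kind:") print $2
    }
  '
}

# audit_idp: return 0 only if providers exist and none is AllowAll.
audit_idp() {
  kinds=$(provider_kinds)
  [ -n "$kinds" ] || { echo "FAIL: no identityProviders found"; return 2; }
  status=0
  for k in $kinds; do
    case "$k" in
      AllowAllPasswordIdentityProvider)
        echo "FAIL: $k accepts any password"; status=1 ;;
      *) echo "ok: $k" ;;
    esac
  done
  return "$status"
}

# Constructed sample inputs: trimmed versions of the two outputs in this post.
sample_before() {
  printf '%s\n' 'oauthConfig:' '  identityProviders:' '  - challenge: true' \
    '    name: anypassword' '    provider:' '      apiVersion: v1' \
    '      kind: AllowAllPasswordIdentityProvider' '  masterCA: ca-bundle.crt' \
    'kind: MasterConfig'
}
sample_after() {
  printf '%s\n' 'identityProviders:' '- challenge: true' '  name: htpasswd' \
    '  provider:' '    apiVersion: v1' '    file: users.htpasswd' \
    '    kind: HTPasswdPasswordIdentityProvider' 'masterCA: ca-bundle.crt'
}

# Real use (on the host running minishift):
#   minishift openshift config view | audit_idp
```

A non-zero exit status makes this usable as a gate in a provisioning script, so a cloud instance is not exposed while the default provider is still active.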

With this, your minishift is configured to use the users.htpasswd based user store. This is better than the default AllowAllPasswordIdentityProvider, but it is not the most secure or maintainable option. Please feel free to explore the other identity provider options available in the OpenShift documentation. I did see another nice story by James Drummond on configuring GoogleAuthenticationProvider as the Identity Provider for OpenShift.

I hope you found this story useful. For more developer blogs, software and other resources, please register yourself with https://developers.redhat.com.