Skip to content

antony@notes:~/openshift$ cat "How-to-Create-a-User-Using-Htpasswd-in-Openshift.md"

How to Create a User Using Htpasswd in Openshift

2025-12-31· openshift

How to Create a User Using Htpasswd in Openshift

  1. 安裝 htpasswd 套件

    yum install -y httpd-tools
  2. 建立 htpasswd 使用者檔案

    htpasswd -c -B -b users.htpasswd mgr-haha haha

    格式如下: htpasswd -c -B -b </path/to/users.htpasswd> <username> <password>

    密碼會以雜湊形式存儲在 users.htpasswd 檔案中。

  3. 創建 Htpasswd secret。定義一個包含 HTPasswd 使用者檔案的 secret。

    oc -n openshift-config create secret generic htpass-secret \
      --from-file=htpasswd=users.htpasswd 

    格式如下: oc create secret generic htpass-secret --from-file=htpasswd=</path/to/users.htpasswd> -n openshift-config

  4. 建立 HTPasswd identity CR

    nano htpasswd.yml

    檔案內容如下:

    apiVersion: config.openshift.io/v1
    kind: OAuth
    metadata:
      name: cluster
    spec:
      identityProviders:
      - name: mgr-haha_htpasswd_provider
        challenge: true
        login: true
        mappingMethod: claim
        type: HTPasswd
        htpasswd:
          fileData:
            name: htpass-secret
  5. 部署 HTPasswd identity CR

    oc apply -f htpasswd.yml
  6. 為新的使用者設定叢集管理員角色

    oc adm policy add-role-to-user cluster-admin mgr-haha
  7. 將叢集的 CA 內容存成 ca.crt 檔案

    oc -n openshift-config-managed get configmap kube-root-ca.crt \
      -o jsonpath='{.data.ca\.crt}' > ca.crt
  8. 測試新使用者登入 ocp

    oc login -u=mgr-haha -p haha --certificate-authority=ca.crt

    正確執行結果:

    Login successful.
    
    You have one project on this server: "default"
    
    Using project "default".
  9. 為 mgr-test 創建客戶端證書,使用內部 OpenShift CA

    openssl req -nodes -newkey rsa:4096 \
      -keyout /tmp/mgr-test.key -subj "/O=system:admin/CN=mgr-test" \
      -out /tmp/mgr-test.csr
  10. 將 CSR 提交給 OpenShift,以便稍後用內部 CA 簽署:

    cat << EOF | oc create -f -
    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      name: mgr-test-access
    spec:
      signerName: kubernetes.io/kube-apiserver-client
      groups:
      - system:authenticated
      request: $(cat /tmp/mgr-test.csr | base64 -w0)
      usages:
      - client auth
    EOF
  11. 批准證書請求

    oc adm certificate approve mgr-test-access
  12. 證書已獲批准,我們現在可以從叢集中獲取它:

    oc get csr mgr-test-access -o jsonpath='{.status.certificate}' \
      | base64 -d > /tmp/mgr-test.crt
  13. 為 test-mgr 創建 kubeconfig 檔案

    export OPENSHIFT_API_SERVER_ENDPOINT=api.topgun.kubeantony.com:6443
    openssl s_client -showcerts -connect ${OPENSHIFT_API_SERVER_ENDPOINT} </dev/null 2>/dev/null|openssl x509 -outform PEM > /tmp/ocp-apiserver-cert.crt
    
    export USER=mgr-test
    
    # 1. 設定使用者憑證 (加入 config)
    oc config set-credentials ${USER} \
      --kubeconfig="/tmp/${USER}config" \
      --client-certificate="/tmp/${USER}.crt" \
      --client-key="/tmp/${USER}.key" \
      --embed-certs=true
    
    # 2. 設定叢集資訊 (加入 config)
    oc config set-cluster topgun-ocp-cluster \
      --kubeconfig="/tmp/${USER}config" \
      --certificate-authority="/tmp/ocp-apiserver-cert.crt" \
      --embed-certs=true \
      --server="https://${OPENSHIFT_API_SERVER_ENDPOINT}"
    
    # 3. 設定 Context (加入 config)
    oc config set-context topgun-ocp \
      --kubeconfig="/tmp/${USER}config" \
      --cluster=topgun-ocp-cluster \
      --namespace=default \
      --user=${USER}
    
    # 4. 切換 Context (加入 config)
    oc config use-context topgun-ocp \
      --kubeconfig="/tmp/${USER}config"
  14. 確認當前身份

    oc --kubeconfig=/tmp/mgr-testconfig auth whoami

    執行結果:

    ATTRIBUTE   VALUE
    Username    mgr-test
    Groups      [system:admin system:authenticated]

參考文件