Chapter 3. Configure OpenShift Container Platform

3.1. Overview

This guide introduces you to the basic concepts of OpenShift Container Platform, and helps you configure a basic application. This guide provides the configuration steps following the installation of a basic OpenShift Container Platform environment, and is not suitable for deploying or installing a production environment of OpenShift.

3.2. Change Log In Identity Provider

The default behavior of a freshly installed OpenShift Container Platform instance is to deny any user from logging in. To change the authentication method to HTPasswd:

  1. Open the /etc/origin/master/master-config.yaml file in edit mode.
  2. Find the identityProviders section.
  3. Change DenyAllPasswordIdentityProvider to HTPasswdPasswordIdentityProvider provider.

  4. Change the value of the name label to htpasswd_auth and add a new line file: /etc/origin/openshift-passwd in the provider section.

    An example identityProviders section with HTPasswdPasswordIdentityProvider would look like the following. 

    oauthConfig:
  ...
  identityProviders:
  - challenge: true
    login: true
    name: htpasswd_auth provider
    provider:
      apiVersion: v1
      kind: HTPasswdPasswordIdentityProvider
      file: /etc/origin/openshift-passwd
  5. Save the file.

3.3. Create User Accounts

Now that you are using the HTPasswdPasswordIdentityProvider provider, you need to generate these user accounts.

  1. You can use the httpd-tools package to obtain the htpasswd binary that can generate these accounts. 

    # yum -y install httpd-tools

  2. Create a user account. 

    # touch /etc/origin/openshift-passwd
# htpasswd -b /etc/origin/openshift-passwd admin redhat

    You have created a user, admin, with the password, redhat.

  3. Restart OpenShift before going forward. 

    # master-restart api
# master-restart controllers

  4. Give this user account cluster-admin privileges, which allows it to do everything. 

    $ oc adm policy add-cluster-role-to-user cluster-admin admin

    When running oc adm commands, you should run them only from the first master listed in the Ansible host inventory file, by default /etc/ansible/hosts.

  5. You can use this username/password combination to log in via the web console or the command line. To test this, run the following command. 

    $ oc login -u admin

Before going forward, change to the default project. 

$ oc project default

For more details, see roles and authentication.

3.4. Deploy the OpenShift Router

The OpenShift router is the entry point for external network traffic destined for OpenShift services. It supports HTTP, HTTPS, and any TLS-enabled traffic that uses SNI, which enables the router to send traffic to the correct service.

Without the router, OpenShift services and pods are unable to communicate with any resource outside of the OpenShift instance.

The installer creates a default router.

  1. Delete the default router using the following command. 

    $ oc delete all -l router=router

  2. Create a new default router. 

    $ oc adm router --replicas=1 --service-account=router

The OpenShift documentation contains detailed information on Router Overview.

3.5. Deploy an Internal Registry

Openshift provides an internal, integrated container image registry that can be deployed to locally manage images. OpenShift uses the docker-registry to store, retrieve, and build container images, as well as deploy and manage them throughout their lifecycle.

The installer creates a default registry.

  1. Delete the default registry using the following command. 

    $ oc delete all -l docker-registry=default

  2. Create the docker-registry service in the default project using the registry service account. 

    $ oc adm registry

3.6. Create Persistent Storage for the Registry

The registry that you created in the previous step stores images and metadata, and uses an ephemeral volume for any pod deployment if persistent storage is not configured. This ephemeral volume is destroyed when the pod exits, losing all data, including any images built or pushed into the registry.

To configure persistent storage for the registry:

  • Provision a volume that points to a storage server on your network (we will just create it on the master).
  • Create a volume claim.
  • Manually add the claim to the registry service.
Note

The following steps to configure persistent storage for the registry apply to storage for any image that requires persistent data and not just for the registry. The registry is just another image in the OpenShift environment.

3.6.1. Provision the Persistent Volume

  1. Create a registry volume file on your master, as shown here, and call it registry-volume.yaml. 

    apiVersion: v1
kind: PersistentVolume
metadata:
  name: registry-volume
spec:
  capacity:
    storage: 3Gi
  accessModes:
  - ReadWriteMany
  nfs:
    path: /root/storage
    server: master.openshift.example.com

    The folder /root/storage must exist. Make sure to change the server entry to point to your master.

  2. Create the registry persistent volume in OpenShift. 

    $ oc create -f registry-volume.yaml

3.6.2. Create the Persistent Volume Claim

Create a claim to bind the persistent volume created earlier. This claim is what ties the registry service to the persistent volume.

  1. Create another file called registry-volume-claim.yaml. 

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-volume-claim
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 3Gi

  2. Create the claim. 

    $ oc create -f registry-volume-claim.yaml

You have now created the Persistent Volume and the Persistent Volume Claim, and now need to add this claim to the registry.

3.6.3. Add the Persistent Volume Claim to the Registry

$ oc set volume dc/docker-registry \
    --add --overwrite -t persistentVolumeClaim \
    --claim-name=registry-volume-claim \
    --name=registry-storage

The docker-registry will now use the 3 GB persistent volume created for storing image and metadata.