OpenShift Service Account for Avi Vantage Authentication
Beginning with release 16.3.4, Avi Vantage supports OpenShift service accounts and corresponding token for authentication with an OpenShift cluster in addition to client certificates. This article describes the configuration workflow.
Create a Service Account for Avi
Step 1. Service Account Definition of Avi Service Account (sa.json)
{
"apiVersion": "v1",
"kind": "ServiceAccount",
"metadata": {
"name": "avi"
}
}Step 2. Create a Service Account
Use the OpenShift client using the above definition sa.json file.
>oc create -f sa.json
Create a Cluster Role
Use the OpenShift client using the below clusterrole.json file. Use this role when deploying Avi Service Engines as a Docker container via ssh.
>oc create -f clusterrole.json
{
"apiVersion": "v1",
"kind": "ClusterRole",
"metadata": {
"name": "avirole"
},
"rules": [
{
"verbs": ["get","list","watch"],
"resources": ["*"]
},
{
"verbs": ["patch","update"],
"resources": ["routes/status"]
}
]
}To provide additional privileges required for deploying Avi Service Engines as a Pod, create a cluster role with the OpenShift client using the below clusterrolesepod.json file.
>oc create -f clusterrolesepod.json
{
"apiVersion": "v1",
"kind": "ClusterRole",
"metadata": {
"name": "avirole"
},
"rules": [
{
"apiGroups": [
""
],
"resources": [
"*"
],
"verbs": [
"get",
"list",
"watch"
]
},
{
"apiGroups": [
""
],
"resources": [
"routes/status"
],
"verbs": [
"patch",
"update"
]
},
{
"apiGroups": [
""
],
"resources": [
"pods",
"secrets",
"securitycontextconstraints",
"serviceaccounts"
],
"verbs": [
"create",
"delete",
"get",
"list",
"update",
"watch"
]
},
{
"apiGroups": [
"extensions"
],
"resources": [
"daemonsets"
],
"verbs": [
"create",
"delete",
"get",
"list",
"update",
"watch"
]
}
]
}Add Created Cluster Role to Service Account
This is typically executed on the OpenShift master.
>oc adm policy add-cluster-role-to-user avirole system:serviceaccount:default:avi
Extract Token for Use in Avi Cloud Configuration
-
Use the following command to extract the token.
oc serviceaccounts get-token aviThe extracted token appears as shown below.
oc serviceaccounts get-token avi eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImF2aXZhbnRhZ2UtZmRhMDdjOWItMGUzOS00ZjdkLTk5NDEtZGJiYTEzNDIzZmE0LXRva2VuLWJ3dGdjIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImF2aXZhbnRhZ2UtZmRhMDdjOWItMGUzOS00ZjdkLTk5NDEtZGJiYTEzNDIzZmE0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDA3MDM2ZTctNjFmOC0xMWU5LWFmZWYtMDA1MDU2OGM0NDMzIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YXZpdmFudGFnZS1mZGEwN2M5Yi0wZTM5LTRmN2QtOTk0MS1kYmJhMTM0MjNmYTQifQ.C9eGg2biAzXdbrO9KmVo2UvczWdGPRqNxzFaOH7_1NPAYBSyiiXrkDcUp_aucV0IHxHJro7-i3gQIhZ1RwXuT94ejUTMVqXjHKuIuAKhx3tZj0JH_VtZNfXOsTVBLin4n17jAdSiK4jd75rFo2Nb9dYXV4Y9ob4iStAQhrWXIj5NGehGFyi7xIN5-iY8bePE325oc6YA62BhW2q_J6OKniSCHpP30t_xz_VZY3IX_z3ehAsuPQJg20gct9PLoMVCpMujWn77QYxqWrARRU1gAsm90QODw0sKMXIQYdqTYN6XkQFv74ciXdfrR1tWiKH4u8-fkHuzD-2ADn8s53dOAg -
Enter the token extracted in the field Service Account Token while configuring an OpenShift cloud on the Avi Controller.
