OpenShift Service Account for Avi Vantage Authentication

Beginning with release 16.3.4, Avi Vantage supports OpenShift service accounts and the corresponding token for authenticating with an OpenShift cluster, in addition to client certificates. This article describes the configuration workflow: create a service account for Avi, create a cluster role with the privileges Avi needs, bind the role to the service account, and extract the account's token for the Avi cloud configuration.

Create a Service Account for Avi

Step 1. Define the Avi Service Account (sa.json)

{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "name": "avi"
  }
}

Step 2. Create a Service Account

Create the service account with the OpenShift client, using the sa.json definition above. Because sa.json specifies no namespace, the account is created in the current project; the remaining steps in this article assume that project is default.

>oc create -f sa.json

Create a Cluster Role

Create the cluster role with the OpenShift client, using the clusterrole.json file below. Use this role when deploying Avi Service Engines as Docker containers via SSH. Note that the first rule allows get, list and watch on every resource, so the token derived from this account can read every object in every project, secrets included; protect it as you would any cluster-wide read credential.

>oc create -f clusterrole.json

{
  "apiVersion": "v1",
  "kind": "ClusterRole",
  "metadata": {
    "name": "avirole"
  },
  "rules": [
    {
      "verbs": ["get", "list", "watch"],
      "resources": ["*"]
    },
    {
      "verbs": ["patch", "update"],
      "resources": ["routes/status"]
    }
  ]
}

To provide the additional privileges required for deploying Avi Service Engines as pods, create the cluster role with the OpenShift client using the clusterrolesepod.json file below instead. Both files define a cluster role named avirole, so create only the one that matches your deployment mode (oc create of the second fails because the name already exists); the pod version is a superset of the SSH version. It additionally grants create, update and delete on secrets, serviceaccounts and securitycontextconstraints in every project, which amounts to administrative control of the cluster, so handle the token derived from this account as you would a cluster-admin credential.

>oc create -f clusterrolesepod.json

{
  "apiVersion": "v1",
  "kind": "ClusterRole",
  "metadata": {
    "name": "avirole"
  },
  "rules": [
    {
      "apiGroups": [""],
      "resources": ["*"],
      "verbs": ["get", "list", "watch"]
    },
    {
      "apiGroups": [""],
      "resources": ["routes/status"],
      "verbs": ["patch", "update"]
    },
    {
      "apiGroups": [""],
      "resources": ["pods", "secrets", "securitycontextconstraints", "serviceaccounts"],
      "verbs": ["create", "delete", "get", "list", "update", "watch"]
    },
    {
      "apiGroups": ["extensions"],
      "resources": ["daemonsets"],
      "verbs": ["create", "delete", "get", "list", "update", "watch"]
    }
  ]
}
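The two cluster roles above are easy to read rule by rule but harder to reason about as a whole, because a "*" resource entry silently covers secrets and securitycontextconstraints. The following script is an added example, not part of this article or of Avi Vantage: it loads both roles exactly as given above, expands wildcards, and reports which sensitive resources each role can read or write, then confirms that the pod role subsumes the SSH role. The list of sensitive resources and the one-line consequences are this example's own choices.

```python
import json

# Resources whose exposure matters most when a role is bound cluster-wide.
# The descriptions are this example's own summary, not text from the page.
SENSITIVE = {
    "secrets": "every secret in every project, including other service-account tokens",
    "securitycontextconstraints": "which pods may run privileged, as root, or with host access",
    "serviceaccounts": "new identities that can then be bound to roles",
    "pods": "workloads, which can be scheduled under the SCCs above",
}
READ = {"get", "list", "watch"}
WRITE = {"create", "update", "patch", "delete", "deletecollection"}

# The two roles from this page, transcribed from clusterrole.json (SSH
# deployment) and clusterrolesepod.json (pod deployment). Both carry the
# name "avirole", exactly as the page gives them.
SSH_ROLE = json.loads("""
{"apiVersion": "v1", "kind": "ClusterRole", "metadata": {"name": "avirole"},
 "rules": [
   {"verbs": ["get", "list", "watch"], "resources": ["*"]},
   {"verbs": ["patch", "update"], "resources": ["routes/status"]}
 ]}
""")
POD_ROLE = json.loads("""
{"apiVersion": "v1", "kind": "ClusterRole", "metadata": {"name": "avirole"},
 "rules": [
   {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": [""], "resources": ["routes/status"], "verbs": ["patch", "update"]},
   {"apiGroups": [""],
    "resources": ["pods", "secrets", "securitycontextconstraints", "serviceaccounts"],
    "verbs": ["create", "delete", "get", "list", "update", "watch"]},
   {"apiGroups": ["extensions"], "resources": ["daemonsets"],
    "verbs": ["create", "delete", "get", "list", "update", "watch"]}
 ]}
""")


def effective_verbs(role):
    """Map each sensitive resource to the verbs the role grants on it.

    A "*" resource entry is expanded to every sensitive resource and a "*"
    verb to every read and write verb, so wildcards are counted, not hidden.
    """
    granted = {res: set() for res in SENSITIVE}
    for rule in role["rules"]:
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            verbs = READ | WRITE
        for res in rule.get("resources", []):
            targets = list(SENSITIVE) if res == "*" else [res]
            for target in targets:
                if target in granted:
                    granted[target] |= verbs
    return granted


def audit(role):
    """One finding per sensitive resource the role can read, and another
    if it can also write it, each with the consequence spelled out."""
    granted = effective_verbs(role)
    findings = []
    for res, consequence in SENSITIVE.items():
        if granted[res] & READ:
            findings.append("READ  %-26s -> %s" % (res, consequence))
        if granted[res] & WRITE:
            findings.append("WRITE %-26s -> %s" % (res, consequence))
    return findings


def is_superset(big, small):
    """True if `big` grants, on every sensitive resource, at least the verbs
    `small` does; used to confirm the pod role subsumes the SSH role."""
    b, s = effective_verbs(big), effective_verbs(small)
    return all(s[res] <= b[res] for res in SENSITIVE)


if __name__ == "__main__":
    for label, role in (("clusterrole.json", SSH_ROLE), ("clusterrolesepod.json", POD_ROLE)):
        print("== %s (%s)" % (label, role["metadata"]["name"]))
        for line in audit(role):
            print("  " + line)
    print("pod role is a superset of ssh role:", is_superset(POD_ROLE, SSH_ROLE))
```

Run as-is it reports four read findings for the SSH role and four read plus four write findings for the pod role. The same functions work on any ClusterRole JSON exported with `oc get clusterrole <name> -o json`, which is the practical way to review what a token handed to a third party can actually do.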

Add Created Cluster Role to Service Account

This is typically executed on the OpenShift master by a user with cluster-admin rights, since granting a cluster role requires them. The subject name below assumes the service account was created in the default project; adjust the project segment if it was created elsewhere.

>oc adm policy add-cluster-role-to-user avirole system:serviceaccount:default:avi

Extract Token for Use in Avi Cloud Configuration

  1. Extract the token with the following command.

     oc serviceaccounts get-token avi

     The command prints the token, as in the sample below.

     oc serviceaccounts get-token avi
     eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImF2aXZhbnRhZ2UtZmRhMDdjOWItMGUzOS00ZjdkLTk5NDEtZGJiYTEzNDIzZmE0LXRva2VuLWJ3dGdjIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImF2aXZhbnRhZ2UtZmRhMDdjOWItMGUzOS00ZjdkLTk5NDEtZGJiYTEzNDIzZmE0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDA3MDM2ZTctNjFmOC0xMWU5LWFmZWYtMDA1MDU2OGM0NDMzIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YXZpdmFudGFnZS1mZGEwN2M5Yi0wZTM5LTRmN2QtOTk0MS1kYmJhMTM0MjNmYTQifQ.C9eGg2biAzXdbrO9KmVo2UvczWdGPRqNxzFaOH7_1NPAYBSyiiXrkDcUp_aucV0IHxHJro7-i3gQIhZ1RwXuT94ejUTMVqXjHKuIuAKhx3tZj0JH_VtZNfXOsTVBLin4n17jAdSiK4jd75rFo2Nb9dYXV4Y9ob4iStAQhrWXIj5NGehGFyi7xIN5-iY8bePE325oc6YA62BhW2q_J6OKniSCHpP30t_xz_VZY3IX_z3ehAsuPQJg20gct9PLoMVCpMujWn77QYxqWrARRU1gAsm90QODw0sKMXIQYdqTYN6XkQFv74ciXdfrR1tWiKH4u8-fkHuzD-2ADn8s53dOAg

  2. Enter the extracted token in the Service Account Token field while configuring an OpenShift cloud on the Avi Controller. Treat it as a long-lived credential: service account tokens of this form carry no expiry and remain valid until the token secret they reference is deleted from the project.

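The cluster role binding applies to a subject name, so before pasting a token into the Avi Controller it is worth confirming that the token really belongs to the account that was bound. The script below is an added example, not part of this article or of Avi Vantage: it splits the token into its JWT segments, decodes the header and claims without verifying the signature (only the API server can do that), and compares the sub claim with the expected subject. It embeds the sample token printed above; decoding it shows that the sample was issued to a service account named avivantage-fda07c9b-0e39-4f7d-9941-dbba13423fa4 in the default project, not to avi, which is precisely the mismatch this check exists to catch. The expected subject system:serviceaccount:default:avi is this example's assumption, following the binding command earlier in the article.

```python
import base64
import json

# Expected subject: the service account from sa.json, bound to avirole in
# the default project. Assumption (as in the article): sa.json was created
# while the current project was "default".
EXPECTED_SUBJECT = "system:serviceaccount:default:avi"

# The sample token printed on this page by `oc serviceaccounts get-token avi`.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImF2aXZhbnRhZ2UtZmRhMDdjOWItMGUzOS00ZjdkLTk5NDEtZGJiYTEzNDIzZmE0LXRva2VuLWJ3dGdjIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImF2aXZhbnRhZ2UtZmRhMDdjOWItMGUzOS00ZjdkLTk5NDEtZGJiYTEzNDIzZmE0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDA3MDM2ZTctNjFmOC0xMWU5LWFmZWYtMDA1MDU2OGM0NDMzIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YXZpdmFudGFnZS1mZGEwN2M5Yi0wZTM5LTRmN2QtOTk0MS1kYmJhMTM0MjNmYTQifQ.C9eGg2biAzXdbrO9KmVo2UvczWdGPRqNxzFaOH7_1NPAYBSyiiXrkDcUp_aucV0IHxHJro7-i3gQIhZ1RwXuT94ejUTMVqXjHKuIuAKhx3tZj0JH_VtZNfXOsTVBLin4n17jAdSiK4jd75rFo2Nb9dYXV4Y9ob4iStAQhrWXIj5NGehGFyi7xIN5-iY8bePE325oc6YA62BhW2q_J6OKniSCHpP30t_xz_VZY3IX_z3ehAsuPQJg20gct9PLoMVCpMujWn77QYxqWrARRU1gAsm90QODw0sKMXIQYdqTYN6XkQFv74ciXdfrR1tWiKH4u8-fkHuzD-2ADn8s53dOAg"


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_sa_token(token):
    """Split a JWT into its parsed header and claims.

    The signature is NOT verified here: only the API server holds the key
    that can do that. This is for inspecting what the token claims to be
    before it is pasted into the Avi Controller, nothing more.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_sa_token(token, expected_subject):
    """Summarise a service-account token and say whether its subject is the
    identity that was granted the cluster role."""
    header, claims = decode_sa_token(token)
    subject = claims.get("sub")
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": subject,
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        # Deleting this secret in the project is how the token is revoked.
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
        # Tokens of this form carry no exp claim: they do not expire on their own.
        "expires": "exp" in claims,
        "matches_binding": subject == expected_subject,
    }


if __name__ == "__main__":
    result = check_sa_token(SAMPLE_TOKEN, EXPECTED_SUBJECT)
    for key, value in result.items():
        print("%-16s %s" % (key, value))
    if not result["matches_binding"]:
        print("WARNING: token subject %r is not %r; the cluster role binding does not cover it"
              % (result["subject"], EXPECTED_SUBJECT))
```

To check a token from your own cluster, replace SAMPLE_TOKEN with the output of `oc serviceaccounts get-token avi` (or pipe it in) and keep EXPECTED_SUBJECT in step with the project used in the add-cluster-role-to-user command. A subject mismatch means the Avi Controller would authenticate successfully but be denied every request the role was meant to allow.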