Post-deployment tasks
Applies to: ✔️ Linux VMs ✔️ Flexible scale sets
After you deploy an OpenShift cluster, you can configure additional items. This article covers:
- How to configure single sign-on by using Azure Active Directory (Azure AD)
- How to configure Azure Monitor logs to monitor OpenShift
- How to configure metrics and logging
- How to install Open Service Broker for Azure (OSBA)
Configure single sign-on by using Azure Active Directory
To use Azure Active Directory for authentication, first you need to create an Azure AD app registration. This process involves two steps: creating the app registration, and configuring permissions.
Create an app registration
These steps use the Azure CLI to create the app registration, and the GUI (portal) to set the permissions. To create the app registration, you need the following five pieces of information:
- Display name: App registration name (for example, OCPAzureAD)
- Home page: OpenShift console URL (for example,
https://masterdns343khhde.westus.cloudapp.azure.com/console
) - Identifier URI: OpenShift console URL (for example,
https://masterdns343khhde.westus.cloudapp.azure.com/console
) - Reply URL: Master public URL and the app registration name (for example,
https://masterdns343khhde.westus.cloudapp.azure.com/oauth2callback/OCPAzureAD
) - Password: Secure password (use a strong password)
The following example creates an app registration by using the preceding information:
az ad app create --display-name OCPAzureAD --homepage https://masterdns343khhde.westus.cloudapp.azure.com/console --reply-urls https://masterdns343khhde.westus.cloudapp.azure.com/oauth2callback/hwocpadint --identifier-uris https://masterdns343khhde.westus.cloudapp.azure.com/console --password {Strong Password}
If the command is successful, you get a JSON output similar to:
{
"appId": "12345678-ca3c-427b-9a04-ab12345cd678",
"appPermissions": null,
"availableToOtherTenants": false,
"displayName": "OCPAzureAD",
"homepage": "https://masterdns343khhde.westus.cloudapp.azure.com/console",
"identifierUris": [
"https://masterdns343khhde.westus.cloudapp.azure.com/console"
],
"objectId": "62cd74c9-42bb-4b9f-b2b5-b6ee88991c80",
"objectType": "Application",
"replyUrls": [
"https://masterdns343khhde.westus.cloudapp.azure.com/oauth2callback/OCPAzureAD"
]
}
Take note of the appId property returned from the command for a later step.
In the Azure portal:
Select Azure Active Directory > App Registration.
Search for your app registration (for example, OCPAzureAD).
In the results, click the app registration.
Under Settings, select Required permissions.
Under Required Permissions, select Add.
Click Step 1: Select API, and then click Windows Azure Active Directory (Microsoft.Azure.ActiveDirectory). Click Select at the bottom.
On Step 2: Select Permissions, select Sign in and read user profile under Delegated Permissions, and then click Select.
Select Done.
Configure OpenShift for Azure AD authentication
To configure OpenShift to use Azure AD as an authentication provider, the /etc/origin/master/master-config.yaml file must be edited on all master nodes.
Find the tenant ID by using the following CLI command:
az account show
In the yaml file, find the following lines:
oauthConfig:
assetPublicURL: https://masterdns343khhde.westus.cloudapp.azure.com/console/
grantConfig:
method: auto
identityProviders:
- challenge: true
login: true
mappingMethod: claim
name: htpasswd_auth
provider:
apiVersion: v1
file: /etc/origin/master/htpasswd
kind: HTPasswdPasswordIdentityProvider
Insert the following lines immediately after the preceding lines:
- name: <App Registration Name>
challenge: false
login: true
mappingMethod: claim
provider:
apiVersion: v1
kind: OpenIDIdentityProvider
clientID: <appId>
clientSecret: <Strong Password>
claims:
id:
- sub
preferredUsername:
- unique_name
name:
- name
email:
- email
urls:
authorize: https://login.microsoftonline.com/<tenant Id>/oauth2/authorize
token: https://login.microsoftonline.com/<tenant Id>/oauth2/token
Make sure the text aligns correctly under identityProviders. Find the tenant ID by using the following CLI command: az account show
Restart the OpenShift master services on all master nodes:
sudo /usr/local/bin/master-restart api
sudo /usr/local/bin/master-restart controllers
In the OpenShift console, you now see two options for authentication: htpasswd_auth and [App Registration].
Monitor OpenShift with Azure Monitor logs
There are three ways to add the Log Analytics agent to OpenShift.
- Install the Log Analytics agent for Linux directly on each OpenShift node
- Enable Azure Monitor VM Extension on each OpenShift node
- Install the Log Analytics agent as an OpenShift daemon-set
Read the full instructions for more details.
Configure metrics and logging
Based on the branch, the Azure Resource Manager templates for OpenShift Container Platform and OKD may provide input parameters for enabling metrics and logging as part of the installation.
The OpenShift Container Platform Marketplace offer also provides an option to enable metrics and logging during cluster installation.
If metrics / logging wasn't enabled during the installation of the cluster, they can easily be enabled after the fact.
Azure Cloud Provider in use
SSH to the bastion node or first master node (based on template and branch in use) using the credentials provided during deployment. Issue the following command:
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-metrics/config.yml \
-e openshift_metrics_install_metrics=True \
-e openshift_metrics_cassandra_storage_type=dynamic
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml \
-e openshift_logging_install_logging=True \
-e openshift_logging_es_pvc_dynamic=true
Azure Cloud Provider not in use
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-metrics/config.yml \
-e openshift_metrics_install_metrics=True
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml \
-e openshift_logging_install_logging=True
Install Open Service Broker for Azure (OSBA)
Open Service Broker for Azure, or OSBA, lets you provision Azure Cloud Services directly from OpenShift. OSBA in an Open Service Broker API implementation for Azure. The Open Service Broker API is a spec that defines a common language for cloud providers that cloud native applications can use to manage cloud services without lock-in.
To install OSBA on OpenShift, follow the instructions located here: https://github.com/Azure/open-service-broker-azure#openshift-project-template.
Note
Only complete the steps in the OpenShift Project Template section and not the entire Installing section.