Azure Red Hat OpenShift - Connecting to Azure Active Directory

Captions
Hey Stuart, we're back. Today we're going to talk through Azure Active Directory, right? Yeah, absolutely, let's do it. So I'm going to do the portal; I'm going to be the GUI clicker, and you're going to do it the much more elegant, repeatable way. So watch a little intro video and come back.

Okay, so I'm going to flip over to my screen here. Where we keep all the docs is just the aka.ms OpenShift docs link, which actually just takes you to the root here, and I'm going down into "Configure Azure Active Directory" through the GUI, through the portal. So there are a couple of things that you need here. A, you need a running ARO cluster, obviously, which Stuart has graciously given to me this morning, as I played with mine and I have it doing an upgrade to a test channel, so that kind of went boom. So I've gone and got some stuff here before actually walking through this. Essentially there are a couple of things that you need to do: A, you have to add in the OpenID Connect identity provider in the ARO cluster, and then on the Azure Active Directory side you have to set up your callback URL and so on correctly. Yes, that might sound kind of daunting, but that's just some copy and paste; you know, further down in the documentation is another... yeah, yeah.

And so what we'll do here is, first off, we'll go take a quick look over here at my Azure Active Directory. What I've got here is Azure AD, so we can see I've got my demo Azure Active Directory here, and I'm going to come down and click on App registrations. This is just something you would create, so you can go ahead and hit New and create one. I've already created one here, so I'm just going to cheat and grab that. The redirect URI and all the stuff that you need from the documentation is right here, so we're going to go ahead and copy some values. So we've got this created; now the redirect URI here we're going to go construct, so what I'm going to do is go look at that. We also need the client ID and tenant ID, and then a secret. So I'm going to come over here, grab the client ID, and grab my tenant ID, and then I'm also going to come down here and generate a secret to be used for this. So let's pause here and we'll go ahead and grab a secret. Now I have the things that I need.

The other thing in the documentation is just optional claims, and what this does is make sure that the claims that come back from Azure AD are in a better order, so that things work better on the OpenShift side. I know that's a very hand-wavy way of explaining that. What that looks like here is Token configuration: you just have to add an optional claim, email, pop it in, pop it to the top, and you're kind of done there. So let's come down here. We used to have a string here that had the redirect URI; you would keep the redirect URI, it was, yeah, the one that you just had there, and it actually generates it out of all of the variables that it's setting, so it looks like it's pulling info out of the cluster. But since I'm using your cluster, my Azure CLI won't have access to that, right? So you're going to have to do some fancy copy and replace, but basically that OAuth callback URL down at the bottom, the start of it is going to be the same; you just have to replace the cluster domain name as well as the Azure data center name, and if you follow the same format you should be good to go. Let me cheat here and grab a URL from another cluster, faster than if I reinvent the wheel; I'm all about that. But you see the format's the same as in the docs; the only thing is the domain name and the data center name would potentially change depending on... well, the domain name will definitely have changed, and the data center could change depending on where you deploy. Yeah, sorry, you're right, I'm thinking of the secondary one that goes in the OpenShift cluster; that's what I think I had. So this is just going to be... and so the cluster that you gave me is here, and it's in East US, so "eastus" still applies. Looks good. Yep, let's go back over to my URI; looks like I've got one in there, so I'm going to add this one in. That's the one that you gave me. Let's go ahead and save that.

So now, why are we doing this? We're granting permission for that cluster to access the service principal, correct? Yeah. So what this means is that when the identity provider on the OpenShift cluster says, hey, I'm redirecting my user over to Azure Active Directory, and Azure Active Directory sees that request coming in, it says, hey, I know this is the fully qualified path and it's coming from the OpenShift cluster, and yes, that is something that I will trust, essentially as a relying party, an RP, to my identity provider on the AAD side. And that's tricky to get... No, you're good, I was just saying that's it. Perfect.

So now that we've done that, we can come over to configuring the OpenShift cluster. Obviously I've already cheated and got the kubeadmin credentials from Stuart. So if we come down here to the dashboard... okay, there's a quick and easy way to get to it, but let's go through the good way. So here we go down to Administration, Cluster Settings, the Global Configuration tab, and then we should see something down here for authentication. Where's my... so you're looking for Authentication; there's the OAuth setup. Oh, yeah, "Other identity providers", right there, real OAuth. Beautiful. So we're going to add an OpenID Connect provider. We've got to give it a name here, and I did notice that I put in a dash; I don't know if it was a dash, but I put in a space once. Don't do that, that does not work; spaces do not work well on this. So the client ID and client secret are what we grabbed from AAD, so our client ID here and our secret for the app. Then the issuer URL, this is down here, so if we grab this and replace our tenant ID here. Now, while you're doing this copy and paste, I definitely want to point out that on the other screen where you specify the name, AAD, if you do decide to call it something else, albeit without a space, you have to make sure you change that OAuth reply URL. You see how you have AAD at the end there? That maps over to whatever that is two lines up, so if you change it to something other than capital AAD, make sure you change it on that reply URL as well. That's a good call, because it's an easy way to kind of trip up, and I'm not sure that the error messages are going to give you that easily. And then the preferred username here is what we're going to grab from one of the things we put in, so we're going to go ahead and pop in UPN. So we've got UPN, name, and email, and that's it. At this point we hit Add; it's going to sit here for a minute and give me probably, you know, 30 seconds to a minute, maybe two, but you will actually see it when you log out; you will see a secondary login option. It's still propagating across the masters at this point, but if we come back in a minute or two we'll see you can either pick kubeadmin or AAD. Okay, well, we can click over to Stuart, because I know yours is going to take a few minutes and we could stay here for 30 seconds to a minute. Yeah, let me go ahead and share out here and we will switch over to the CLI. All right, you got me? Yep.

Okay, so the script that I'm using here, aro4-build.sh, I think I referred to this in the last video we did, Lyle, with deploying OpenShift, and so I'm just using this exact same script. It's going to pull in a bunch of information that it needs to deploy an ARO cluster, and I've gone ahead and let it run, and I subsequently have a cluster stood up and ready to go. At this point I'm going to go ahead and use another script that I've generated to actually perform all the things that Lyle has done, in a very quick and expedient way. So that script is called aro4-aad-connect.sh, and if I go ahead and just run that without any switches, it tells me I need to specify the ARO cluster name as well as the resource group name. So let's go ahead and do that: the cluster name and the resource group name. I'm going to go ahead and hit Enter here, and it's going to tell me that if the ARO cluster uses a custom domain, the console and app addresses must resolve prior to running the script. So if you are using custom DNS, make sure that you have your A records set up prior to running this script, because it will call them out and try to resolve them as part of its data gathering. I'm going to go ahead and hit 1 to continue. Then what we'll do is we'll look at some of the formal documentation and then come back and test to make sure that this thing actually works. As you can see here, the script is going and pulling a whole bunch of variables. You'll remember at the top of the docs section that Lyle showed, it was setting a bunch of variables; so this script is going to do all of that for you, and then it's going to run through, create the authentication provider in OpenShift, and then subsequently push in the config as needed for Azure Active Directory. So the grabbing, is that using the Azure CLI with that --query parameter, with the -o tsv? That basically allows you to grab specific things and throw them into environment variables. Or are you doing something else? No, that's exactly what it's doing; it's using the az CLI and setting all those variables behind the scenes. I don't have a --query TSV setup; what I am doing is just using jq, so six of one, half a dozen of the other. I like jq, I'm used to it, but you can absolutely use -o tsv and then do a JMESPath query as well. So you see it's gone ahead and created a manifest for the Azure application as well as the service principal, and the manifest, again, that is just the ARO authentication provider. It will log in to the ARO cluster to make sure that it has admin access, and then subsequently push in the secret that it auto-generates for you as well as the revised authentication provider config, and then it cleans up after itself, because it generates a couple of temp files.

So I'm going to go ahead and jump over here to the actual documentation, and this is for the CLI. This is looking very similar to what Lyle had just shown you; however, this is command-line only, so a lot of the commands are going to be very similar. So the domain, location, API server: all of these variables, Lyle, you just called out a second ago how those are being set; it's very much the same way as you see here on the screen, happening behind the scenes for you automatically. This is for creating the actual service principal; again, this is done behind the scenes for you. The IDs, of course, are recorded into variables, so basically all the stuff that it's asking you to write down, I have automatically set in variables, so you don't have to worry about that. The manifest file, this is the OAuth provider for OpenShift that's going to be pushed into openshift-config, and then subsequently updating the app with the reply URLs and other information that it needs; again, all of this is done behind the scenes. Listing the credentials and logging in to the ARO cluster, we saw that again just a moment ago, using oc login, which is right here. So again, I'm basically stepping through all of these commands in the script for you and saving you the trouble of having to write all these things down that it asks you to copy and paste. Subsequently it will create the authentication provider again and push that up into ARO as well, and at this point you can test your config.

So let's just have a look at the script here, and if you do want to download it, my GitHub is "Stuart at Microsoft" and the repo is "azure aro"; there's, you know, whatever I'm working on at the time, I've pushed stuff up in there. There are some build scripts and some pull secret scripts and things like that, so feel free to go in and take the content that you might like. But as you can see here, it expects two inputs, the cluster name and the resource group name, which is what we saw. Lyle, here is all of your code for setting those variables, all in here, and then subsequently creating the manifest, creating the service principal and assigning the appropriate permissions to it as required by the documentation, logging in to ARO, looking at the OpenShift console through the API, creating the authentication secrets file, creating the AAD provider. So that's when you went into Global Configuration, OAuth, and added the provider called AAD, and remember this name right here on line 126 will translate into that reply URL, which should have already been set for us. It sets the variables, so remember you did a copy and paste of the tenant ID; again, I set that as a variable, so, again, another thing you don't have to copy and paste. And then subsequently pushing that config up into ARO, and then cleaning up after itself.

So let's jump back over here to the shell, and I'm just going to go ahead and open this URL, and hopefully I see an option for logging in with AAD. What you can do, certainly, is delete this kubeadmin user if you like, and then it will actually just log you right in at that point. kubeadmin is, you know, kind of like the backdoor account, if you will, to log in with cluster-admin access; up to you whether you want to delete it. But just clicking on AAD, I'm going to get a box that comes up prompting me to accept the permissions for the connector service principal that I've set up, and then once I do that we should be logged in to the cluster. And so here we go, I'm logged in as a generic user; I can then subsequently create a project and be all set to go at that point. Certainly if I'm a cluster-admin user I can go ahead and assign different user-level permissions to this account that I've set up, now that I have logged in and that account does exist. But that is essentially it. Wow.

Let's check out mine, and then we'll talk about other things that I've done for some of us here in our Microsoft team. So this is the cluster, so mine's there, running on AAD, so if I come over here into AAD, obviously I need to pop in the information for my account that I was using, and this is just a user in my tenant. Are you sharing your screen out? Oh, I was not. Yeah, I actually have to hit the button; there we go. So it actually asked me to change my password, so we're going to do the graceful thing in here and just put it in and add a number at the end. So you can see I've logged in with this test account while that's going on, and yeah, sure, we'll stay signed in. So I'm in my cluster too. And it's funny, as we were working on this with some of our field teams, trying to say, okay, look, obviously you have cluster-admin now, and we're trying to figure out, hey, what's a quick and easy way, if you're just spinning up an ARO cluster for a couple of people to go play around with, what are some things that you could do easily on this. So one of the things that we did was just went in... obviously I'm signed in with that account, which doesn't have the permissions, but if I was to go back and sign in as kubeadmin, so let's actually go ahead and do this right now. One of the things that we did for some of us, obviously not the best practice for a production environment, is we just went over here and created a new cluster role binding and said, you know, admin for all for a few days. Yeah. This is just something that we did that made it so, hey, look, we just need a cluster, we want to go hack on some stuff. This is just something that works; we're not doing this as a build of things, we're doing this short term, just to get people to be able to play around for a little bit, and this is a really quick way to do this. So you just give it whatever name you want, like, hey, you know, "this is super bad for production", but if you just need a cluster and you need a couple of people to be able to hack away with it for a few days, or just be able to log in and see what ARO looks like, and make it easier for people: just give them cluster-admin and the group system:authenticated. What this means is, at this point, when you create this cluster role binding and once it's propagated, if I log in as an authenticated user, so somebody in my tenant, when I come back in, on the fly here you'll see, hey, I can go and do everything that I couldn't do before. So, you know, just a nice quick, not-production, but you've got a couple of people that are trying to figure out what ARO is or getting used to it, or you've got a couple of devs and they've got a local cluster that you want, not as you'd treat your prod, but this is our cluster that we're just going to go hack away at, until we start to actually get to the point where, okay, let's go make sure we're doing a project, make sure they're doing role bindings for projects and for groups, and the extra setting up of your RBAC. I found this is just a quick and easy way to make sure that, okay, a couple of people want to go play with an ARO cluster, give them this; they blow it up, like you said, it's a quick rebuild of a cluster, and then you can go run a script you have and you're rocking and rolling. Kind of sounds like a chmod 777; kind of gets the hairs on the back of my neck standing up. Yes, a couple of people I've set this up for are like, that is not the way to have it. I guess this is just for when you're tinkering around and you want people to be able to tinker easily. So, excellent. Well, thanks, Stuart, appreciate it. Lyle, yeah, I think we've covered this both from the graphical interface as well as the command line, and hopefully that gets anyone watching this well on your way to getting connected to your Azure Active Directory. Yeah, I think, you know, just to be clear, this allows you to authenticate; it does not set up group sync, or using AAD groups as groups in OpenShift and things like that. To do that, there are some other things you have to do, correct? Yeah, that's right, but this allows you to go ahead and log in to the cluster, and then you can go set up custom role bindings from here. And you could actually go look: when you see that user, they actually show up in there, so you can go ahead and take that user and that user's ID and map it to groups inside of the OpenShift cluster, at least do that. All right, yeah, let's do a video on, maybe, I don't know, pull secrets or custom SSL certificates; I mean, lots of things we can do, so excited for what we have coming up. Yeah, thanks, all.
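The manual steps in the captions above (construct the OAuth callback URL from the cluster domain and Azure location, keep the identity-provider name in step with the reply URL registered on the app, then push a client secret and an OAuth resource into the cluster) as a POSIX shell script. This is an added example, not the video's aro4-aad-connect.sh and not the ARO docs' own code. Function names, the sample values in the comments, and the secret name openid-client-secret-azuread are assumptions for illustration; the `az ad app create --web-redirect-uris` flag is the current Azure CLI form (the docs at the time of the video used `--reply-urls`), and the optional claims the docs add to the app registration are not set here. Only the pure functions run offline; `aro_apply` needs an authenticated `az` session and an `oc login` as kubeadmin.

```shell
#!/bin/sh
# aro-aad.sh: added example, not the video's script or the ARO docs' code.
# Pure helpers (callback URL, reply-URL check, OAuth manifest) plus an
# opt-in end-to-end flow that shells out to az and oc.

# The IdP name becomes the last path segment of the callback URL
# (/oauth2callback/<name>), so reject empty names, whitespace and slashes.
# The character set is a conservative assumption, not the OpenShift rule.
aro_validate_idp_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Callback URL in the format the docs use: only the cluster domain and the
# Azure location (e.g. eastus) change between clusters.
aro_callback_url() {
  # $1 = cluster domain, $2 = Azure location, $3 = IdP name
  aro_validate_idp_name "$3" || return 1
  printf 'https://oauth-openshift.apps.%s.%s.aroapp.io/oauth2callback/%s\n' "$1" "$2" "$3"
}

# Issuer URL for the OpenID identity provider: the AAD tenant endpoint.
aro_issuer_url() {
  printf 'https://login.microsoftonline.com/%s\n' "$1"
}

# The trip-up called out in the video: the reply URL on the AAD app must
# end with the exact (case-sensitive) IdP name used in the OAuth resource.
aro_reply_url_matches() {
  # $1 = reply URL registered on the app, $2 = IdP name
  case "$1" in
    */oauth2callback/"$2") return 0 ;;
    *) return 1 ;;
  esac
}

# OAuth resource for the cluster with the claim mapping entered in the
# portal: preferredUsername from upn (falling back to email), name, email.
aro_oauth_manifest() {
  # $1 = IdP name, $2 = client (app) ID, $3 = tenant ID, $4 = secret name
  aro_validate_idp_name "$1" || return 1
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: $1
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: $2
      clientSecret:
        name: $4
      extraScopes:
      - email
      - profile
      claims:
        preferredUsername:
        - upn
        - email
        name:
        - name
        email:
        - email
      issuer: $(aro_issuer_url "$3")
EOF
}

# End-to-end CLI flow. Requires az (logged in as someone who can create app
# registrations) and oc (logged in as kubeadmin). Not run by default:
#   sh aro-aad.sh apply <cluster> <resource-group> [idp-name]
aro_apply() {
  cluster=$1; rg=$2; idp=${3:-AAD}
  domain=$(az aro show -g "$rg" -n "$cluster" --query clusterProfile.domain -o tsv)
  location=$(az aro show -g "$rg" -n "$cluster" --query location -o tsv)
  tenant=$(az account show --query tenantId -o tsv)
  callback=$(aro_callback_url "$domain" "$location" "$idp") || {
    echo "invalid IdP name: '$idp'" >&2; return 1; }
  appid=$(az ad app create --display-name "aro-$cluster-auth" \
            --web-redirect-uris "$callback" --query appId -o tsv)
  # Generate the client secret on the app instead of copying it from the portal.
  secret=$(az ad app credential reset --id "$appid" --query password -o tsv)
  az ad sp create --id "$appid" >/dev/null
  oc create secret generic openid-client-secret-azuread -n openshift-config \
    --from-literal=clientSecret="$secret"
  aro_oauth_manifest "$idp" "$appid" "$tenant" openid-client-secret-azuread | oc apply -f -
}

case "${1:-}" in
  apply) shift; aro_apply "$@" ;;
esac
```

For the portal route, the same check applies by hand: feed the redirect URI you pasted into App registrations and the name you typed into the OpenShift identity-provider form to `aro_reply_url_matches`, since a lowercase "aad" on one side and "AAD" on the other fails silently at login time. The apply flow deliberately never prints the client secret and pipes the manifest straight into `oc apply -f -` so nothing sensitive is left on disk.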
Info
Channel: Azure in the Enterprise
Views: 469
Keywords: azure, redhat, openshift, aro, azure red hat openshift, microsoft
Id: uqTHphjkolM
Length: 23min 13sec (1393 seconds)
Published: Fri May 15 2020