Experimental freeipa-operator for Freeipa.
It requires golang 1.16; if your system is providing a lower version, consider to install gvm. for using different golang versions.
-
Clone the repository by:
git clone https://github.com/freeipa/freeipa-operator.git cd freeipa-operator -
Install the necessary tools by:
./devel/install-local-tools.sh
-
Build by:
make build
-
Launch tests by:
make test ./bin/operator-sdk scorecard bundle -
Now create a new namespace by:
oc create namespace my-freeipa -
As cluster-admin user logged in the cluster run:
make install
This will generate the CRD and install it into the cluster. The CRD need to be installed into the cluster even if we run the controller from our local workstation.
-
Run locally outside the cluster by (webhooks are disabled):
make run
-
Or run inside the cluster by (first build and push the image):
oc login https://my-cluster:6443 export IMAGE_TAG_BASE=quay.io/USER_ORG/freeipa-operator podman login quay.io make docker-build make docker-push # We need cert-manager for generating the certificates for the webhooks make cert-manager-install # When the cert-manager operator is installed, run this: make cert-manager-self-signed-issuer-create # Create the scc object oc create -f config/rbac/scc.yaml # Finally deploy the operator in the cluster with: make deploy
-
Create
private.mkfile and update IMG_BASE variable value.cp -vf private.mk.example private.mk
Update
private.mkwhere required -
And create a new idm resource by:
make sample-create
The deployment spend about 5 minutes to finish, after that you will see something like the below when running:
oc logs --tail=35 pod/idm-sample-main-0[ OK ] Finished Identity, Policy, Audit. ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. 3. Kerberos requires time synchronization between clients and servers for correct operation. You should consider enabling chronyd. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password The ipa-server-install command was successful FreeIPA server does not run DNS server, skipping update-self-ip-address. Created symlink /etc/systemd/system/container-ipa.target.wants/ipa-server- update-self-ip-address.service → /usr/lib/systemd/system/ipa-server-update- self-ip-address.service. Created symlink /etc/systemd/system/container-ipa.target.wants/ipa-server- upgrade.service → /usr/lib/systemd/system/ipa-server-upgrade.service. Removed /etc/systemd/system/container-ipa.target.wants/ipa-server-configure- first.service. [ OK ] Finished Configure IPA server upon the first start. FreeIPA server configured. -
Now you should be able to reach out the web interface by:
xdg-open "https://$(oc get route idm-sample -o jsonpath='{.spec.host}')" -
Look at your objects by:
kubectl get all,idm,pvc,secrets -
And clean-up the cluster by:
make undeploy oc delete -f config/rbac/scc.yaml
-
For the unit tests run:
make test -
For the integration tests with scorecard run:
# Generate bundle directory # bundle.Dockerfile is generated on this step # More information about the LABELS inside here: # https://github.com/operator-framework/operator-registry/blob/master/docs/design/operator-bundle.md#bundle-annotations # https://olm.operatorframework.io/docs/tasks/creating-operator-bundle/#contents-of-annotationsyaml-and-the-dockerfile make bundle # Running scorecard tests generated in the bundle directory by make scorecard-bundle
Pre-requisites:
- A proper
private.mkfile setup. (seeprivate.mk.example). - The freeipa SecurityContextConstraint created (
oc create -f config/rbac/scc.yaml).
Steps:
-
Create the Security Context Constraint profile (if not yet):
oc create -f config/rbac/scc.yaml
-
Create a namespace:
oc new-project ipa
-
Build and publish container images:
make docker-build docker-push \ bundle bundle-build bundle-push \ catalog-build catalog-push -
Install operator with OLM in the current namespace by:
make bundle-install
-
Create a sample idm resource:
oc create -f config/samples/persistent-storage.yaml
-
Delete the custom resource created:
oc delete -f config/samples/persistent-storage.yaml
TODO You will need to delete the PVC by hand if a new IDM resource have to be created with different options.
-
Cleanup the operator from the cluster:
make bundle-uninstall
-
Remove the namespace:
oc delete project ipa
-
Remove the Security Context Constraint profile by:
oc delete -f config/rbac/scc.yaml
See also: Operator SDK 1.0.0 - Quick Start.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent