21 Apr, 2024 8:09 AM
31 Dec, 2024 5:14 AM

OCP Snippets

#tech/snippets

OCP Allowed Image Registries

spec:
  registrySources:
    # allowedRegistries and blockedRegistries are mutually exclusive; keep the
    # registries the platform itself pulls from (quay.io, registry.redhat.io,
    # the internal registry) on the list or payload image pulls break
    allowedRegistries:
    - quay.io
    - registry.redhat.io
    - image-registry.openshift-image-registry.svc:5000
    - registry.example.com:5000
    # insecureRegistries only relaxes TLS verification for a registry; when
    # allowedRegistries is set, a registry must also appear there to be usable
    insecureRegistries:
    - registry.ocp.home.lab:8443
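Added example (not part of the original note): a small evaluator that approximates what the cluster enforces from the policy above, so a set of image references lifted from manifests can be audited before the policy is applied. It assumes that an unqualified reference such as `debian` resolves to docker.io and that `*.example.com` wildcard entries match by domain suffix; the sample image list is constructed. It also makes two consequences of the snippet visible: `registry.ocp.home.lab:8443` is blocked because it is only in `insecureRegistries`, and the `image: debian` used further down in the Deployment snippet would be blocked too.

```python
"""Evaluate image references against a registrySources policy (added example)."""

# Constructed copy of the policy in the snippet above
ALLOWED_REGISTRIES = [
    "quay.io",
    "registry.redhat.io",
    "image-registry.openshift-image-registry.svc:5000",
    "registry.example.com:5000",
]
INSECURE_REGISTRIES = ["registry.ocp.home.lab:8443"]

# Assumption: references without a registry component resolve to docker.io
DEFAULT_REGISTRY = "docker.io"


def registry_of(image: str) -> str:
    """Return the host[:port] part of an image reference.

    The first path component counts as a registry only if it looks like a
    host (contains a dot or a port, or is 'localhost'); otherwise the
    reference is unqualified, e.g. 'debian' or 'library/nginx'.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def _matches(registry: str, pattern: str) -> bool:
    """Exact host match, or '*.example.com'-style wildcard on the domain (assumed semantics)."""
    if pattern.startswith("*."):
        return registry.endswith(pattern[1:])
    return registry == pattern


def evaluate(image, allowed=ALLOWED_REGISTRIES, insecure=INSECURE_REGISTRIES):
    """Classify one image reference: 'blocked', 'allowed' or 'allowed-insecure'."""
    registry = registry_of(image)
    if not any(_matches(registry, p) for p in allowed):
        return "blocked"           # allowedRegistries denies everything not listed
    if any(_matches(registry, p) for p in insecure):
        return "allowed-insecure"  # pulled, but without TLS verification
    return "allowed"


def audit(images, **policy):
    """Map every image reference to its verdict under the given (or default) policy."""
    return {img: evaluate(img, **policy) for img in images}


# Constructed sample of image references as they might appear in manifests
SAMPLE_IMAGES = [
    "quay.io/argoproj/argocd:latest",
    "registry.redhat.io/ubi9/ubi:latest",
    "image-registry.openshift-image-registry.svc:5000/test-ns/app:1.0",
    "registry.ocp.home.lab:8443/lab/tool:dev",
    "debian",
]

if __name__ == "__main__":
    for image, verdict in audit(SAMPLE_IMAGES).items():
        print(f"{verdict:16} {image}")
```

Run it over the image references in your own manifests; every `blocked` line is a pull that will fail once the policy is live, and every `allowed-insecure` line is a registry whose TLS is not being verified.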

Security Context

# Check which SCC the deployment's pod spec requires
oc get deployment/argocd-redis -o yaml | oc adm policy scc-subject-review -f -

# Create a dedicated service account
oc create sa argocd-sa

# Grant the created service account the SCC it needs (nonroot-v2 here, not anyuid or privileged)
oc adm policy add-scc-to-user nonroot-v2 -z argocd-sa

# Assign the service account to the deployment
oc set sa deploy argocd-redis argocd-sa

OCP OAuth LDAP Configuration

spec:
  identityProviders:
    - ldap:
        attributes:
          email:
            - userPrincipalName
          id:
            - distinguishedName
          name:
            - givenName
          preferredUsername:
            - sAMAccountName
        bindDN: 'CN=ldapadmin,CN=Users,DC=punydev,DC=me'
        bindPassword:
          name: ldap-bind-password-phm6r   # Secret in openshift-config holding the bind password
        # insecure: true means no TLS at all (ldap:// is not upgraded to StartTLS), so the
        # bind password and user logins cross the network in cleartext; use ldaps:// or
        # insecure: false plus a ca ConfigMap when the directory uses a private CA
        insecure: true
        url: 'ldap://ad.punydev.me:389/dc=punydev,dc=me?sAMAccountName'
      mappingMethod: claim
      name: ActiveDirectory
      type: LDAP

OCP OAuth OpenID Configuration

spec:
  identityProviders:
    - mappingMethod: claim
      name: ADFS
      openID:
        ca:
          name: openid-ca-f9r8v
        claims:
          email:
            - email
          name:
            - name
          preferredUsername:
            - preferred_username
        clientID: adfs-keycloak
        clientSecret:
          name: openid-client-secret-pgdls
        extraScopes: []
        issuer: 'https://some-issuer-url.ocp.home.lab/issuer'
      type: OpenID

- Change mappingMethod to `lookup` when configuring in HostedCluster
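Added example covering both OAuth snippets above (LDAP and OpenID); it is not part of the original note. The two identityProviders are embedded as dicts (copied from the snippets), and the linter reports the settings a reviewer would flag before applying them: the LDAP `insecure: true`, an OpenID issuer that is not https, a missing client secret or CA reference, and, when `hosted_cluster=True`, a `mappingMethod` other than `lookup`, which is the note's own HostedCluster rule. Severity labels and message wording are this example's choices, not anything the OAuth operator emits.

```python
"""Lint OAuth identityProviders for weak transport and mapping settings (added example)."""
from urllib.parse import urlparse

# Constructed copies of the two providers from the snippets above
LDAP_IDP = {
    "name": "ActiveDirectory",
    "type": "LDAP",
    "mappingMethod": "claim",
    "ldap": {
        "url": "ldap://ad.punydev.me:389/dc=punydev,dc=me?sAMAccountName",
        "bindDN": "CN=ldapadmin,CN=Users,DC=punydev,DC=me",
        "bindPassword": {"name": "ldap-bind-password-phm6r"},
        "insecure": True,
        "attributes": {"id": ["distinguishedName"], "preferredUsername": ["sAMAccountName"]},
    },
}
OPENID_IDP = {
    "name": "ADFS",
    "type": "OpenID",
    "mappingMethod": "claim",
    "openID": {
        "issuer": "https://some-issuer-url.ocp.home.lab/issuer",
        "clientID": "adfs-keycloak",
        "clientSecret": {"name": "openid-client-secret-pgdls"},
        "ca": {"name": "openid-ca-f9r8v"},
        "claims": {"preferredUsername": ["preferred_username"], "email": ["email"], "name": ["name"]},
    },
}


def _lint_ldap(cfg):
    findings = []
    scheme = urlparse(cfg.get("url", "")).scheme
    if scheme not in ("ldap", "ldaps"):
        findings.append(("high", f"unexpected LDAP URL scheme {scheme!r}"))
    if cfg.get("insecure"):
        # insecure: true means no TLS at all, so the bindDN password and every
        # user's login credentials cross the network in cleartext
        findings.append(("high", "insecure: true disables TLS for the LDAP connection"))
    elif scheme == "ldap" and "ca" not in cfg:
        findings.append(("info", "ldap:// is upgraded to TLS and verified against the system CA bundle; set ca for a private CA"))
    if cfg.get("bindDN") and not cfg.get("bindPassword", {}).get("name"):
        findings.append(("high", "bindDN set without a bindPassword secret reference"))
    return findings


def _lint_openid(cfg):
    findings = []
    issuer = urlparse(cfg.get("issuer", ""))
    if issuer.scheme != "https":
        findings.append(("high", "issuer must use https"))
    if issuer.query or issuer.fragment:
        findings.append(("high", "issuer must not carry a query string or fragment"))
    if not cfg.get("clientSecret", {}).get("name"):
        findings.append(("high", "clientSecret secret reference missing"))
    if "ca" not in cfg:
        findings.append(("info", "no ca set; issuer certificate is verified against the system CA bundle"))
    return findings


def lint_idp(idp, hosted_cluster=False):
    """Return (severity, message) findings for one identityProvider entry."""
    checkers = {"LDAP": ("ldap", _lint_ldap), "OpenID": ("openID", _lint_openid)}
    findings = []
    kind = idp.get("type")
    if kind in checkers:
        key, check = checkers[kind]
        findings.extend(check(idp.get(key, {})))
    # The note's own rule: use lookup rather than claim on a HostedCluster
    if hosted_cluster and idp.get("mappingMethod") != "lookup":
        findings.append(("warn", f"mappingMethod {idp.get('mappingMethod')!r}; use 'lookup' in a HostedCluster"))
    return findings


def lint_oauth(spec, hosted_cluster=False):
    """Lint every provider in an OAuth spec; returns {provider name: findings}."""
    return {idp["name"]: lint_idp(idp, hosted_cluster) for idp in spec.get("identityProviders", [])}


if __name__ == "__main__":
    for name, findings in lint_oauth({"identityProviders": [LDAP_IDP, OPENID_IDP]}).items():
        print(name, findings or "ok")
```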
DaemonSet/Deployment Node Env

env:
 - name: WAZUH_MANAGER_IP
   value: 172.18.0.4
 # Downward API: inject the name of the node the pod is scheduled on, so each
 # DaemonSet pod registers its agent under its own node's name
 - name: WAZUH_AGENT_NAME
   valueFrom:
     fieldRef:
       apiVersion: v1
       fieldPath: spec.nodeName

ServiceMonitor

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: prometheus-triton-monitor
  namespace: test-ns
spec:
  endpoints:
  - interval: 30s
    port: web
    scheme: http
  selector:
    matchLabels:
      app: prometheus-example-app

The endpoint `port` in the ServiceMonitor above is a port name, not a number; it must match the `name` of a port defined in the Service the ServiceMonitor selects, or nothing is scraped.
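Added example (not from the original note): a dry run of the matching the Prometheus Operator performs, using the ServiceMonitor above and three constructed Services. It shows the two silent failure modes: a Service whose labels match but whose port is named differently never resolves the `web` endpoint, and without a `namespaceSelector` a ServiceMonitor only selects Services in its own namespace. Only `matchLabels` is handled here; `matchExpressions` and `targetPort` endpoints are left out.

```python
"""Check which Services a ServiceMonitor selects and whether its port names resolve (added example)."""

# Copy of the ServiceMonitor above
SERVICE_MONITOR = {
    "metadata": {"name": "prometheus-triton-monitor", "namespace": "test-ns"},
    "spec": {
        "endpoints": [{"interval": "30s", "port": "web", "scheme": "http"}],
        "selector": {"matchLabels": {"app": "prometheus-example-app"}},
    },
}

# Constructed Services: one correct, one with a mismatched port name, one in another namespace
SERVICES = [
    {   # correct: same namespace, matching label, port named "web"
        "metadata": {"name": "prometheus-example-app", "namespace": "test-ns",
                     "labels": {"app": "prometheus-example-app"}},
        "spec": {"ports": [{"name": "web", "port": 8080, "targetPort": 8080}]},
    },
    {   # selected by label, but its port is named "http", so endpoint "web" never resolves
        "metadata": {"name": "other-app", "namespace": "test-ns",
                     "labels": {"app": "prometheus-example-app"}},
        "spec": {"ports": [{"name": "http", "port": 8080}]},
    },
    {   # right label and port, wrong namespace: ignored without a namespaceSelector
        "metadata": {"name": "prometheus-example-app", "namespace": "other-ns",
                     "labels": {"app": "prometheus-example-app"}},
        "spec": {"ports": [{"name": "web", "port": 8080}]},
    },
]


def _namespace_selected(sm, namespace):
    """namespaceSelector semantics: any, matchNames, or (default) the ServiceMonitor's own namespace."""
    sel = sm["spec"].get("namespaceSelector", {})
    if sel.get("any"):
        return True
    if sel.get("matchNames"):
        return namespace in sel["matchNames"]
    return namespace == sm["metadata"]["namespace"]


def selected_services(sm, services):
    """Services in scope whose labels carry every matchLabels pair."""
    wanted = sm["spec"].get("selector", {}).get("matchLabels", {})
    return [
        svc for svc in services
        if _namespace_selected(sm, svc["metadata"]["namespace"])
        and all(svc["metadata"].get("labels", {}).get(k) == v for k, v in wanted.items())
    ]


def resolve_endpoints(sm, services):
    """Return {'ns/name': {endpoint port name: resolves?}} for every selected Service."""
    result = {}
    for svc in selected_services(sm, services):
        port_names = {p.get("name") for p in svc["spec"].get("ports", [])}
        key = f"{svc['metadata']['namespace']}/{svc['metadata']['name']}"
        result[key] = {ep["port"]: ep["port"] in port_names
                       for ep in sm["spec"]["endpoints"] if "port" in ep}
    return result


def scrape_targets(sm, services):
    """Selected Services on which at least one endpoint port name resolves."""
    return sorted(k for k, ports in resolve_endpoints(sm, services).items() if any(ports.values()))


if __name__ == "__main__":
    for key, ports in resolve_endpoints(SERVICE_MONITOR, SERVICES).items():
        print(key, ports)
    print("scraped:", scrape_targets(SERVICE_MONITOR, SERVICES))
```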

Reference

Kubernetes Snippets

Use arg and cmd in Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  replicas: 1
  selector:
    matchLabels:
      purpose: demonstrate-command
  template:
    metadata:
      labels:
        purpose: demonstrate-command
    spec:
      containers:
      - name: command-demo-container
        image: debian
        # command replaces the image ENTRYPOINT, args replaces its CMD
        command: ["/bin/sh"]
        args: ["-c", "sleep infinity"]

Drain Nodes

# --disable-eviction bypasses PodDisruptionBudgets and --force deletes pods not managed by a controller, so expect disruption
oc adm drain <node> --delete-emptydir-data --disable-eviction --ignore-daemonsets --force

Linux Snippets

Configure trust store in Ubuntu/Debian

  1. Install the ca-certificates package
     apt install ca-certificates -y
  2. Copy the certificate to the trust store
     sudo cp rootCA.crt /etc/ssl/certs/rootCA.crt
  3. Update the trust store
     sudo update-ca-certificates
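Added example, not part of the original note: a check to run after step 3. `update-ca-certificates` rebuilds `/etc/ssl/certs/ca-certificates.crt` from the `.crt` files under `/usr/local/share/ca-certificates` and the entries enabled in `/etc/ca-certificates.conf`, so the way to know whether your root was actually picked up is to compare certificate fingerprints against that bundle. The code parses PEM blocks with the standard library only; the bundle path is the Debian/Ubuntu default, and the sample certificates are constructed byte strings wrapped as PEM, not real X.509 data.

```python
"""Confirm a CA certificate is present in the system bundle (added example)."""
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
BUNDLE_PATH = Path("/etc/ssl/certs/ca-certificates.crt")  # Debian/Ubuntu default


def der_bodies(pem_text):
    """Decode every PEM certificate block in the text to its DER bytes."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_contains(bundle_text, cert_text):
    """True if every certificate in cert_text appears (by fingerprint) in bundle_text."""
    present = {fingerprint(d) for d in der_bodies(bundle_text)}
    wanted = [fingerprint(d) for d in der_bodies(cert_text)]
    return bool(wanted) and all(fp in present for fp in wanted)


def check_installed(cert_path, bundle_path=BUNDLE_PATH):
    """Read both files from disk and report whether the CA is trusted system-wide."""
    return bundle_contains(Path(bundle_path).read_text(), Path(cert_path).read_text())


def _fake_pem(payload):
    """Wrap arbitrary bytes as a PEM block (constructed test data, not a real certificate)."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample data: a "root CA" and a bundle that does and does not contain it
ROOT_CA = _fake_pem(b"constructed root CA body for the example")
OTHER_CA = _fake_pem(b"some other trusted CA")
BUNDLE = OTHER_CA + ROOT_CA

if __name__ == "__main__":
    print("fingerprint:", fingerprint(der_bodies(ROOT_CA)[0]))
    print("rootCA in sample bundle:", bundle_contains(BUNDLE, ROOT_CA))
    # On a real host: check_installed("rootCA.crt")
```

On a real host, `check_installed("rootCA.crt")` returning False after step 3 means the file was not in a directory `update-ca-certificates` scans, and OpenSSL clients will still reject the chain.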