oc extract secret/secret-name # All files
oc extract secret/secret-name --keys=my-file # Specific filesoc set data secret/secret-name --from-file my-file=my-local-fileoc get deployment -n some-namespace -l app=some-app# Basic
oc get deployment some-app -o jsonpath='{.metadata.name}'
# Get specific item from list/array
oc get deployment some-app -o jsonpath='{.status.conditions[0].type'
# Loop through list/array
oc get deployment some-app -o jsonpath='{.status.conditions[*].type'
# Filter items in list
oc get deployment some-app -o jsonpath='{.status.conditions[?(@.type=="Available")].status}'NOTE: Personally I think it's easier to filter outside of oc in a script but 🤷♂️
- It's easiest to copy an existing Role/ClusterRole, modify it, and save it as your own
- Use the web console to make RoleBindings/ClusterRoleBindings
- Alternatively use
oc policy add-role-to-userwith the-zflag for service accounts - Don't write YAML for RoleBindings (unless you hate yourself)
- Examples in the OpenShift docs are in the Nodes section under Running tasks in pods using jobs
oc create cronjob pi --image=perl --schedule='*/1 * * * *' -- perl -Mbignum=bpi -wle 'print bpi(2000)'You can put a script in a job like this:
spec:
template:
spec:
containers:
- name: whatever
command: ["/bin/sh", "-c"]
args:
- "oc get pods --all-namespaces
| sort
| uniq"# Get the route for the oauth server
oc get route -n openshift-authentication
# This command will prompt for password
curl -k -u admin "https://<host-from-route-above>/oauth/authorize?client_id=openshift-challenging-client&response_type=token"This is the method the DO380 course recommends, but more than likely this method won't work in a real environment because your cluster should be set up with external authentication (SSO, OIDC, etc.), not htpasswd.
What you should do instead is:
- Go to OpenShift console
- Select "Generate Login Command" (or whatever it's called)
- Log in if needed
- Grab the token shown
If it's an automated task, it should use a service account and the token assigned to a service account.
curl -k \
-H "Authorization: Bearer sha256~TOKEN" \
https://api.cluster.domain:6443/openapi/v2 | jq
oc get whatever -v 6 # Verbosity level 6 will print the API endpoint being called
- When in doubt,
ansible-doc <whatever-module>(This is good advice for all things Ansible)
- name: Log in to OpenShift
hosts: localhost
tasks:
- name: Get access token for admin user
redhat.openshift.openshift_auth:
host: https://api.cluster.domain:6443
username: admin
password: admin
register: auth_results
- name: Do something
hosts: localhost
module_defaults:
group/redhat.openshift.openshift:
namespace: some-namespace
api_key: "{{ auth_results['openshift_auth']['api_key'] }}"
host: https://api.cluster.domain.com:6443
group/kubernetes.core.k8s:
namespace: some-namespace
api_key: "{{ auth_results['openshift_auth']['api_key'] }}"
host: https://api.cluster.domain.com:6443If you need to install an operator from YAML, the easiest way is to install through OperatorHub, grab the YAML it creates, and add that to your automation.
If the operator is installed to "All Namespaces", it will create a Subscription in the "openshift-operators" namespace.
If the operator is installed to a specific namespace, it will create an OperatorGroup and a Subscription in the targeted namespace.
NOTE: Some operators (like OpenShift GitOps) manage a specific namespace but are installed to "All Namespaces".
Jenkins is deployed from an OpenShift template in the openshift namespace!
oc get tempalte -n openshift | grep jenkinsoc process jeknins-peristent --paramters -n openshiftoc new-app --template jenkins-persistentself-provisioner is the role that allows users to create projects.
oc adm policy add-cluster-role-to-user self-provisioner -z jenkins- Open Jenkins UI
- Select Manage Jenkins on left sidebar
- Scroll down to Manage Nodes and Clouds
- Select Configure Clouds on the left sidebar
- Under the Kubernetes cloud named openshift, select Pod Templates...
- Find the Pod Template your build will use (nodejs, java, maven, etc.)
- Add an environment variable
- Key:
GIT_SSL_CAINFO - Value:
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- Key:
- Select Save at the bottom
- Open Jenkins UI
- Select your user in the top left
- Select Configuration on the left sidebar
- Under API token, select Add new token
- Give the token an name and select Generate
# Get the route for the Jenkins server
oc get route -n <jenkins-namespace>
# Replace jenkins-route, project-name, username, and token
curl "https://<jenkins-route>/job/<project-name>/job/main/lastBuild/api/json" \
--user "<username>:<token>"- Examples in the OpenShift docs are in the Builds section under Using Build Strategies.
oc api-resources- Return resources available to OpenShift (Including CRDs)oc api-versions <resource>- Return versions of resourcesoc explain <resource>- Return details on a resource's expected fields
Kustomize is barely mentioned in the OCP docs. I have no idea if they give the Kustomize open-source docs in the exam environment.
oc kustomize # Current directory
oc kustomize my-dir # Another directoryoc apply -k . # Current directory
oc apply -k my-dir # Another directoryCreate secrets from files:
# kustomize.yaml
resources:
- whatever.yaml
secretGenerator:
- name: htpasswd
namespace: openshift-config
files:
- htpasswd=my-file.htpasswd
generatorOptions:
disableNameSuffixHash: true