Managing Your OpenShift Cluster Securely and Efficiently

MorningSpace
3 min read · Jul 6, 2021

The Problem

Have you ever been in a situation, as I have, where you work with many OpenShift clusters at the same time, and each cluster needs its own login credential, such as a username and password or a token, to access it? For security reasons, the session you get when you first log into a cluster expires after a certain period of time, and then you have to log in to the cluster again with the same credential.

Worse still, in the typical case where the clusters are all short-lived instances reserved from a pool, you can have many such clusters spun up from the pool, with access information such as the server address and the password all generated randomly. That is very hard to remember. As a result, you have to write it down somewhere, for example in a text note, which is insecure. And since the clusters are short-lived, the access information quickly goes out of date, so maintaining such an access list manually is of little value.

The Enhanced Version of OpenShift CLI

Here I'd like to share with you my solution to this problem: the enhanced OpenShift CLI.

If you work on OpenShift clusters, you probably know the OpenShift CLI (or oc) very well. It is the command line tool used to manage an OpenShift cluster, just as kubectl manages a vanilla Kubernetes cluster.

The enhanced OpenShift CLI (or oc) is not a replacement for the original oc. It is essentially a shell on top of the original oc. Using the enhanced oc, you can manage a very large number of clusters both securely and efficiently.

The enhanced oc supports all the original oc commands and their options plus some additional cool features:

  • Log in to a cluster with its full context information provided only once, then use an alias to re-login at any time.
  • Organize many clusters hierarchically and switch among them efficiently, with partial input, fuzzy search and a nice shell prompt.
  • Share cluster context information with your team members for large scale projects and team collaboration.

All the magic underlying the enhanced OpenShift CLI is that it uses gopass, the password manager written in Go, to save the cluster access information into a secret store, then maps that to a human-memorable alias. It also wraps the original oc in a shell script so that it can modify the oc input arguments, allowing you to specify the alias when logging in to a cluster.

Moreover, the enhanced oc can do even more thanks to some natural characteristics of gopass. For example:

  • gopass organizes secrets hierarchically using files and folders: this allows us to manage cluster access information hierarchically to support a very large number of clusters.
  • gopass supports non-exact matches when looking up a secret in the secret store by name: this allows us to support partial input and fuzzy search when the user specifies the alias to log in to a cluster.
  • gopass creates the secret store as a git repository: this allows us to share the local secret store with a remote, so the cluster access information stored locally can also be accessed by other people remotely. It is great for team collaboration in a large scale project.
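As an added example (not code from the enhanced oc project) of the wrapper mechanism described in the two passages above: a POSIX shell sketch that intercepts `oc login <alias>`, resolves the alias to a gopass secret under an assumed `openshift/` prefix whose body has constructed `url:` and `token:` lines, and hands the real oc the stored server and token; `OC_BIN`, `GOPASS_BIN` and `SECRET_PREFIX` are hypothetical overrides. Because the alias is used as a gopass path, a hierarchical alias such as `team-a/dev` works without extra code.

```shell
#!/bin/sh
# Added example, not the enhanced-oc project's code. Assumes (constructed
# layout) that each cluster's access info lives in a gopass secret named
# "openshift/<alias>" whose body has "url: ..." and "token: ..." lines.
# OC_BIN / GOPASS_BIN are hypothetical overrides for the real binaries.

: "${OC_BIN:=oc}"
: "${GOPASS_BIN:=gopass}"
: "${SECRET_PREFIX:=openshift}"

# Read a "key: value" secret body on stdin and print the value for key $1.
secret_field() {
  sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Resolve an alias (may be hierarchical, e.g. "team-a/dev") through gopass,
# then log in with the stored server URL and token. The credential never
# lands in a plain-text note; it only goes to the real oc, which stores the
# resulting session in its kubeconfig as usual.
oc_login() {
  alias_name="$1"
  body=$("$GOPASS_BIN" show "$SECRET_PREFIX/$alias_name") || {
    echo "no secret found for alias '$alias_name'" >&2
    return 1
  }
  server=$(printf '%s\n' "$body" | secret_field url)
  token=$(printf '%s\n' "$body" | secret_field token)
  if [ -z "$server" ] || [ -z "$token" ]; then
    echo "secret for '$alias_name' lacks a url or token line" >&2
    return 1
  fi
  # As with plain "oc login --token", the token is briefly visible in local
  # process listings while oc runs.
  "$OC_BIN" login "$server" --token="$token"
}

# Entry point: intercept "oc login <alias>" only. A login given a URL, a
# flag or no argument, and every other command, goes to the real oc untouched.
oc_wrap() {
  if [ "$1" = "login" ]; then
    case "$2" in
      ""|-*|*://*) "$OC_BIN" "$@" ;;
      *) oc_login "$2" ;;
    esac
  else
    "$OC_BIN" "$@"
  fi
}
```

Source the file and alias `oc` to `oc_wrap` in your shell profile; an `oc login dev` then resolves `openshift/dev` in gopass, while `oc get pods` is passed through unchanged.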

Summary

This is the first post of the enhanced oc series. We discussed an interesting idea for managing OpenShift clusters in a secure and efficient way. This is done by a shell wrapping the oc command and leveraging gopass underneath. And due to the natural characteristics of gopass, it enables a lot of useful features, such as organizing cluster access information hierarchically, switching among clusters using partial input and fuzzy search, and sharing your cluster access information with your team members.

In the next post, I will show you how to install the enhanced oc and demonstrate some of its features.

The enhanced OpenShift CLI is an open source project I created on GitHub. If you like it, please consider giving it a star. You can also learn more about the project by reading its online documentation. Any contributions, such as bug reports and code submissions, are very welcome.


MorningSpace

Life is coding and writing! I am a software engineer who has been in the IT field for 10+ years. I would love to write beautiful code and stories for people.