Add more docs like config and marketplace

kubebb · Sep 11, 2023 · 1047600 · 1047600
1 parent 92183c2
commit 1047600
Show file tree

Hide file tree

Showing 20 changed files with 882 additions and 17 deletions.
diff --git a/docs/FAQ.md b/docs/FAQ.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 8
+sidebar_position: 12
 ---
 
 

diff --git a/docs/building-base/add-cluster.md b/docs/building-base/add-cluster.md
@@ -0,0 +1,26 @@
+---
+sidebar_position: 2
+---
+# 添加集群
+
+1. 为集群管理创建一个 namespace，可以使用 cluster-system，用来保存集群信息
+```
+kubectl create ns cluster-system
+```
+
+2. 获取添加集群的 token
+```
+export TOKENNAME=$(kubectl get serviceaccount/host-cluster-reader -n u4a-system -o jsonpath='{.secrets[0].name}')
+kubectl get secret $TOKENNAME -n u4a-system -o jsonpath='{.data.token}' | base64 -d
+```
+
+3. 登录管理平台，进入 “集群管理”，参考 [安装底座](../quick-start/buildingbase_quickstart.md)，点击“添加集群”。
+
+4. 输入集群名称，按需修改集群后缀，这里使用“API Token”方式接入集群。
+
+* API Host，使用支持 OIDC 协议的 K8s API 地址，可以通过 **kubectl get ingress -nu4a-system** 查看kube-oidc-proxy-server-ingress 对应的 Host 信息，比如 https://k8s.172.22.96.136.nip.io（注意结尾不要有 /）
+* API Token，输入第 2 步获取的 token 信息
+
+5. 添加成功后，可以在列表上看到集群信息及其状态；选择“租户管理”，会看到名称为 "system-tenant" 的一个系统租户
+
+
diff --git a/docs/building-base/configuration/_category_.json b/docs/building-base/configuration/_category_.json
@@ -1,6 +1,6 @@
 {
   "label": "自定义配置",
-  "position": 5,
+  "position": 3,
   "link": {
     "type": "generated-index",
     "description": "快速体验内置的配置能力，按需求进行服务门户的扩展"

diff --git a/docs/building-base/configuration/audit-config.md b/docs/building-base/configuration/audit-config.md
@@ -3,6 +3,11 @@ sidebar_position: 3
 ---
 
 # 配置审计能力
+
+:::tip
+注意，审计功能依赖对审计日志的采集功能，需要在集群设置中配置日志服务 ElasticSearch 的地址，日志服务的配置参考[日志组件](../component-market/logging.md)
+:::
+
 1、编辑 audit-policy.yaml 文件对审计进行配置，```kubectl edit cm audit-policy-conf -n u4a-system```
 
 按照以下模式进行定义：

diff --git a/docs/building-base/configuration/issue-oidc-proxy-certs.md b/docs/building-base/configuration/issue-oidc-proxy-certs.md
@@ -0,0 +1,83 @@
+---
+sidebar_position: 5
+---
+# 生成 oidc-proxy 的证书
+
+#### 使用场景：
+如果无法获取到 Kubernetes 的 ca 证书，可以通过以下方式颁发 kube-oidc-proxy 的证书
+
+#### 前提条件：
+OpenSSL tools
+Kubernetes cluster
+
+#### 具体步骤
+
+1. save the openssl.cnf
+
+[ req ]
+distinguished_name = dn
+[ dn ]
+CN = kube-oidc-proxy
+[ req_ext ]
+subjectAltName = @alt_names
+[ alt_names ]
+DNS.2 = kube-oidc-proxy
+DNS.3 = kube-oidc-proxy.addon-system
+DNS.4 = kube-oidc-proxy.addon-system.svc
+IP.1 = 172.22.99.227  # need update
+
+
+2.  generate the private key of oidc-proxy
+
+openssl genrsa -out server.key 2048
+
+
+3. generate the sever.csr of oidc-proxy
+
+openssl req -new \                                
+      -sha256 \
+      -key server.key \
+      -subj "/CN=kube-oidc-proxy" \
+      -reqexts req_ext \
+      -config openssl.cnf \
+      -out server.csr
+
+
+4. generate the base64 content of server.csr
+
+cat server.csr | base64 | tr -d "\n"
+
+
+5.  create certificateSigningRequest in kubernetes cluster for oidc-proxy
+
+the request value need to replace the output content generated by Step 4 
+
+
+```
+cat <<EOF | kubectl apply -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: myuser
+spec:
+  request: <need replace by the content generated by step 4>
+  signerName: kubernetes.io/kube-apiserver-client
+  usages:
+  - client auth
+EOF
+```
+
+6 approval the certificatesigningRequest
+
+kubectl certificate approve myuser
+
+
+7. get the certifcate of oidc-proxy issuer by kubernetes cluster
+
+kubectl get csr myuser -oyaml | grep certificate: | awk '{print $2}' |base64 -d > ./server.cert
+
+
+8. after the step above, you get the server.key and server.cert and can rename the server.key and server.cert that you want. you can create secret for oidc-proxy by command:
+
+kubectl create secret 
+
diff --git a/docs/component-market/_category_.json b/docs/component-market/_category_.json
@@ -0,0 +1,8 @@
+{
+  "label": "组件市场",
+  "position": 8,
+  "link": {
+    "type": "generated-index",
+    "description": "检索可用的服务组件，加入自己的服务门户"
+  }
+}
diff --git a/docs/component-market/blockchain.md b/docs/component-market/blockchain.md
@@ -0,0 +1,12 @@
+---
+sidebar_position: 4
+---
+
+# 区块链 - 联盟链
+
+区块链组件目前还没有完成组件化，但是依然可以基于底座Kit进行部署，详细参考 [bestchains 平台安装](https://bestchains.github.io/website/docs/QuickStart/installation#2-%E5%AE%89%E8%A3%85-baas-component)。
+
+- 注意修改 scripts/e2e.sh 中国呢 ingressNode，kubeProxyNode 的配置
+- 部署后即可在管理平台看到区块链相关菜单及功能
+
+bestchains 的详细使用，请参考[帮助文档](https://bestchains.github.io/website/)
diff --git a/docs/component-market/kubedashboard.md b/docs/component-market/kubedashboard.md
@@ -0,0 +1,104 @@
+---
+sidebar_position: 1
+---
+
+# kubedashboard 管理工具
+这里介绍一下如何基于 kubebb 的底座来部署 Kubernetes Dashboard，并使用统一的 OIDC 认证、单点登录及原生 Kubernetes RBAC 认证。
+
+* 工具代码地址：[kubernetes dashboard ](https://github.com/kubernetes/dashboard)
+
+* Prerequisite
+  - 部署 kubebb 的底座组件 u4a-component，提供基于 K8S 构建的基本的账号、认证、权限和审计功能。
+  - 获取部署组件
+  ```shell
+  $ git clone https://github.com/kubebb/addon-components.git
+  # 进入对应目录
+  $ cd kube-dashboard
+  ```
+
+### 安装 Kubernetes dashboard
+1. 编辑 values.yaml，按需要替换镜像地址，替换 `<replaced-` 开头的的属性值，其中 OIDC 的相关信息可以在 configmap中获取。
+
+```
+# 获取 OIDC client 相关配置
+kubectl edit cm oidc-server -n u4a-system
+# 记录 issuer，staticClients 的 id、secret 的值
+```
+修改 values.yaml
+```
+dashboard:
+  dashboardImage: hub.tenxcloud.com/addon_system/kube-dashboard:v2.7.0
+  proxyImage: hub.tenxcloud.com/addon_system/keycloak-gatekeeper:latest
+  metricsImage: hub.tenxcloud.com/addon_system/kube-dashboard-metrics-scraper:v1.0.8
+
+ingress:
+  class: portal-ingress
+  host: kubedashboard.<replaced-ingress-nginx-ip>.nip.io
+
+# You must check and update the value of each variable below
+kubeOidcProxy:
+  issuerUrl: <replaced-issuer-url> # https://portal.172.22.96.209.nip.io/oidc
+  clientId: <replaced-client-id>
+  clientSecret: <replaced-client-secret>
+  usernameClaim: preferred_username
+  groupClaim: groups
+  hostConfig:
+    enabled: true
+    hostAliases:
+    - hostnames:
+      # MUST update this value
+      - portal.<replaced-ingress-nginx-ip>.nip.io
+      ip: <replaced-ingress-nginx-ip>
+```
+
+2. 运行 helm 安装插件
+```
+# 如果需要，创建单独的 namespace 来部署此插件，比如 addon-system
+kubectl create ns addon-system
+# 部署 kube-dashboard 插件
+helm install kube-dashboard -n addon-system .
+```
+
+* Note: 此时，dashboard 的 pod 会处于 ContainerCreating 的状态，这是因为缺少所依赖的配置文件，接下来我们需要准备此配置文件。
+
+3. 创建 kube-dashboard 所需要的 kubeconfig 文件, 以便 kube-dashboard 可以使用统一的 kube-oidc-proxy 进行认证，同时，也需要在配置中使用正确的证书和连接 token 信息
+```
+# copy the kubeconfig template
+$ cp sample-kubeconfig kubeconfig
+# edit kubeconfig file to use the correct cluster.certificate-authority-data, cluster.server, user.token
+
+# Step 1
+$ export CLUSTER_CA=$(kubectl get secret -n u4a-system oidc-server-root-secret -o jsonpath='{.data.ca\.crt}')
+$ use the value from $CLUSTER_CA to replace cluster.certificate-authority-data(<certificate-authority-data>) in kubeconfig file
+
+# Step 2
+$ export USER_TOKEN_NAME=$(kubectl -n addon-system get serviceaccount kubernetes-dashboard -o=jsonpath='{.secrets[0].name}')
+$ export USER_TOKEN_VALUE=$(kubectl -n addon-system get secret/${USER_TOKEN_NAME} -o=go-template='{{.data.token}}' | base64 --decode)
+# use the value from $USER_TOKEN_VALUE to replace user.token(<user-token>) in kubeconfig file
+
+# Step 3 replace cluster.server(<cluster-server>) with the address of kube-oidc-proxy
+
+# Step 4 create the configmap
+$ kubectl create cm dashboard-kubeconfig --from-file=kubeconfig -n addon-system
+```
+
+4. 重启 kube-dashboard
+```
+$ kubectl delete pod -n addon-system $(kubectl  get pod -n addon-system | grep kubernetes-dashboard | awk '{print $1}')
+```
+
+5. 在 OIDC 服务中添加 kube-dashboard 的 callback 地址.
+```
+$ kubectl edit cm oidc-server -n u4a-system
+# find redirectURIs and add a new redirect url 'https://<kubedashboard-host-name>/oauth/callback'
+```
+
+6. 使用 `kubedashboard.<replaced-ingress-nginx-ip>.nip.io` 地址访问 kube-dashboard. 如果处于未登录状态，会被重定向到统一的认证服务进行登录，成功登录后即刻携带授权的 token 回到 kube-dashboard 进行正常使用了。
+
+7. 可以通过给登录的用户授权不同的 RBAC 策略，来验证是否只有授权的资源才能被该用户访问。
+
+### Uninstall
+通过 helm uninstall 来卸载该插件
+```
+helm uninstall kube-dashboard -n addon-system
+```
diff --git a/docs/component-market/kubelogin.md b/docs/component-market/kubelogin.md
@@ -0,0 +1,101 @@
+---
+sidebar_position: 5
+---
+
+# 使用 kubelogin 工具
+Here is the steps about how to install kubelogin to integrate with OIDC server for kubectl tool, so you can do authentication with Kubernetes.
+
+* Refer to [kubelogin](https://github.com/int128/kubelogin) for details.
+* Prerequisite
+Install u4a-component and it'll provide the account, authentication, authorization and audit funcationality built on Kubernetes.
+
+### Install kubelogin
+Get the binary here [download](https://github.com/int128/kubelogin/releases) and download the one matching your OS.
+
+Then you need to put the kubelogin binary on your path under the name kubectl-oidc_login so that the kubectl plugin mechanism can find it when you invoke kubectl oidc-login.
+
+### Prepare kubeconfig file
+1. Backup your original config file under ~/.kube/config and create a new one.
+```
+$ cd ~/.kube
+$ cp config config_backup
+$ kubectl config set-credentials oidc \
+	  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+	  --exec-command=kubectl \
+	  --exec-arg=oidc-login \
+	  --exec-arg=get-token \
+	  --exec-arg=--oidc-extra-scope=email \
+	  --exec-arg=--oidc-extra-scope=profile \
+	  --exec-arg=--oidc-issuer-url=https://portal.172.22.96.209.nip.io/oidc \
+	  --exec-arg=--oidc-client-id=bff-client \
+	  --exec-arg=--oidc-client-secret=61324af0-1234-4f61-b110-ef57013267d6 \
+	  --exec-arg=--insecure-skip-tls-verify
+```
+
+2. Point the cluster to kube-oidc-server or k8s-apiserver if oidc is enabled.
+```
+- cluster:
+    certificate-authority-data: ....
+    server: https://172.22.96.133 # Update this value
+  name: cluster-name
+```
+
+3. Add `http://localhost:8000` as a valid redirect URL of your OIDC server, so it can redirect to local server after successful login.
+
+4. Switch current context to oidc
+```
+$ kubectl config set-context --current --user=oidc
+```
+Run `kubectl get nodes`, kubectl executes kubelogin before calling the Kubernetes APIs. Kubelogin automatically opens the browser, and you can log in to the provider.
+
+After successful login, you'll get a `Authenticated` response.
+
+5. If you get `Unable to connect to the server: x509: certificate signed by unknown authority` error after `kubectl get nodes`. Remove certificate-authority-data, and add insecure-skip-tls-verify as true.
+```
+- cluster:
+    # certificate-authority-data: ....
+    server: https://172.22.96.133
+    insecure-skip-tls-verify: true # Add it here
+  name: cluster-name
+```
+You can also use a valid certificate data, for example:
+```
+export CLUSTER_CA=$(kubectl get secret -n u4a-system oidc-proxy-cert-tls -o jsonpath='{.data.ca\.crt}')
+# Use the data from CLUSTER_CA and set to certificate-authority-data
+```
+Then you can run any kubectl using the logged in user, Kubernetes RBAC and audit will take effect for the user.
+
+### Get id token from cached file
+The id_token will be cached in ~/.kube/cache/oidc-login/\<cahced-file\>, you can use `cat` to get the content and token from this file. For example:
+```
+{"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjBkMzEyM2U1MWIxN2IzZTNlNDYzNjgxZTMzZTFkOTNkM2RiY2IwZDkifQ.eyJpc3MiOiJodHRwczovL3BvcnRhbC4xNzIuMjIuOTYuMjA5Lm5pcC5pby9vaWRjIiwic3ViIjoiQ2dWaFpHMXBiaElHYXpoelkzSmsiLCJhdWQiOiJiZmYtY2xpZW50IiwiZXhwIjoxNjc0MzU3OTU0LCJpYXQiOjE2NzQyNzE1NTQsIm5vbmNlIjoiVHhJVlE4VlFINW9PTGtLeGV1ekk3VWp3VVU0WUYyOEQ1N18xLWVpVWEtVSIsImF0X2hhc2giOiJOamZKZWJ1Ry1uUlVlWDJNY2dfZzVRIiwiY19oYXNoIjoiQWVQdUtsTmN5RjgyTy1xWFFqUzEwdyIsImVtYWlsIjoiYWRtaW5AdGVueGNsb3VkLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiYWRtaW4iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsInBob25lIjoiIiwidXNlcmlkIjoiYWRtaW4ifQ.YtmRZbS7-B0s0vVh9myH1FYcWuKoKNNYkPZQ5asbrQE2n8eC7w74n8D7pvM6v44kvBnp27hNOeo06EK4leNR2Inb2UJtd2QBS1L9i4A3V_vm06o4DkvqfyNcbD7-hL6ES0XkzIKimG3WMMJIznvuA71W_88t77U7jC7wvtKbT7k1KZWgOV6VappWlz7uecuBSQahoCku5AO-s25H1O-FbodOYtL8-ju0sqiHrgmbNaV-f6Wuvvk9XkquAe_dztqWCJ0axfUW7u4J-M947mlR1JlWwbhm-nQXgvugyMVh3FjFOjwi7jR3BA3Me-iuS_XPNSWx-DB0dfsCfErCJ9DvBA"}
+```
+
+### Get id token using username/password
+1. Enable passwordConnector in the oidc-server configuration
+```
+# kubectl edit cm oidc-server -n u4a-system
+    oauth2:
+      # Enable this one
+      passwordConnector: k8scrd
+      skipApprovalScreen: true
+```
+2. Get id token using kubelogin or curl
+
+* kubelogin
+```
+kubelogin get-token --oidc-issuer-url=https://portal.172.22.96.209.nip.io/oidc --oidc-client-id=bff-client --oidc-client-secret=61324af0-1234-4f61-b110-ef57013267d6 --insecure-skip-tls-verify --grant-type=password --username=admin --password=admiN\$123
+
+# here is the response, get the token from the json
+{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"2023-02-11T04:37:32Z","token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImY2ZjFjMjFkNzFhOGEyYmU3ZTg2YjQyYWIwOTYwY2MxNzU3NjdiM2MifQ.eyJpc3MiOiJodHRwczovL3BvcnRhbC4xNzIuMjIuOTYuMjA5Lm5pcC5pby9vaWRjIiwic3ViIjoiQ2dWaFpHMXBiaElHYXpoelkzSmsiLCJhdWQiOiJiZmYtY2xpZW50IiwiZXhwIjoxNjc2MDkwMjUyLCJpYXQiOjE2NzYwMDM4NTIsImF0X2hhc2giOiJyLWtsUnBQcEd3U0I5TFQyelVQSWtRIiwicGhvbmUiOiIifQ.tFOmGN1w79I_s5pWZZK4zEEHwCyuJRwkNtacmxVcCY-Jms-JOzXUJTxnNm8XzIBC3cZqt5U6oNXMuk68MHq0v3g2tQKJeAwV1aojJrIIp5QHefXMUjl_hTaFe1tRgwsvZqBWhExLi1yaTSUfjmP_SZEb23A0R_AWvc7ClO7sbuKQlkPG_gi2TPCBOeTx0UmlQ14w6U3dIJhR57hXfttdSr2nRqKma8bp_jAiUiWaKLSWSyc3tQsxWl7LeAAbRM3URx-3winVIEPEpUgwIBXnrr-ba9BZwZoD5NGytOGw4xA80eGDmmMIG8U2QarJKsZErpzS7EWbiPBLgS2_Wg1eBA"}}
+```
+* curl
+```
+curl -k -XPOST https://portal.172.22.96.209.nip.io/oidc/token -H "Authorization: Basic <base64 of oidc-client-id:oidc-client-secret>" -H "Content-Type: application/x-www-form-urlencoded"  --data 'grant_type=password&password=password&scope=openid&username=username'
+
+# here is the response, and get id_token from the json
+{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImY2ZjFjMjFkNzFhOGEyYmU3ZTg2YjQyYWIwOTYwY2MxNzU3NjdiM2MifQ.eyJpc3MiOiJodHRwczovL3BvcnRhbC4xNzIuMjIuOTYuMjA5Lm5pcC5pby9vaWRjIiwic3ViIjoiQ2dWaFpHMXBiaElHYXpoelkzSmsiLCJhdWQiOiJiZmYtY2xpZW50IiwiZXhwIjoxNjc2MDkyOTk0LCJpYXQiOjE2NzYwMDY1OTQsImF0X2hhc2giOiJtM2xsQWprUXdlQnhJbUJlQkgxRG1RIiwicGhvbmUiOiIifQ.iel5l_mzlVf2LjbMqzqXb3sqb7L195a-fY4Aaon2_CVn1lBMzOf2qDYbtVF3KhGHxNlaKRxig63uCDfyts84BMD5-Uaz_x4_mq5QaMVYVYEUw9NWsLP-jQ0bTSZE7MZKlxz_a3AGW_fXwW0Y02dqemugBfC3IagBhroYI2PSTKcNCCQz2aao-ZSQ5-rysKSyo0VPDtcY_K8ikpDChLM9GhUKzbdIvctO6mGBOOKHRkiCAbRegOCFhJ6-0O4k6b-m3rXyJkQAIBfesOPIAFxhQQhg3y9wDEVxbBTZ99fwfvfIuSxN_vsITKCsqpRr7t-30jqReIKsYktyzZ15jiJhKg","token_type":"bearer","expires_in":86399,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImY2ZjFjMjFkNzFhOGEyYmU3ZTg2YjQyYWIwOTYwY2MxNzU3NjdiM2MifQ.eyJpc3MiOiJodHRwczovL3BvcnRhbC4xNzIuMjIuOTYuMjA5Lm5pcC5pby9vaWRjIiwic3ViIjoiQ2dWaFpHMXBiaElHYXpoelkzSmsiLCJhdWQiOiJiZmYtY2xpZW50IiwiZXhwIjoxNjc2MDkyOTk0LCJpYXQiOjE2NzYwMDY1OTQsImF0X2hhc2giOiJRT3NNWGdSeDRYaUJJTVZwSElXeUlRIiwicGhvbmUiOiIifQ.ZDU7AouftfpLAs2SDE3Kb86ggVyDEwrgA3jtUxitKUQwKqosjWiaEEGc3w824FAC3eDZhFr1w5uXT6R30O2s0DPzPb0nesDN8wa2ZscU9ESjZrKAAgpgM7uE1vU41mi7GfdZEUHabx83XFvu69KvmA9OKnqaSdyi3-aPYHyBP5GfNYoQ-mteCBsAbRF8l6fe1VREIYV3sQrBC8b9s1Ony4F8YFWgFE4G_1gxV-0qz8IxgzhLGUgehuwsHTUjMLvyGgTiFrFvrPsftEuEGtOQbKswngWQGlYWSsUIWb79Fdk_-wD08fyM9YUGJyb0Bg_HO2M95CFsSASB4HDO4QHOXw"}
+```
+
+### Logout
+You can remove the local cache files under `~/.kube/cache/oidc-login/<cached-file>` to logout current user.