
Post-deployment tasks

After you deploy an OpenShift cluster, you can configure additional items. This article covers:

  • How to configure single sign-on by using Azure Active Directory (Azure AD)
  • How to configure Azure Monitor logs to monitor OpenShift
  • How to configure metrics and logging
  • How to install Open Service Broker for Azure (OSBA)

Configure single sign-on by using Azure Active Directory

To use Azure Active Directory for authentication, first you need to create an Azure AD app registration. This process involves two steps: creating the app registration, and configuring permissions.

Create an app registration

These steps use the Azure CLI to create the app registration, and the GUI (portal) to set the permissions. To create the app registration, you need the following five pieces of information:

  • Display name: App registration name (for example, OCPAzureAD)
  • Home page: OpenShift console URL (for example, https://masterdns343khhde.westus.cloudapp.azure.com/console)
  • Identifier URI: OpenShift console URL (for example, https://masterdns343khhde.westus.cloudapp.azure.com/console)
  • Reply URL: Master public URL and the app registration name (for example, https://masterdns343khhde.westus.cloudapp.azure.com/oauth2callback/OCPAzureAD)
  • Password: Secure password (use a strong password)

The following example creates an app registration by using the preceding information (the reply URL ends in the app registration name, OCPAzureAD, which must match the provider name you configure in OpenShift later):

az ad app create --display-name OCPAzureAD --homepage https://masterdns343khhde.westus.cloudapp.azure.com/console --reply-urls https://masterdns343khhde.westus.cloudapp.azure.com/oauth2callback/OCPAzureAD --identifier-uris https://masterdns343khhde.westus.cloudapp.azure.com/console --password {Strong Password}

If the command is successful, you get a JSON output similar to:

{
  "appId": "12345678-ca3c-427b-9a04-ab12345cd678",
  "appPermissions": null,
  "availableToOtherTenants": false,
  "displayName": "OCPAzureAD",
  "homepage": "https://masterdns343khhde.westus.cloudapp.azure.com/console",
  "identifierUris": [
    "https://masterdns343khhde.westus.cloudapp.azure.com/console"
  ],
  "objectId": "62cd74c9-42bb-4b9f-b2b5-b6ee88991c80",
  "objectType": "Application",
  "replyUrls": [
    "https://masterdns343khhde.westus.cloudapp.azure.com/oauth2callback/OCPAzureAD"
  ]
}

Take note of the appId property returned from the command for a later step.

In the Azure portal:

  1. Select Azure Active Directory > App Registration.

  2. Search for your app registration (for example, OCPAzureAD).

  3. In the results, click the app registration.

  4. Under Settings, select Required permissions.

  5. Under Required Permissions, select Add.

    (Screenshot: App registration)

  6. Click Step 1: Select API, and then click Windows Azure Active Directory (Microsoft.Azure.ActiveDirectory). Click Select at the bottom.

    (Screenshot: App registration, Select API)

  7. On Step 2: Select Permissions, select Sign in and read user profile under Delegated Permissions, and then click Select.

    (Screenshot: App registration, access permissions)

  8. Select Done.

Configure OpenShift for Azure AD authentication

To configure OpenShift to use Azure AD as an authentication provider, the /etc/origin/master/master-config.yaml file must be edited on all master nodes.

Find the tenant ID by using the following CLI command:

az account show

In the yaml file, find the following lines:

oauthConfig:
  assetPublicURL: https://masterdns343khhde.westus.cloudapp.azure.com/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd
      kind: HTPasswdPasswordIdentityProvider

Insert the following lines immediately after the preceding lines:

  - name: <App Registration Name>
    challenge: false
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: <appId>
      clientSecret: <Strong Password>
      claims:
        id:
        - sub
        preferredUsername:
        - unique_name
        name:
        - name
        email:
        - email
      urls:
        authorize: https://login.microsoftonline.com/<tenant Id>/oauth2/authorize
        token: https://login.microsoftonline.com/<tenant Id>/oauth2/token

Make sure the text aligns correctly under identityProviders, and replace <tenant Id> with the tenant ID returned by az account show.

Restart the OpenShift master services on all master nodes:

sudo /usr/local/bin/master-restart api
sudo /usr/local/bin/master-restart controllers

In the OpenShift console, you now see two options for authentication: htpasswd_auth and [App Registration].
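Hand-editing this block is where mistakes creep in: a stray indent under identityProviders, a <placeholder> left in, or a provider name that does not match the reply URL registered in Azure AD (OpenShift completes the OAuth flow at /oauth2callback/<provider name>, which is why the reply URL above ends in the app registration name). The following Python script is an added example, not code from the Azure documentation or from OpenShift: it builds the identity-provider entry from the values collected in the steps above, renders it with the exact indentation shown, and reports these problems before you touch master-config.yaml. The function names, the tenant ID, the client secret and the app registration's replyUrls used in the usage section are constructed for the example.

```python
"""Build, render and sanity-check the Azure AD OpenIDIdentityProvider entry for
master-config.yaml.  Added example (not the Azure docs' or OpenShift's own code);
all function names and sample values below are constructed for illustration."""
import json
import re

AAD_LOGIN = "https://login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
YAML_SPECIAL_START = "-?:,[]{}#&*!|>'\"%@`"


def build_azure_ad_provider(name, app_id, client_secret, tenant_id):
    """Return the identityProviders entry as plain dicts/lists, in the same key
    order as the YAML on this page (name, challenge, login, mappingMethod, provider)."""
    return {
        "name": name,
        "challenge": False,          # browser redirect login, no WWW-Authenticate challenge
        "login": True,
        "mappingMethod": "claim",
        "provider": {
            "apiVersion": "v1",
            "kind": "OpenIDIdentityProvider",
            "clientID": app_id,      # the appId returned by az ad app create
            "clientSecret": client_secret,
            "claims": {
                "id": ["sub"],
                "preferredUsername": ["unique_name"],
                "name": ["name"],
                "email": ["email"],
            },
            "urls": {
                "authorize": f"{AAD_LOGIN}/{tenant_id}/oauth2/authorize",
                "token": f"{AAD_LOGIN}/{tenant_id}/oauth2/token",
            },
        },
    }


def expected_reply_url(master_public_url, entry):
    """OpenShift finishes the OAuth flow at /oauth2callback/<provider name>, so the reply
    URL registered on the Azure AD app must be built from the provider's name."""
    return f"{master_public_url.rstrip('/')}/oauth2callback/{entry['name']}"


def check_provider(entry, registered_reply_urls=(), master_public_url=None):
    """Return a list of problems; an empty list means the entry looks ready to paste."""
    problems = []
    prov = entry.get("provider", {})
    cid = str(prov.get("clientID", ""))
    if not cid or cid.startswith("<"):
        problems.append("clientID is empty or still a placeholder")
    elif not GUID_RE.match(cid):
        problems.append("clientID is not a GUID (use the appId returned by az ad app create)")
    secret = str(prov.get("clientSecret", ""))
    if not secret or secret.startswith("<"):
        problems.append("clientSecret is empty or still a placeholder")
    if prov.get("kind") != "OpenIDIdentityProvider":
        problems.append("kind must be OpenIDIdentityProvider")
    if entry.get("mappingMethod") != "claim":
        problems.append("mappingMethod should be claim")
    if "sub" not in prov.get("claims", {}).get("id", []):
        problems.append("claims.id should include sub, the stable per-user identifier")
    for which in ("authorize", "token"):
        url = prov.get("urls", {}).get(which, "")
        if not url.startswith(AAD_LOGIN + "/"):
            problems.append(f"urls.{which} must be under {AAD_LOGIN}")
        elif "<" in url:
            problems.append(f"urls.{which} still contains a placeholder (tenant ID)")
    if master_public_url is not None:
        want = expected_reply_url(master_public_url, entry)
        if want not in registered_reply_urls:
            problems.append(f"reply URL {want} is not among the app registration's replyUrls")
    return problems


def _scalar(v):
    """Render a scalar, double-quoting strings that YAML would otherwise reinterpret
    (relevant for secrets containing ': ' or ' #', or values like 'no')."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if not isinstance(v, str):
        return str(v)
    risky = (v == "" or v.strip() != v or v[0] in YAML_SPECIAL_START
             or ": " in v or " #" in v
             or v.lower() in ("true", "false", "null", "yes", "no", "~"))
    return json.dumps(v) if risky else v


def to_yaml(value, indent=0):
    """Minimal block-style YAML emitter: 2-space indent for nested mappings, and list
    items at the same column as their parent key, matching the layout on this page."""
    pad = " " * indent
    lines = []
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, dict):
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(val, indent + 2))
            elif isinstance(val, list):
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(val, indent))
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    elif isinstance(value, list):
        for item in value:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 2)
                lines.append(f"{pad}- {sub[0].lstrip()}")   # first key shares the "- " line
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def render_identity_provider(entry):
    """Text to paste under identityProviders (two spaces in, under oauthConfig)."""
    return "\n".join(to_yaml([entry], 2)) + "\n"


if __name__ == "__main__":
    # Constructed sample values; the appId and master URL follow the page's example.
    master = "https://masterdns343khhde.westus.cloudapp.azure.com"
    entry = build_azure_ad_provider("OCPAzureAD", "12345678-ca3c-427b-9a04-ab12345cd678",
                                    "s3cret-from-app-registration",
                                    "11111111-2222-3333-4444-555555555555")
    registered = [master + "/oauth2callback/OCPAzureAD"]   # as shown in replyUrls above
    for problem in check_provider(entry, registered, master):
        print("PROBLEM:", problem)
    print(render_identity_provider(entry))
```

Because clientSecret ends up in clear text in master-config.yaml, keep that file readable by root only on every master and rotate the app registration's password if the file is ever copied somewhere less protected.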

Monitor OpenShift with Azure Monitor logs

There are three ways to add the Log Analytics agent to OpenShift.

  • Install the Log Analytics agent for Linux directly on each OpenShift node
  • Enable the Azure Monitor VM extension on each OpenShift node
  • Install the Log Analytics agent as an OpenShift daemon-set

Read the full instructions for more details.

Configure metrics and logging

Based on the branch, the Azure Resource Manager templates for OpenShift Container Platform and OKD may provide input parameters for enabling metrics and logging as part of the installation.

The OpenShift Container Platform Marketplace offer also provides an option to enable metrics and logging during cluster installation.

If metrics and logging weren't enabled during the installation of the cluster, they can easily be enabled after the fact.

Azure Cloud Provider in use

SSH to the bastion node or first master node (based on the template and branch in use) using the credentials provided during deployment. Issue the following commands:

ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-metrics/config.yml \
-e openshift_metrics_install_metrics=True \
-e openshift_metrics_cassandra_storage_type=dynamic

ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml \
-e openshift_logging_install_logging=True \
-e openshift_logging_es_pvc_dynamic=true

Azure Cloud Provider not in use

ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-metrics/config.yml \
-e openshift_metrics_install_metrics=True

ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml \
-e openshift_logging_install_logging=True

Install Open Service Broker for Azure (OSBA)

Open Service Broker for Azure, or OSBA, lets you provision Azure Cloud Services directly from OpenShift. OSBA is an Open Service Broker API implementation for Azure. The Open Service Broker API is a spec that defines a common language for cloud providers that cloud native applications can use to manage cloud services without lock-in.

To install OSBA on OpenShift, follow the instructions located here: https://github.com/Azure/open-service-broker-azure#openshift-project-template.

Note

Only complete the steps in the OpenShift Project Template section and not the entire Installing section.

Next steps