2020-08-31 11:01:56 -04:00
.. cwn1581381515361
.. _configure-oidc-auth-applications:
2021-11-09 10:48:34 -05:00
Set up OIDC Auth Applications
2020-08-31 11:01:56 -04:00
The **oidc-auth-apps** application is a system application that needs to be
configured to use a remote Windows Active Directory server to authenticate
2021-11-09 10:48:34 -05:00
users of the Kubernetes API. The ``oidc-auth-apps`` is packaged in the ISO
2020-08-31 11:01:56 -04:00
and uploaded by default.
2021-11-09 10:48:34 -05:00
Configure OIDC Auth Applications
.. rubric:: |prereq|
2020-08-31 11:01:56 -04:00
.. _configure-oidc-auth-applications-ul-gpz-x51-llb:
2021-11-09 10:48:34 -05:00
- You must have configured the Kubernetes ``kube-apiserver`` to use
2020-08-31 11:01:56 -04:00
the **oidc-auth-apps** |OIDC| identity provider for validation of
tokens in Kubernetes API requests, which use |OIDC| authentication. For
2021-11-09 10:48:34 -05:00
more information on configuring the Kubernetes ``kube-apiserver``, see
2020-08-31 11:01:56 -04:00
:ref:`Configure Kubernetes for OIDC Token Validation while
Bootstrapping the System
or :ref:`Configure Kubernetes for OIDC Token Validation after
Bootstrapping the System
2021-11-09 10:48:34 -05:00
.. rubric:: |proc|
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
#. Create certificates using one of the following options.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
#. Create certificates using cert-manager (recommended):
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
Certificates used by ``oidc-auth-apps`` can be managed by Cert-Manager.
Doing so will automatically renew the certificates before they expire.
The ``system-local-ca`` ClusterIssuer (see
will be used to issue this certificate.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
.. important::
The namespace for ``oidc-auth-apps`` must be ``kube-system``.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
#. Create the |OIDC| client and identity provider server certificate and
private key pair.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
.. code-block:: none
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ cat <<EOF > oidc-auth-apps-certificate.yaml
2022-06-10 12:36:29 -03:00
apiVersion: cert-manager.io/v1
2021-11-09 10:48:34 -05:00
kind: Certificate
name: oidc-auth-apps-certificate
namespace: kube-system
secretName: oidc-auth-apps-certificate
duration: 2160h # 90 days
renewBefore: 360h # 15 days
name: system-local-ca
kind: ClusterIssuer
commonName: <OAM_floating_IP_address>
2022-10-26 16:02:13 -03:00
- ABC-Company
- StarlingX-system-oidc-auth-apps
2021-11-09 10:48:34 -05:00
- <OAM_floating_IP_address>
2022-10-26 16:02:13 -03:00
2021-11-09 10:48:34 -05:00
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
#. Apply the configuration.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
.. code-block:: none
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ kubectl apply -f oidc-auth-apps-certificate.yaml
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
#. Verify the configuration.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
.. code-block:: none
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ kubectl get certificate oidc-auth-apps-certificate –n kube-system
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
#. Configure the |OIDC|-client with both the |OIDC| Client and Identity
Server Certificate and the |OIDC| Client and Identity Trusted |CA|
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
Create a secret with the certificate of the root |CA| that signed the
|OIDC| client and identity provider's server certificate. In this
example, it will be the ``ca.crt`` of the ``system-local-ca``
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
.. code-block:: none
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ mkdir /home/sysadmin/ssl
~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
2022-01-31 13:09:54 -05:00
~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
tlsName: oidc-auth-apps-certificate
# The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
# issuer_root_ca: /home/<filename-only-of-generic-secret>
issuer_root_ca: /home/dex-ca-cert.crt
issuer_root_ca_secret: dex-ca-cert
~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
#. Create a secret with the certificate of the |CA| that signed the
certificate of the remote Windows Active Directory server that you
will be using.
Create the secret ``wad-ca-cert`` with the |CA|'s certificate that
signed the Active Directory's certificate using the following
.. code-block:: none
2022-01-31 13:09:54 -05:00
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=ssl/wad-ca-cert.crt -n kube-system
2021-11-09 10:48:34 -05:00
Add the following sections to your dex helm overrides to configure the
|OIDC| Client and Identity Server Certificate and the Windows Active
Directory server |CA| Certificate for the |OIDC| Identity Server:
.. code-block:: none
2022-06-10 12:36:29 -03:00
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
2021-11-09 10:48:34 -05:00
- name: certdir
secretName: wad-ca-cert
2022-06-10 12:36:29 -03:00
- name: https-tls
defaultMode: 420
secretName: oidc-auth-apps-certificate
2021-11-09 10:48:34 -05:00
#. Apply the overrides configuration.
.. code-block:: none
~(keystone_admin)]$ system helm-override-update oidc-auth-apps dex kube-system --values dex-overrides.yaml
#. Configure the secret observer to track changes.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
Change the cronSchedule according to your needs. The cronSchedule
controls how often the application checks to see if the certificate
mounted on the dex and oidc-client pods had changed.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
Create a YAML configuration to modify the cronSchedule according to
your needs.
The cronSchedule controls how often the application checks to see
if the certificate mounted on the dex and oidc-client pods changed.
The following example sets the schedule to every 15 minutes.
.. code-block:: none
~(keystone_admin)]$ cat <<EOF > secret-observer-overrides.yaml
cronSchedule: "*/15 * * * *"
- secretName: "dex-ca-cert"
filename: "dex-ca-cert.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"
Execute the following command to update the overrides:
.. code-block:: none
~(keystone_admin)]$ system helm-override-update oidc-auth-apps secret-observer kube-system --values secret-observer-overrides.yaml
#. Use certificates generated and signed by an external |CA|.
2022-06-10 12:36:29 -03:00
Although it is recommended to use cert-manager to manage certificates, as
described above in item "Create certificates using cert-manager
(recommended)", one can instead use certificates generated by an external
For backwards compatibility reasons, the default helm chart overrides of
dex, oidc-client and secret-observer in ``oidc-auth-apps`` application
are set for this example of using externally generated certificates. The
default override values of helm charts in ``oidc-auth-apps`` application
include the use of kubernetes secrets named ``local-dex.tls``, and
``dex-client-secret`` for declaring the dex server certificate and the
|CA| which signed it, respectively. These secrets are created in this
2022-08-16 16:19:27 -04:00
In addition, one can indicate the |WAD| certificate for an |LDAP| server
2022-06-10 12:36:29 -03:00
that has https enabled by using the secret ``wad-ca-cert`` as in this
2021-11-09 10:48:34 -05:00
.. rubric:: |prereq|
- You must have a |CA| signed certificate (``dex-cert.pem`` file), and
private key (``dex-key.pem file``) for the dex |OIDC| Identity
Provider of **oidc-auth-apps**.
This certificate *must* have the |prod|'s floating |OAM| IP Address
in the |SAN| list. If you are planning on defining and using a DNS
name for the |prod|'s floating |OAM| IP Address, then this DNS name
*must* also be in the |SAN| list. Refer to the documentation for the
external |CA| that you are using, in order to create a signed
certificate and key.
If you are using an intermediate |CA| to sign the dex certificate,
include both the dex certificate (signed by the intermediate |CA|),
and the intermediate |CA|'s certificate (signed by the Root |CA|) in
that order, in ``dex-cert.pem``.
- You must have the certificate of the |CA| (``dex-ca.pem`` file) that
signed the above certificate for the dex |OIDC| Identity Provider of
If an intermediate |CA| was used to sign the dex certificate and both
the dex certificate and the intermediate |CA| certificate was
included in ``dex-cert.pem``, then the ``dex-ca.pem`` file should
contain the root |CA|'s certificate.
If the signing |CA| (``dex-ca.pem``) is not a well-known trusted
|CA|, you must ensure the system trusts the |CA| by specifying it
either during the bootstrap phase of system installation, by
specifying ``ssl_ca_cert: dex-ca.pem`` in the ansible bootstrap
overrides ``localhost.yml`` file, or by using the :command:`system
certificate-install -m ssl_ca dex-ca.pem` command.
#. Create the secret, ``local-dex.tls``, with the certificate and key,
to be used by the **oidc-auth-apps**, as well as the secret,
``dex-client-secret``, with the |CA|'s certificate that signed the
``local-dex.tls`` certificate.
For example, assuming the cert and key pem files for creating these
secrets are in ``/home/sysadmin/ssl/``, run the following commands to
create the secrets:
.. note::
**oidc-auth-apps** looks specifically for secrets of these names
in the ``kube-system`` namespace.
For the generic secret ``dex-client-secret``, the filename must
be ``dex-ca.pem``.
.. code-block:: none
~(keystone_admin)]$ kubectl create secret tls local-dex.tls --cert=ssl/dex-cert.pem --key=ssl/dex-key.pem -n kube-system
~(keystone_admin)]$ kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/ssl/dex-ca.pem -n kube-system
Create the secret ``wad-ca-cert`` with the |CA|'s certificate that signed
the Active Directory's certificate using the following command:
.. code-block:: none
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=ssl/wad-ca-cert.crt -n kube-system
#. Specify user overrides for **oidc-auth-apps** application, by using the
following command:
2020-08-31 11:01:56 -04:00
.. code-block:: none
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/dex-overrides.yaml --reuse-values
2020-08-31 11:01:56 -04:00
The dex-overrides.yaml file contains the desired dex helm chart overrides
2021-11-09 10:48:34 -05:00
(that is, the |LDAP| connector configuration for the Active Directory
service, optional token expiry, and so on), and volume mounts for
2022-06-10 12:36:29 -03:00
providing access to the ``wad-ca-cert`` secret, described in this section.
2020-08-31 11:01:56 -04:00
For the complete list of dex helm chart values supported, see `Dex Helm
Chart Values
2022-06-10 12:36:29 -03:00
For the complete list of parameters of the dex |LDAP| connector
configuration, see `Authentication Through LDAP
2021-10-25 12:19:18 -04:00
2020-08-31 11:01:56 -04:00
2022-06-10 12:36:29 -03:00
The overall Dex documentation is available on `dexidp.io
<https://dexidp.io/docs/>`__. The configuration of dex server version
v2.31.1 is described on github
(https://github.com/dexidp/dex/blob/v2.31.1/config.yaml.dist) with example
2021-10-25 12:19:18 -04:00
The example below configures a token expiry of ten hours, a single |LDAP|
2020-08-31 11:01:56 -04:00
connector to an Active Directory service using HTTPS \(LDAPS\) using the
2022-06-10 12:36:29 -03:00
``wad-ca-cert`` secret configured in this section, the required Active
2020-08-31 11:01:56 -04:00
Directory service login information \(that is, bindDN, and bindPW\), and
example :command:`userSearch`, and :command:`groupSearch` clauses.
2021-11-09 10:48:34 -05:00
(Optional) There is a default secret in the dex configuration for
``staticClients``. You can change this using helm overrides. For example,
2021-03-15 16:56:04 -03:00
to change the secret, first run the following command to see the default
2021-11-09 10:48:34 -05:00
settings. In this example, ```` is the |prod-long| |OAM| floating
IP address.
2021-03-15 16:56:04 -03:00
.. code-block:: none
~(keystone_admin)]$ system helm-override-show oidc-auth-apps dex kube-system
2021-04-30 15:34:40 -03:00
2021-03-15 16:56:04 -03:00
- id: stx-oidc-client-app
name: STX OIDC Client app
redirectURIs: ['']
secret: St8rlingX
Change the secret from the output and copy the entire configuration section
shown above in to your dex overrides file shown in the example below.
2021-11-09 10:48:34 -05:00
.. warning::
Do not forget to include the id, name, and redirectURIs parameters.
2021-03-15 16:56:04 -03:00
.. note::
2021-11-09 10:48:34 -05:00
There is an internal ``client_secret`` that is used between the
2021-03-15 16:56:04 -03:00
oidc-client container and the dex container. It is recommended that you
2021-11-09 10:48:34 -05:00
configure a unique, more secure ``client_secret`` by specifying the
2021-03-15 16:56:04 -03:00
value in the dex overrides file, as shown in the example below.
2021-04-30 15:34:40 -03:00
2021-11-09 10:48:34 -05:00
.. begin-connector-config
2020-08-31 11:01:56 -04:00
.. code-block:: none
2021-03-15 16:56:04 -03:00
- id: stx-oidc-client-app
name: STX OIDC Client app
redirectURIs: ['<OAM floating IP address>/callback']
2021-04-30 15:34:40 -03:00
secret: BetterSecret
2021-03-15 16:56:04 -03:00
client_secret: BetterSecret
2020-08-31 11:01:56 -04:00
idTokens: "10h"
- type: ldap
name: OpenLDAP
id: ldap
2021-11-09 10:48:34 -05:00
host: pv-windows-acti.windows-activedir.example.com:636
rootCA: /etc/ssl/certs/adcert/wad-ca-cert.crt
2020-08-31 11:01:56 -04:00
insecureNoSSL: false
insecureSkipVerify: false
2021-11-09 10:48:34 -05:00
bindDN: cn=Administrator,cn=Users,dc=windows-activedir,dc=example,dc=com
2021-03-15 16:56:04 -03:00
bindPW: [<password>]
2020-08-31 11:01:56 -04:00
usernamePrompt: Username
2021-11-09 10:48:34 -05:00
baseDN: ou=Users,ou=Titanium,dc=windows-activedir,dc=example,dc=com
2020-08-31 11:01:56 -04:00
filter: "(objectClass=user)"
username: sAMAccountName
idAttr: sAMAccountName
emailAttr: sAMAccountName
nameAttr: displayName
2021-11-09 10:48:34 -05:00
baseDN: ou=Groups,ou=Titanium,dc=windows-activedir,dc=example,dc=com
2020-08-31 11:01:56 -04:00
filter: "(objectClass=group)"
userAttr: DN
groupAttr: member
nameAttr: cn
2022-06-10 12:36:29 -03:00
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
2020-08-31 11:01:56 -04:00
- name: certdir
2021-11-09 10:48:34 -05:00
secretName: wad-ca-cert
2022-06-10 12:36:29 -03:00
- name: https-tls
defaultMode: 420
secretName: oidc-auth-apps-certificate
2021-11-09 10:48:34 -05:00
.. end-connector-config
2020-08-31 11:01:56 -04:00
If more than one Windows Active Directory service is required for
2021-11-09 10:48:34 -05:00
authenticating the different users of the |prod|, multiple ``ldap``
2020-08-31 11:01:56 -04:00
type connectors can be configured; one for each Windows Active
Directory service.
2021-11-09 10:48:34 -05:00
If more than one ``userSearch`` plus ``groupSearch`` clauses are
2020-08-31 11:01:56 -04:00
required for the same Windows Active Directory service, multiple
2021-11-09 10:48:34 -05:00
``ldap`` type connectors, with the same host information but
different ``userSearch`` plus ``groupSearch`` clauses, should be used.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
Whenever you use multiple ``ldap`` type connectors, ensure you use
unique ``name:`` and ``id:`` parameters for each connector.
2020-08-31 11:01:56 -04:00
2021-11-09 10:48:34 -05:00
#. An override in the secrets in the dex helm chart must be accompanied by
an override in the oidc-client helm chart.
2021-03-15 16:56:04 -03:00
The following override is sufficient for changing the secret in the
2021-11-09 10:48:34 -05:00
``/home/sysadmin/oidc-client-overrides.yaml`` file.
2021-03-15 16:56:04 -03:00
.. code-block:: none
2021-04-30 15:34:40 -03:00
2021-03-15 16:56:04 -03:00
client_secret: BetterSecret
Apply the oidc-client overrides using the following command:
.. code-block:: none
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values /home/sysadmin/oidc-client-overrides.yaml --reuse-values
2021-03-15 16:56:04 -03:00
.. note::
2021-04-30 15:34:40 -03:00
2021-11-09 10:48:34 -05:00
If you need to manually override the secrets, the client_secret in the
2021-03-15 16:56:04 -03:00
oidc-client overrides must match the staticClients secret and
2021-11-09 10:48:34 -05:00
client_secret in the dex overrides, otherwise the oidc-auth |CLI|
2021-03-15 16:56:04 -03:00
client will not function.
2020-08-31 11:01:56 -04:00
#. Use the :command:`system application-apply` command to apply the
.. code-block:: none
2021-11-09 10:48:34 -05:00
~(keystone_admin)]$ system application-apply oidc-auth-apps
2022-06-10 12:36:29 -03:00
Default helm overrides for oidc-auth-apps application
For backwards compatibility reasons, the default helm overrides for dex helm
.. note::
It is NOT recommended to use these; it is recommended to create
certificates using ``cert-manager`` and explicitly refer to the resulting
certificate secrets in user-specified helm overrides, as described on the
procedure above.
.. code-block:: none
repository: ghcr.io/dexidp/dex
pullPolicy: IfNotPresent
tag: v2.31.1
- name: default-registry-key
value: kube-system
issuer: https://<OAM_IP>:30556/dex
- id: stx-oidc-client-app
name: STX OIDC Client app
secret: St8rlingX
- https://<OAM_IP>:30555/callback
enablePasswordDB: false
tlsCert: /etc/dex/tls/tls.crt
tlsKey: /etc/dex/tls/tls.key
type: kubernetes
inCluster: true
skipApprovalScreen: true
level: debug
type: NodePort
nodePort: 30556
enabled: true
enabled: false
2022-10-25 07:01:23 -04:00
node-role.kubernetes.io/control-plane: ""
2022-06-10 12:36:29 -03:00
- mountPath: /etc/dex/tls/
name: https-tls
- name: https-tls
defaultMode: 420
secretName: local-dex.tls
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
2022-10-25 07:01:23 -04:00
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
2022-06-10 12:36:29 -03:00
- labelSelector:
- key: app
operator: In
- dex
topologyKey: kubernetes.io/hostname
The default helm overrides for oidc-client are:
.. code-block:: none
client_id: stx-oidc-client-app
client_secret: St8rlingX
issuer: https://<OAM_IP>:30556/dex
issuer_root_ca: /home/dex-ca.pem
redirect_uri: https://<OAM_IP>:30555/callback
tlsCert: /etc/dex/tls/https/server/tls.crt
tlsKey: /etc/dex/tls/https/server/tls.key
2022-10-25 07:01:23 -04:00
node-role.kubernetes.io/control-plane: ""
2022-06-10 12:36:29 -03:00
type: NodePort
port: 5555
nodePort: 30555
replicas: <replicate count>
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
2022-10-25 07:01:23 -04:00
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
2022-06-10 12:36:29 -03:00
- labelSelector:
- key: app
operator: In
- stx-oidc-client
topologyKey: kubernetes.io/hostname
helmv3Compatible: true
The default helm overrides for secret-observer are:
.. code-block:: none
namespace: "kube-system"
- secretName: "dex-client-secret"
filename: "dex-ca.pem"
deploymentToRestart: "stx-oidc-client"
- secretName: "local-dex.tls"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "local-dex.tls"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
2022-10-25 07:01:23 -04:00
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"