docs/doc/source/security/kubernetes/deprovision-ldap-server-authentication.rst


.. luo1591184217439
.. _deprovision-ldap-server-authentication:

======================================
Deprovision LDAP Server Authentication
======================================

You can remove Windows Active Directory or |LDAP| authentication from
|prod-long|.

.. rubric:: |proc|

#.  Remove the configuration of kube-apiserver to use oidc-auth-apps for
    authentication.


    #.  Determine the UUIDs of parameters used in the kubernetes **kube-apiserver** group.

        These include oidc-client-id, oidc-groups-claim,
        oidc-issuer-url and oidc-username-claim.

        .. code-block:: none

            ~(keystone_admin)]$ system service-parameter-list

    #.  Delete each parameter.

        .. code-block:: none

            ~(keystone_admin)]$ system service-parameter-delete <UUID>

    #.  Apply the changes.

        .. code-block:: none

            ~(keystone_admin)]$ system service-parameter-apply kubernetes


#.  Uninstall oidc-auth-apps.

    .. code-block:: none

        ~(keystone_admin)]$ system application-remove oidc-auth-apps

#.  Clear the helm-override configuration.

    .. code-block:: none

        ~(keystone_admin)]$ system helm-override-update oidc-auth-apps dex kube-system --reset-values
        ~(keystone_admin)]$ system helm-override-show oidc-auth-apps dex kube-system

        ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --reset-values
        ~(keystone_admin)]$ system helm-override-show oidc-auth-apps oidc-client kube-system

        ~(keystone_admin)]$ system helm-override-update oidc-auth-apps secret-observer kube-system --reset
        ~(keystone_admin)]$ system helm-override-show oidc-auth-apps secret-observer kube-system

#.  Remove secrets that contain certificate data. Depending on your
    configuration, some secrets listed below may not exist.

    .. code-block:: none

        ~(keystone_admin)]$ kubectl delete secret dex-ca-cert -n kube-system
        ~(keystone_admin)]$ kubectl delete secret oidc-auth-apps-certificate -n kube-system
        ~(keystone_admin)]$ kubectl delete secret wad-ca-cert -n kube-system
        ~(keystone_admin)]$ kubectl delete secret local-ldap-ca-cert -n kube-system
        ~(keystone_admin)]$ kubectl delete secret local-dex.tls -n kube-system
        ~(keystone_admin)]$ kubectl delete secret dex-client-secret -n kube-system

#.  Remove any |RBAC| RoleBindings added for |OIDC| users and/or groups.

    For example:

    .. code-block:: none

        $ kubectl delete clusterrolebinding testuser-rolebinding
        $ kubectl delete clusterrolebinding billingdeptgroup-rolebinding
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. luo1591184217439`
Updated OIDC app docs This commit does 2 changes in the OIDC app docs: 1) The docs were updated to be explicit about the OIDC app being compatible with LDAP servers and not only with the Windows Active Directory; 2) The page "Centralized OIDC Authentication Setup for Distributed Cloud" was renamed to "Centralized vs Distributed OIDC Authentication Setup" and was moved in the index of pages to be right below the first page "Overview of LDAP Servers". The idea is to use this page as a entry point for someone learning about the OIDC app, because every user must decide between a centralized and a distributed setup and because this page has links to all other pages except "Deprovision LDAP Server Authentication". Story: 2010738 Task: 49455 Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> 2024-01-23 20:23:44 -03:00			`.. _deprovision-ldap-server-authentication:`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updated OIDC app docs This commit does 2 changes in the OIDC app docs: 1) The docs were updated to be explicit about the OIDC app being compatible with LDAP servers and not only with the Windows Active Directory; 2) The page "Centralized OIDC Authentication Setup for Distributed Cloud" was renamed to "Centralized vs Distributed OIDC Authentication Setup" and was moved in the index of pages to be right below the first page "Overview of LDAP Servers". The idea is to use this page as a entry point for someone learning about the OIDC app, because every user must decide between a centralized and a distributed setup and because this page has links to all other pages except "Deprovision LDAP Server Authentication". Story: 2010738 Task: 49455 Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> 2024-01-23 20:23:44 -03:00			`======================================`
			`Deprovision LDAP Server Authentication`
			`======================================`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updated OIDC app docs This commit does 2 changes in the OIDC app docs: 1) The docs were updated to be explicit about the OIDC app being compatible with LDAP servers and not only with the Windows Active Directory; 2) The page "Centralized OIDC Authentication Setup for Distributed Cloud" was renamed to "Centralized vs Distributed OIDC Authentication Setup" and was moved in the index of pages to be right below the first page "Overview of LDAP Servers". The idea is to use this page as a entry point for someone learning about the OIDC app, because every user must decide between a centralized and a distributed setup and because this page has links to all other pages except "Deprovision LDAP Server Authentication". Story: 2010738 Task: 49455 Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> 2024-01-23 20:23:44 -03:00			`You can remove Windows Active Directory or \|LDAP\| authentication from`
			`\|prod-long\|.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. rubric:: \|proc\|`

			`#. Remove the configuration of kube-apiserver to use oidc-auth-apps for`
			`authentication.`


			`#. Determine the UUIDs of parameters used in the kubernetes kube-apiserver group.`

Updated OIDC service parameter names - Added a note about historical service parameters for OIDC. - Renamed the parameters to have dashes instead of underscores. - Removed occurrences of "\" before "-". Story: 2009766 Task: 46855 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I47e5ab3c689184bdec20b39b2a00bf999ac5706a 2022-11-11 17:38:21 -03:00			`These include oidc-client-id, oidc-groups-claim,`
			`oidc-issuer-url and oidc-username-claim.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. code-block:: none`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system service-parameter-list`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`#. Delete each parameter.`

			`.. code-block:: none`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system service-parameter-delete <UUID>`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`#. Apply the changes.`

			`.. code-block:: none`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system service-parameter-apply kubernetes`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00

			`#. Uninstall oidc-auth-apps.`

			`.. code-block:: none`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system application-remove oidc-auth-apps`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`#. Clear the helm-override configuration.`

			`.. code-block:: none`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system helm-override-update oidc-auth-apps dex kube-system --reset-values`
			`~(keystone_admin)]$ system helm-override-show oidc-auth-apps dex kube-system`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --reset-values`
			`~(keystone_admin)]$ system helm-override-show oidc-auth-apps oidc-client kube-system`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updated OIDC app docs This commit does 2 changes in the OIDC app docs: 1) The docs were updated to be explicit about the OIDC app being compatible with LDAP servers and not only with the Windows Active Directory; 2) The page "Centralized OIDC Authentication Setup for Distributed Cloud" was renamed to "Centralized vs Distributed OIDC Authentication Setup" and was moved in the index of pages to be right below the first page "Overview of LDAP Servers". The idea is to use this page as a entry point for someone learning about the OIDC app, because every user must decide between a centralized and a distributed setup and because this page has links to all other pages except "Deprovision LDAP Server Authentication". Story: 2010738 Task: 49455 Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> 2024-01-23 20:23:44 -03:00			`~(keystone_admin)]$ system helm-override-update oidc-auth-apps secret-observer kube-system --reset`
			`~(keystone_admin)]$ system helm-override-show oidc-auth-apps secret-observer kube-system`

			`#. Remove secrets that contain certificate data. Depending on your`
			`configuration, some secrets listed below may not exist.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. code-block:: none`

Updated OIDC app docs This commit does 2 changes in the OIDC app docs: 1) The docs were updated to be explicit about the OIDC app being compatible with LDAP servers and not only with the Windows Active Directory; 2) The page "Centralized OIDC Authentication Setup for Distributed Cloud" was renamed to "Centralized vs Distributed OIDC Authentication Setup" and was moved in the index of pages to be right below the first page "Overview of LDAP Servers". The idea is to use this page as a entry point for someone learning about the OIDC app, because every user must decide between a centralized and a distributed setup and because this page has links to all other pages except "Deprovision LDAP Server Authentication". Story: 2010738 Task: 49455 Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> 2024-01-23 20:23:44 -03:00			`~(keystone_admin)]$ kubectl delete secret dex-ca-cert -n kube-system`
			`~(keystone_admin)]$ kubectl delete secret oidc-auth-apps-certificate -n kube-system`
			`~(keystone_admin)]$ kubectl delete secret wad-ca-cert -n kube-system`
			`~(keystone_admin)]$ kubectl delete secret local-ldap-ca-cert -n kube-system`
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ kubectl delete secret local-dex.tls -n kube-system`
			`~(keystone_admin)]$ kubectl delete secret dex-client-secret -n kube-system`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`#. Remove any \|RBAC\| RoleBindings added for \|OIDC\| users and/or groups.`

			`For example:`

			`.. code-block:: none`

			`$ kubectl delete clusterrolebinding testuser-rolebinding`
			`$ kubectl delete clusterrolebinding billingdeptgroup-rolebinding`