Update OIDC overrides to use oidc-auth-apps-certificate created by cert-manager (dsR10, dsR10minor)

Change OIDC overrides to use oidc-auth-apps-certificate created by cert-manager.

Change-Id: I02f79f03299494f1986385acd0ce5b9f80926059
Signed-off-by: Elisamara Aoki Gonçalves <elisamaraaoki.goncalves@windriver.com>
Elisamara Aoki Gonçalves
2025-05-06 17:15:57 +00:00
parent 227b9c41a2
commit 272c071627


@@ -114,44 +114,22 @@ Configure OIDC Auth Applications
Server Certificate and the |OIDC| Client and Identity Trusted |CA| Server Certificate and the |OIDC| Client and Identity Trusted |CA|
certificate. certificate.
.. only:: starlingx Configure the certificate of the root |CA| that signed the |OIDC| client
and identity provider's server certificate. In this example, it will be
the ``ca.crt`` of the ``oidc-auth-apps-certificate`` (ClusterIssuer).
Create a secret with the certificate of the root |CA| that signed .. code-block:: none
the |OIDC| client and identity provider's server certificate. In
this example, it will be the ``ca.crt`` of the ``system-local-ca``
(ClusterIssuer).
.. only:: partner ~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
tlsName: oidc-auth-apps-certificate
config:
# The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
# issuer_root_ca: /home/<filename-only-of-generic-secret>
issuer_root_ca: /home/ca.crt
issuer_root_ca_secret: oidc-auth-apps-certificate
EOF
.. include:: /_includes/configure-oidc-auth-applications.rest ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
:start-after: configure-oidc-begin
:end-before: configure-oidc-end
.. only:: starlingx
.. code-block:: none
~(keystone_admin)]$ mkdir /home/sysadmin/ssl
~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
tlsName: oidc-auth-apps-certificate
config:
# The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
# issuer_root_ca: /home/<filename-only-of-generic-secret>
issuer_root_ca: /home/dex-ca-cert.crt
issuer_root_ca_secret: dex-ca-cert
EOF
~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-tls1-begin
:end-before: configure-oidc-tls1-end
#. Create a secret with the certificate of the |CA| that signed the #. Create a secret with the certificate of the |CA| that signed the
certificate of the Identity Providers (IdPs) that you will be using. certificate of the Identity Providers (IdPs) that you will be using.
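Review bot: the parenthetical in the new text at the top of this hunk, "the ``ca.crt`` of the ``oidc-auth-apps-certificate`` (ClusterIssuer)", is now wrong: ``oidc-auth-apps-certificate`` is the Secret written by a cert-manager Certificate, not a ClusterIssuer (the old wording referred to ``system-local-ca``, which is one). Suggest "the ``ca.crt`` of the ``oidc-auth-apps-certificate`` secret (issued by the ``system-local-ca`` ClusterIssuer)". The comment inside the override file is also stale: it still says "The OIDC-client container mounts the dex-ca-cert secret at /home" while ``issuer_root_ca_secret`` now names ``oidc-auth-apps-certificate``, so update it to match. Because a cert-manager issued secret also carries ``tls.key``, this change mounts the server private key into the OIDC client container where previously only the CA certificate (``dex-ca-cert``) was mounted; that is worth stating in the text so operators know what the client pod can now read.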
@@ -164,30 +142,12 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
.. only:: starlingx If you will use the Local |LDAP| server, use the Root |CA| data from
``oidc-auth-apps-certificate``, since it is the same Root |CA| that
signs the Local |LDAP| certificate (``system-local-ca``).
If you will use the Local |LDAP| server, create the secret The secrets ``wad-ca-cert`` and/or ``oidc-auth-apps-certificate`` will
``local-ldap-ca-cert`` with the |CA|'s certificate that signed the be used later in the application overrides.
Local |LDAP|'s certificate using the command below. This |CA|'s
certificate, presented below as file ``local-ldap-ca-cert.crt``, can
be extracted from the controller where the Local |LDAP| server is
running (the SystemController in DC environments) using the command
`kubectl get secret system-local-ca -n cert-manager
-o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
local-ldap-ca-cert.crt`.
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-tls2-begin
:end-before: configure-oidc-tls2-end
.. code-block:: none
~(keystone_admin)]$ kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system
The secrets ``wad-ca-cert`` and/or ``local-ldap-ca-cert`` will be used
later in the application overrides.
#. Configure the secret observer to track changes. #. Configure the secret observer to track changes.
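Review bot: the new Local LDAP text assumes ``oidc-auth-apps-certificate`` was issued by ``system-local-ca`` ("since it is the same Root CA that signs the Local LDAP certificate"), but the page still documents a path where the certificate is signed by an external CA, and in that case the ``ca.crt`` in that secret is not the Local LDAP CA. Removing the ``local-ldap-ca-cert`` creation step here (the ``kubectl get secret system-local-ca ... | base64 --decode`` extraction and ``kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system``) leaves the external-CA dex override later in this patch, which still mounts ``secretName: local-ldap-ca-cert``, without any instruction for creating that secret. Suggest keeping the removed steps under a condition such as "if ``oidc-auth-apps-certificate`` was not issued by ``system-local-ca``".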
@@ -204,19 +164,19 @@ Configure OIDC Auth Applications
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ cat <<EOF > secret-observer-overrides.yaml ~(keystone_admin)]$ cat <<EOF > secret-observer-overrides.yaml
cronSchedule: "*/15 * * * *" cronSchedule: "*/15 * * * *"
observedSecrets: observedSecrets:
- secretName: "dex-ca-cert" - secretName: "oidc-auth-apps-certificate"
filename: "dex-ca-cert.crt" filename: "ca.crt"
deploymentToRestart: "stx-oidc-client" deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate" - secretName: "oidc-auth-apps-certificate"
filename: "tls.crt" filename: "tls.crt"
deploymentToRestart: "stx-oidc-client" deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate" - secretName: "oidc-auth-apps-certificate"
filename: "tls.crt" filename: "tls.crt"
deploymentToRestart: "oidc-dex" deploymentToRestart: "oidc-dex"
EOF EOF
Execute the following command to update the overrides: Execute the following command to update the overrides:
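Review bot: the new ``filename: "ca.crt"`` entry for ``stx-oidc-client`` assumes the ``oidc-auth-apps-certificate`` secret contains a ``ca.crt`` key; cert-manager only writes that key when the issuer exposes a CA certificate (the ``system-local-ca`` CA issuer does, an external or ACME-style issuer generally does not), so on the external-CA path described later in this patch the observer would be tracking a file that is never present. A short sentence saying this entry applies to the ``system-local-ca`` case, or describing what the secret observer does when the filename is absent, would avoid a silent misconfiguration.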
@@ -400,8 +360,6 @@ Configure OIDC Auth Applications
For only a |WAD| server, the configuration is shown below. For only a |WAD| server, the configuration is shown below.
.. begin-wad-connector-config
.. code-block:: none .. code-block:: none
config: config:
@@ -452,74 +410,127 @@ Configure OIDC Auth Applications
defaultMode: 420 defaultMode: 420
secretName: oidc-auth-apps-certificate secretName: oidc-auth-apps-certificate
.. end-wad-connector-config
For only the Local |LDAP| server, the configuration is shown below. The For only the Local |LDAP| server, the configuration is shown below. The
value of ``bindPW`` can be retrieved through command `keyring get ldap value of bindPW can be retrieved through :command:`keyring get ldap ldapadmin`
ldapadmin` executed in the controller where the Local |LDAP| server is command executed in the controller where the Local |LDAP| server
running. In DC environments, the MGMT floating IP address to be used is the is running. In DC environments, the MGMT floating IP address to be used is
one from the SystemController. the one from the SystemController.
.. begin-local-ldap-connector-config #. For the secret ``oidc-auth-apps-certificate`` created using cert-manager
(recommended):
.. code-block:: none .. code-block:: none
config: cat <<EOF > dex-overrides.yaml
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
redirectURIs: ['https://<OAM floating IP address>:30555/callback']
secret: BetterSecret
expiry:
idTokens: "10h"
connectors:
- type: ldap
name: LocalLDAP
id: localldap-1
config: config:
host: <MGMT floating IP address>:636 staticClients:
rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt - id: stx-oidc-client-app
insecureNoSSL: false name: STX OIDC Client app
insecureSkipVerify: false secret: St8rlingX
bindDN: CN=ldapadmin,DC=cgcs,DC=local redirectURIs:
bindPW: [<password>] - https://<OAM floating IP address>:30555/callback
usernamePrompt: Username expiry:
userSearch: idTokens: "10h"
baseDN: ou=People,dc=cgcs,dc=local connectors:
filter: "(objectClass=posixAccount)" - type: ldap
username: uid name: LocalLDAP
idAttr: DN id: localldap-1
emailAttr: uid config:
nameAttr: gecos host: <MGMT floating IP address>:636
groupSearch: rootCA: /etc/ssl/certs/adcert/ca.crt
baseDN: ou=Group,dc=cgcs,dc=local insecureNoSSL: false
filter: "(objectClass=posixGroup)" insecureSkipVerify: false
userMatchers: bindDN: CN=ldapadmin,DC=cgcs,DC=local
- userAttr: uid bindPW: [<password>]
groupAttr: memberUid usernamePrompt: Username
nameAttr: cn userSearch:
volumeMounts: baseDN: ou=People,dc=cgcs,dc=local
- mountPath: /etc/ssl/certs/adcert filter: "(objectClass=posixAccount)"
name: certdir username: uid
- mountPath: /etc/dex/tls idAttr: DN
name: https-tls emailAttr: uid
volumes: nameAttr: gecos
- name: certdir groupSearch:
secret: baseDN: ou=Group,dc=cgcs,dc=local
secretName: local-ldap-ca-cert filter: "(objectClass=posixGroup)"
- name: https-tls userMatchers:
secret: - userAttr: uid
defaultMode: 420 groupAttr: memberUid
secretName: oidc-auth-apps-certificate nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: oidc-auth-apps-certificate
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
#. Use certificates generated and signed by an external |CA|.
.. code-block:: none
config:
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
secret: St8rlingX
redirectURIs:
- https://<OAM floating IP address>:30555/callback
expiry:
idTokens: "10h"
connectors:
- type: ldap
name: LocalLDAP
id: localldap-1
config:
host: <MGMT floating IP address>:636
rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
insecureNoSSL: false
insecureSkipVerify: false
bindDN: CN=ldapadmin,DC=cgcs,DC=local
bindPW: [<password>]
usernamePrompt: Username
userSearch:
baseDN: ou=People,dc=cgcs,dc=local
filter: "(objectClass=posixAccount)"
username: uid
idAttr: DN
emailAttr: uid
nameAttr: gecos
groupSearch:
baseDN: ou=Group,dc=cgcs,dc=local
filter: "(objectClass=posixGroup)"
userMatchers:
- userAttr: uid
groupAttr: memberUid
nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: local-ldap-ca-cert
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
.. end-local-ldap-connector-config
If both |WAD| and Local |LDAP| servers are used at same time, use the If both |WAD| and Local |LDAP| servers are used at same time, use the
examples above with the connectors from |WAD| and Local |LDAP| in the same examples above with the connectors from |WAD| and Local |LDAP| in the same
``connectors`` list while the ``volumes`` to be used is the one written ``connectors`` list while the ``volumes`` to be used is the one written
below. below.
.. begin-both-wad-and-local-ldap-volume-config
.. code-block:: none .. code-block:: none
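Review bot: the second dex override in this hunk ("Use certificates generated and signed by an external CA") still uses ``rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt`` and ``secretName: local-ldap-ca-cert``, but the step that created ``local-ldap-ca-cert`` is deleted earlier in this patch, so a reader following the external-CA path has no secret to mount; either restore that step for this path or state where the secret comes from. In the cert-manager override, the ``certdir`` volume mounts the whole ``oidc-auth-apps-certificate`` secret, including ``tls.key``, at ``/etc/ssl/certs/adcert`` although dex only reads ``ca.crt`` from that directory; projecting just that key with ``items: [{key: ca.crt, path: ca.crt}]`` on the secret volume keeps the private key out of the connector directory. Also, ``secret: St8rlingX`` replaces the earlier ``BetterSecret`` value; both are sample client secrets and should be marked as placeholders to be replaced (for example ``<client secret>``) like the other angle-bracket values in the file.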
@@ -536,7 +547,6 @@ Configure OIDC Auth Applications
defaultMode: 420 defaultMode: 420
secretName: oidc-auth-apps-certificate secretName: oidc-auth-apps-certificate
.. end-both-wad-and-local-ldap-volume-config
If more than one Windows Active Directory service is required for If more than one Windows Active Directory service is required for
authenticating the different users of the |prod|, multiple ``ldap`` authenticating the different users of the |prod|, multiple ``ldap``