Merge "OIDC system-local-ca CA certificate data retrieval incorrectly references ca.crt rather than tls.crt. (dsr8)"
commit 2ab554024f
@@ -0,0 +1,13 @@
+
+
+.. start-after: configure-oidc-begin
+.. end-before: configure-oidc-end
+
+.. start-after: configure-oidc-tls1-begin
+.. end-before: configure-oidc-tls1-end
+
+.. start-after: configure-oidc-tls2-begin
+.. end-before: configure-oidc-tls2-end
+
+.. start-after: configure-oidc-tls3-begin
+.. end-before: configure-oidc-tls3-end
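Review bot: the 13-line file added here (the `/_includes/configure-oidc-auth-applications.rest` that the later hunks include, going by the path in their `.. include::` lines) contains only the four `start-after`/`end-before` marker pairs with nothing between them, so every `.. only:: partner` branch that pulls a region from it will render empty. Either add the partner text between the markers in this change, or say in the commit message that it lands separately, so that a reader of the history does not take the empty regions for a mistake.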
@@ -113,29 +113,44 @@ Configure OIDC Auth Applications
 Server Certificate and the |OIDC| Client and Identity Trusted |CA|
 certificate.
 
-Create a secret with the certificate of the root |CA| that signed the
-|OIDC| client and identity provider's server certificate. In this
-example, it will be the ``ca.crt`` of the ``system-local-ca``
-ClusterIssuer).
+.. only:: starlingx
 
-.. code-block:: none
+Create a secret with the certificate of the root |CA| that signed
+the |OIDC| client and identity provider's server certificate. In
+this example, it will be the ``ca.crt`` of the ``system-local-ca``
+(ClusterIssuer).
 
-~(keystone_admin)]$ mkdir /home/sysadmin/ssl
-~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
+.. only:: partner
 
-~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
+.. include:: /_includes/configure-oidc-auth-applications.rest
+:start-after: configure-oidc-begin
+:end-before: configure-oidc-end
 
-~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
-tlsName: oidc-auth-apps-certificate
-config:
-# The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
-# issuer_root_ca: /home/<filename-only-of-generic-secret>
-issuer_root_ca: /home/dex-ca-cert.crt
-issuer_root_ca_secret: dex-ca-cert
-EOF
+.. only:: starlingx
 
-~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
+.. code-block:: none
 
+~(keystone_admin)]$ mkdir /home/sysadmin/ssl
+~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
+
+~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
+
+~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
+tlsName: oidc-auth-apps-certificate
+config:
+# The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
+# issuer_root_ca: /home/<filename-only-of-generic-secret>
+issuer_root_ca: /home/dex-ca-cert.crt
+issuer_root_ca_secret: dex-ca-cert
+EOF
+
+~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
+
+.. only:: partner
+
+.. include:: /_includes/configure-oidc-auth-applications.rest
+:start-after: configure-oidc-tls1-begin
+:end-before: configure-oidc-tls1-end
 
 #. Create a secret with the certificate of the |CA| that signed the
 certificate of the Identity Providers (IdPs) that you will be using.
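Review bot: the commit title says the `system-local-ca` retrieval should read `tls.crt` rather than `ca.crt`, but the starlingx branch added in this hunk still says "it will be the ``ca.crt`` of the ``system-local-ca`` (ClusterIssuer)" and the command still extracts `{.data.ca\.crt}`. If the fix is meant to apply to the StarlingX build too, update both the prose and the jsonpath here (`-o=jsonpath='{.data.tls\.crt}'`); if the StarlingX text intentionally keeps `ca.crt`, say so in the commit message. The file this command writes becomes `issuer_root_ca` in `stx-oidc-client.yaml`, i.e. the trust anchor the OIDC client uses to verify the server behind `oidc-auth-apps-certificate`, so picking the wrong key out of the secret means the client either fails verification or trusts a CA it should not; a quick check that the extracted certificate is the issuer of that server certificate would catch either outcome before the override is applied.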
@@ -148,15 +163,23 @@ Configure OIDC Auth Applications
 
 ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
 
-If you will use the Local |LDAP| server, create the secret
-``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
-Local |LDAP|'s certificate using the command below. This |CA|'s
-certificate, presented below as file ``local-ldap-ca-cert.crt``, can
-be extracted from the controller where the Local |LDAP| server is
-running (the SystemController in DC environments) using the command
-`kubectl get secret system-local-ca -n cert-manager
--o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
-local-ldap-ca-cert.crt`.
+.. only:: starlingx
+
+If you will use the Local |LDAP| server, create the secret
+``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
+Local |LDAP|'s certificate using the command below. This |CA|'s
+certificate, presented below as file ``local-ldap-ca-cert.crt``, can
+be extracted from the controller where the Local |LDAP| server is
+running (the SystemController in DC environments) using the command
+`kubectl get secret system-local-ca -n cert-manager
+-o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
+local-ldap-ca-cert.crt`.
+
+.. only:: partner
+
+.. include:: /_includes/configure-oidc-auth-applications.rest
+:start-after: configure-oidc-tls2-begin
+:end-before: configure-oidc-tls2-end
 
 .. code-block:: none
 
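Review bot: the same `ca.crt` question applies to the inline command kept in the starlingx branch here (`-o=jsonpath=\'{.data.ca\\.crt}\'`), which the commit title says should reference `tls.crt`. Style: the nine-line Local |LDAP| paragraph is carried over unchanged apart from being re-indented under `.. only:: starlingx`, and the next hunk repeats it verbatim for the tls3 region; moving this paragraph into the include file alongside the partner text would leave one copy of the extraction command to maintain, which is the kind of drift the commit is fixing.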
@@ -289,15 +312,23 @@ Configure OIDC Auth Applications
 
 ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
 
-If you will use the Local |LDAP| server, create the secret
-``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
-Local |LDAP|'s certificate using the command below. This |CA|'s
-certificate, presented below as file ``local-ldap-ca-cert.crt``, can
-be extracted from the controller where the Local |LDAP| server is
-running (the SystemController in DC environments) using the command
-`kubectl get secret system-local-ca -n cert-manager
--o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
-local-ldap-ca-cert.crt`.
+.. only:: starlingx
+
+If you will use the Local |LDAP| server, create the secret
+``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
+Local |LDAP|'s certificate using the command below. This |CA|'s
+certificate, presented below as file ``local-ldap-ca-cert.crt``, can
+be extracted from the controller where the Local |LDAP| server is
+running (the SystemController in DC environments) using the command
+`kubectl get secret system-local-ca -n cert-manager
+-o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
+local-ldap-ca-cert.crt`.
+
+.. only:: partner
+
+.. include:: /_includes/configure-oidc-auth-applications.rest
+:start-after: configure-oidc-tls3-begin
+:end-before: configure-oidc-tls3-end
 
 .. code-block:: none
 
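Review bot: this hunk is the tls3 counterpart of the previous one and carries the identical inline `{.data.ca\\.crt}` extraction; whichever key the earlier hunks settle on, change both so the Local |LDAP| CA extraction and the Dex CA extraction do not diverge again. Please also confirm that the `:start-after:` and `:end-before:` options and the `.. only::` bodies keep their indentation in the source file: the rendered diff does not show leading whitespace, and an option line that is not indented under its `.. include::` directive is rendered as literal text rather than applied.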