Platform Application Components updates oidc-dex

Story: 2009838
Task: 45597

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Ia3a0e3e5308221bc8ad1c66cdbb6b1a6046fc32b
This commit is contained in:
Elisamara Aoki Goncalves 2022-06-10 12:36:29 -03:00
parent 72b67d3d14
commit b20a6233f2
2 changed files with 192 additions and 31 deletions

@ -53,7 +53,7 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ cat <<EOF > oidc-auth-apps-certificate.yaml
---
apiVersion: cert-manager.io/v1alpha2
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: oidc-auth-apps-certificate
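Review bot: the `apiVersion` bump from `cert-manager.io/v1alpha2` to `cert-manager.io/v1` in this hunk raises the minimum cert-manager version the page assumes, since the `v1alpha2` API was removed from cert-manager's CRDs in the 1.6 release; the prerequisites for this procedure should state the cert-manager version (or at least "a version that serves `cert-manager.io/v1`") so a reader on an older deployment understands why `kubectl apply` of this manifest is rejected. The rest of the Certificate spec is unchanged, which is correct for the `v1` schema.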
@ -132,23 +132,19 @@ Configure OIDC Auth Applications
.. code-block:: none
certs:
web:
secret:
tlsName: oidc-auth-apps-certificate
caName: oidc-auth-apps-certificate
grpc:
secret:
serverTlsName: oidc-auth-apps-certificate
clientTlsName: oidc-auth-apps-certificate
caName: oidc-auth-apps-certificate
extraVolumes:
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: wad-ca-cert
extraVolumeMounts:
- name: certdir
mountPath: /etc/ssl/certs/adcert
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
#. Apply the overrides configuration.
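Review bot: dropping the `certs:` block (`web.secret.tlsName`/`caName`, `grpc.secret.*`) in favour of plain `volumes`/`volumeMounts` means the chart no longer wires TLS for dex by itself; the server certificate is now only picked up if `config.web.tlsCert` and `config.web.tlsKey` point into the `/etc/dex/tls` mount, which this hunk does not show. Suggest adding a sentence (or the two `tlsCert`/`tlsKey` lines) to this snippet so the cert-manager variant is complete on its own rather than relying on the default overrides listed at the end of the page. Minor: `defaultMode: 420` is the decimal form of `0644`; writing `defaultMode: 0644` or adding a comment avoids readers mistaking it for an arbitrary value.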
@ -194,6 +190,24 @@ Configure OIDC Auth Applications
#. Use certificates generated and signed by an external |CA|.
Although it is recommended to use cert-manager to manage certificates, as
described above in item "Create certificates using cert-manager
(recommended)", one can instead use certificates generated by an external
|CA|.
For backwards compatibility reasons, the default helm chart overrides of
dex, oidc-client and secret-observer in ``oidc-auth-apps`` application
are set for this example of using externally generated certificates. The
default override values of helm charts in ``oidc-auth-apps`` application
include the use of kubernetes secrets named ``local-dex.tls``, and
``dex-client-secret`` for declaring the dex server certificate and the
|CA| which signed it, respectively. These secrets are created in this
example.
In addition, one can indicate the |WAD| certificate for an ldap server
that has https enabled by using the secret ``wad-ca-cert`` as in this
example.
.. rubric:: |prereq|
- You must have a |CA| signed certificate (``dex-cert.pem`` file), and
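Review bot: wording and consistency in the new paragraphs: "overrides of dex, oidc-client and secret-observer in ``oidc-auth-apps`` application" needs "in the ``oidc-auth-apps`` application" (twice), "kubernetes secrets" should be "Kubernetes secrets", and "an ldap server that has https enabled" should use the page's own substitutions and terminology, e.g. "an |LDAP| server with |TLS| enabled (LDAPS)", matching the "HTTPS (LDAPS)" phrasing used later in the connector section. It would also help to say explicitly that `dex-client-secret` holds the |CA| certificate (the file later referenced as `dex-ca.pem`) and `local-dex.tls` holds the server certificate and key, since the "respectively" sentence is easy to misread.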
@ -268,18 +282,25 @@ Configure OIDC Auth Applications
The dex-overrides.yaml file contains the desired dex helm chart overrides
(that is, the |LDAP| connector configuration for the Active Directory
service, optional token expiry, and so on), and volume mounts for
providing access to the ``wadcert`` secret, described in this section.
providing access to the ``wad-ca-cert`` secret, described in this section.
For the complete list of dex helm chart values supported, see `Dex Helm
Chart Values
<https://github.com/helm/charts/blob/92b6289ae93816717a8453cfe62bad51cbdb
8ad0/stable/dex/values.yaml>`__. For the complete list of parameters of the
dex |LDAP| connector configuration, see `Authentication Through LDAP
<https://github.com/dexidp/helm-charts/blob/dex-0.8.2/charts/dex/values.yaml>`__.
For the complete list of parameters of the dex |LDAP| connector
configuration, see `Authentication Through LDAP
<https://dexidp.io/docs/connectors/ldap/>`__.
The overall Dex documentation is available on `dexidp.io
<https://dexidp.io/docs/>`__. The configuration of dex server version
v2.31.1 is described on github
(https://github.com/dexidp/dex/blob/v2.31.1/config.yaml.dist) with example
``config.dev.yaml``
(https://github.com/dexidp/dex/blob/v2.31.1/config.dev.yaml).
The example below configures a token expiry of ten hours, a single |LDAP|
connector to an Active Directory service using HTTPS \(LDAPS\) using the
``wadcert`` secret configured in this section, the required Active
``wad-ca-cert`` secret configured in this section, the required Active
Directory service login information \(that is, bindDN, and bindPW\), and
example :command:`userSearch`, and :command:`groupSearch` clauses.
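Review bot: the example overrides carry the Active Directory `bindDN`/`bindPW`, so `dex-overrides.yaml` (and the resulting helm override stored by the platform) contains a service account password; the text should say so and recommend a dedicated read-only bind account with the narrowest search base that `userSearch`/`groupSearch` need, plus restrictive file permissions on the overrides file on the controller. Style: "github" should be "GitHub", and the Oxford commas in "bindDN, and bindPW" and ":command:`userSearch`, and :command:`groupSearch`" should go. The updated links correctly pin chart `dex-0.8.2` and dex `v2.31.1`, which match the `tag: v2.31.1` in the default overrides; note in the text that these must be bumped together.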
@ -350,13 +371,19 @@ Configure OIDC Auth Applications
userAttr: DN
groupAttr: member
nameAttr: cn
extraVolumes:
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: wad-ca-cert
extraVolumeMounts:
- name: certdir
mountPath: /etc/ssl/certs/adcert
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
.. end-connector-config
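Review bot: this `volumeMounts`/`volumes` block is a verbatim copy of the one in the cert-manager section above, and both must change whenever the chart's volume handling changes again (as this commit shows). Since the file already uses `.. end-connector-config` markers, consider keeping the block in one place and pulling it in with `literalinclude`/`start-after`/`end-before`, or at least noting in the text that the two snippets are meant to be identical. Minor: the mount path is written `/etc/dex/tls` here and `/etc/dex/tls/` in the default overrides; harmless, but worth normalising.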
@ -403,3 +430,137 @@ Configure OIDC Auth Applications
.. code-block:: none
~(keystone_admin)]$ system application-apply oidc-auth-apps
Default helm overrides for oidc-auth-apps application
=====================================================
For backwards compatibility reasons, the default helm overrides for dex helm
are:
.. note::
It is NOT recommended to use these; it is recommended to create
certificates using ``cert-manager`` and explicitly refer to the resulting
certificate secrets in user-specified helm overrides, as described on the
procedure above.
.. code-block:: none
image:
repository: ghcr.io/dexidp/dex
pullPolicy: IfNotPresent
tag: v2.31.1
imagePullSecrets:
- name: default-registry-key
env:
name: KUBERNETES_POD_NAMESPACE
value: kube-system
config:
issuer: https://<OAM_IP>:30556/dex
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
secret: St8rlingX
redirectURIs:
- https://<OAM_IP>:30555/callback
enablePasswordDB: false
web:
tlsCert: /etc/dex/tls/tls.crt
tlsKey: /etc/dex/tls/tls.key
storage:
type: kubernetes
config:
inCluster: true
oauth2:
skipApprovalScreen: true
logger:
level: debug
service:
type: NodePort
ports:
https:
nodePort: 30556
https:
enabled: true
grpc:
enabled: false
nodeSelector:
node-role.kubernetes.io/master: ""
volumeMounts:
- mountPath: /etc/dex/tls/
name: https-tls
volumes:
- name: https-tls
secret:
defaultMode: 420
secretName: local-dex.tls
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- dex
topologyKey: kubernetes.io/hostname
The default helm overrides for oidc-client are:
.. code-block:: none
config:
client_id: stx-oidc-client-app
client_secret: St8rlingX
issuer: https://<OAM_IP>:30556/dex
issuer_root_ca: /home/dex-ca.pem
listen: https://0.0.0.0:5555
redirect_uri: https://<OAM_IP>:30555/callback
tlsCert: /etc/dex/tls/https/server/tls.crt
tlsKey: /etc/dex/tls/https/server/tls.key
nodeSelector:
node-role.kubernetes.io/master: ""
service:
type: NodePort
port: 5555
nodePort: 30555
replicas: <replicate count>
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- stx-oidc-client
topologyKey: kubernetes.io/hostname
helmv3Compatible: true
The default helm overrides for secret-observer are:
.. code-block:: none
namespace: "kube-system"
observedSecrets:
- secretName: "dex-client-secret"
filename: "dex-ca.pem"
deploymentToRestart: "stx-oidc-client"
- secretName: "local-dex.tls"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "local-dex.tls"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
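Review bot: the `.. note::` above says these defaults are "NOT recommended" but does not say why; the most important reason is visible in the hunk itself: `staticClients[0].secret` and `oidc-client.config.client_secret` are the published value `St8rlingX`, so any deployment that keeps the defaults has a publicly known OAuth2 client secret. The note should state that the client secret must be overridden with a locally generated value, and that `logger.level: debug` and `oauth2.skipApprovalScreen: true` are development-oriented settings to revisit for production. Smaller points: `replicas: <replicate count>` should read `<replica count>`, and the `secret-observer` list restarts `stx-oidc-client` for `local-dex.tls` once and `oidc-dex` once, which is correct but would be clearer with a one-line explanation of why both deployments watch the same secret.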

@ -43,14 +43,14 @@ certificates.
~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
---
apiVersion: cert-manager.io/v1alpha2
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: system-selfsigning
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: system-local-ca
@ -68,7 +68,7 @@ certificates.
name: system-selfsigning
kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1alpha2
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: system-local-ca
@ -78,7 +78,8 @@ certificates.
EOF
For more information on supported parameters, see
https://cert-manager.io/v0.14-docs/reference/api-docs/#acme.cert-manager.io%2fv1alpha2
`https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1
<https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1>`__.
#. Apply the configuration.
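Review bot: the replacement link wraps the URL in `` `url <url>`__ `` with the URL repeated as the link text; in reStructuredText a bare `https://...` is auto-linked, so either keep the bare URL or give it descriptive text such as `` `cert-manager API reference <https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1>`__ ``. Also confirm the anchor: the removed link encoded the slash as `%2f`, the new one uses a literal `/`; the page's anchors are of the form `#cert-manager.io/v1`, so the literal form is the one that resolves.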
@ -122,7 +123,7 @@ certificates.
#. Copy the |PEM| encoded certificate and key from the externally generated
|CA| to the controller host.
#. Create a |TLS| secret in cert-manager namespace with the certificate/Key
#. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
files:
.. code-block:: none
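Review bot: "certificate/Key files" in the changed line should be "certificate and key files" (lower-case, no slash) to match the wording of the preceding step; while touching the line, "in ``cert-manager`` namespace" reads better as "in the ``cert-manager`` namespace".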
@ -135,14 +136,13 @@ certificates.
~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
---
apiVersion: cert-manager.io/v1alpha2
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: system-local-ca
spec:
ca:
secretName: system-local-ca
EOF
#. Apply the configuration.