From b20a6233f2f9407addfff56f7f373d3e2d77eed3 Mon Sep 17 00:00:00 2001 From: Elisamara Aoki Goncalves Date: Fri, 10 Jun 2022 12:36:29 -0300 Subject: [PATCH] Platform Application Components updates oidc-dex Story: 2009838 Task: 45597 Signed-off-by: Elisamara Aoki Goncalves Change-Id: Ia3a0e3e5308221bc8ad1c66cdbb6b1a6046fc32b --- .../configure-oidc-auth-applications.rst | 209 ++++++++++++++++-- ...the-web-admin-server-cert-9196c5794834.rst | 14 +- 2 files changed, 192 insertions(+), 31 deletions(-) diff --git a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst index fdc122095..f5ba77ed4 100644 --- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst +++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst @@ -53,7 +53,7 @@ Configure OIDC Auth Applications ~(keystone_admin)]$ cat < oidc-auth-apps-certificate.yaml --- - apiVersion: cert-manager.io/v1alpha2 + apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: oidc-auth-apps-certificate @@ -132,23 +132,19 @@ Configure OIDC Auth Applications .. code-block:: none - certs: - web: - secret: - tlsName: oidc-auth-apps-certificate - caName: oidc-auth-apps-certificate - grpc: - secret: - serverTlsName: oidc-auth-apps-certificate - clientTlsName: oidc-auth-apps-certificate - caName: oidc-auth-apps-certificate - extraVolumes: + volumeMounts: + - mountPath: /etc/ssl/certs/adcert + name: certdir + - mountPath: /etc/dex/tls + name: https-tls + volumes: - name: certdir secret: secretName: wad-ca-cert - extraVolumeMounts: - - name: certdir - mountPath: /etc/ssl/certs/adcert + - name: https-tls + secret: + defaultMode: 420 + secretName: oidc-auth-apps-certificate #. Apply the overrides configuration. 
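Review bot: `defaultMode: 420` on the new `https-tls` volume is given without explanation; it is the decimal form of octal 0644, so every file in the mounted `oidc-auth-apps-certificate` secret is readable by any user inside the dex container. A cert-manager Certificate secret holds the private key (`tls.key`) next to `tls.crt`, so the example should at least say what the number means, for instance with a sentence after the code block: `` ``defaultMode: 420`` is decimal for octal ``0644`` (owner read/write, group and others read). ``. The same stanza is repeated in the `dex-overrides.yaml` example (hunk at -350,13) and, with `local-dex.tls`, in the default overrides section (hunk at -403,3). Whether a tighter mode such as 0440 can be recommended depends on the user and fsGroup the dex pod runs with, which this diff does not show.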
@@ -194,6 +190,24 @@ Configure OIDC Auth Applications #. Use certificates generated and signed by an external |CA|. + Although it is recommended to use cert-manager to manage certificates, as + described above in item "Create certificates using cert-manager + (recommended)", one can instead use certificates generated by an external + |CA|. + + For backwards compatibility reasons, the default helm chart overrides of + dex, oidc-client and secret-observer in ``oidc-auth-apps`` application + are set for this example of using externally generated certificates. The + default override values of helm charts in ``oidc-auth-apps`` application + include the use of kubernetes secrets named ``local-dex.tls``, and + ``dex-client-secret`` for declaring the dex server certificate and the + |CA| which signed it, respectively. These secrets are created in this + example. + + In addition, one can indicate the |WAD| certificate for an ldap server + that has https enabled by using the secret ``wad-ca-cert`` as in this + example. + .. rubric:: |prereq| - You must have a |CA| signed certificate (``dex-cert.pem`` file), and 
@@ -268,18 +282,25 @@ Configure OIDC Auth Applications The dex-overrides.yaml file contains the desired dex helm chart overrides (that is, the |LDAP| connector configuration for the Active Directory service, optional token expiry, and so on), and volume mounts for - providing access to the ``wadcert`` secret, described in this section. + providing access to the ``wad-ca-cert`` secret, described in this section. For the complete list of dex helm chart values supported, see `Dex Helm Chart Values - `__. For the complete list of parameters of the - dex |LDAP| connector configuration, see `Authentication Through LDAP + `__. + For the complete list of parameters of the dex |LDAP| connector + configuration, see `Authentication Through LDAP `__. + The overall Dex documentation is available on `dexidp.io + `__. The configuration of dex server version + v2.31.1 is described on github + (https://github.com/dexidp/dex/blob/v2.31.1/config.yaml.dist) with example + ``config.dev.yaml`` + (https://github.com/dexidp/dex/blob/v2.31.1/config.dev.yaml). + The example below configures a token expiry of ten hours, a single |LDAP| connector to an Active Directory service using HTTPS \(LDAPS\) using the - ``wadcert`` secret configured in this section, the required Active + ``wad-ca-cert`` secret configured in this section, the required Active Directory service login information \(that is, bindDN, and bindPW\), and example :command:`userSearch`, and :command:`groupSearch` clauses. @@ -350,13 +371,19 @@ Configure OIDC Auth Applications userAttr: DN groupAttr: member nameAttr: cn - extraVolumes: + volumeMounts: + - mountPath: /etc/ssl/certs/adcert + name: certdir + - mountPath: /etc/dex/tls + name: https-tls + volumes: - name: certdir secret: secretName: wad-ca-cert - extraVolumeMounts: - - name: certdir - mountPath: /etc/ssl/certs/adcert + - name: https-tls + secret: + defaultMode: 420 + secretName: oidc-auth-apps-certificate .. end-connector-config 
@@ -403,3 +430,137 @@ Configure OIDC Auth Applications .. code-block:: none ~(keystone_admin)]$ system application-apply oidc-auth-apps + +Default helm overrides for oidc-auth-apps application +===================================================== + +For backwards compatibility reasons, the default helm overrides for dex helm +are: + +.. note:: + + It is NOT recommended to use these; it is recommended to create + certificates using ``cert-manager`` and explicitly refer to the resulting + certificate secrets in user-specified helm overrides, as described on the + procedure above. + +.. code-block:: none + + image: + repository: ghcr.io/dexidp/dex + pullPolicy: IfNotPresent + tag: v2.31.1 + imagePullSecrets: + - name: default-registry-key + env: + name: KUBERNETES_POD_NAMESPACE + value: kube-system + config: + issuer: https://:30556/dex + staticClients: + - id: stx-oidc-client-app + name: STX OIDC Client app + secret: St8rlingX + redirectURIs: + - https://:30555/callback + enablePasswordDB: false + web: + tlsCert: /etc/dex/tls/tls.crt + tlsKey: /etc/dex/tls/tls.key + storage: + type: kubernetes + config: + inCluster: true + oauth2: + skipApprovalScreen: true + logger: + level: debug + service: + type: NodePort + ports: + https: + nodePort: 30556 + https: + enabled: true + grpc: + enabled: false + nodeSelector: + node-role.kubernetes.io/master: "" + volumeMounts: + - mountPath: /etc/dex/tls/ + name: https-tls + volumes: + - name: https-tls + secret: + defaultMode: 420 + secretName: local-dex.tls + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - dex + topologyKey: kubernetes.io/hostname + +The default helm overrides for oidc-client are: + +.. 
code-block:: none + + config: + client_id: stx-oidc-client-app + client_secret: St8rlingX + issuer: https://:30556/dex + issuer_root_ca: /home/dex-ca.pem + listen: https://0.0.0.0:5555 + redirect_uri: https://:30555/callback + tlsCert: /etc/dex/tls/https/server/tls.crt + tlsKey: /etc/dex/tls/https/server/tls.key + nodeSelector: + node-role.kubernetes.io/master: "" + service: + type: NodePort + port: 5555 + nodePort: 30555 + replicas: + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - stx-oidc-client + topologyKey: kubernetes.io/hostname + helmv3Compatible: true + +The default helm overrides for secret-observer are: + +.. code-block:: none + + namespace: "kube-system" + observedSecrets: + - secretName: "dex-client-secret" + filename: "dex-ca.pem" + deploymentToRestart: "stx-oidc-client" + - secretName: "local-dex.tls" + filename: "tls.crt" + deploymentToRestart: "stx-oidc-client" + - secretName: "local-dex.tls" + filename: "tls.crt" + deploymentToRestart: "oidc-dex" + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" diff --git a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst index 419e88bbf..ac6c10fc8 100644 --- a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst +++ b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst 
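Review bot: The new default-overrides section prints a fixed static client secret, `secret: St8rlingX` for dex and the matching `client_secret: St8rlingX` for oidc-client, but the `.. note::` above the first block warns only about certificates. The value is the same on every installation that keeps these defaults, so it gives the OIDC client no real confidentiality. I would extend the note with a sentence such as `The default client secret shown below is a published value; set a unique secret in both the dex (staticClients) and oidc-client (client_secret) overrides.` The dex defaults also carry `logger: level: debug`; it is worth confirming that this is intended outside troubleshooting, because debug logging on an identity service may record more about login requests than operators expect.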
@@ -43,14 +43,14 @@ certificates. ~(keystone_admin)]$ cat < cluster-issuer.yaml --- - apiVersion: cert-manager.io/v1alpha2 + apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: system-selfsigning spec: selfSigned: {} --- - apiVersion: cert-manager.io/v1alpha2 + apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: system-local-ca @@ -68,7 +68,7 @@ certificates. name: system-selfsigning kind: ClusterIssuer --- - apiVersion: cert-manager.io/v1alpha2 + apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: system-local-ca @@ -78,7 +78,8 @@ certificates. EOF For more information on supported parameters, see - https://cert-manager.io/v0.14-docs/reference/api-docs/#acme.cert-manager.io%2fv1alpha2 + `https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1 + `__. #. Apply the configuration. @@ -122,7 +123,7 @@ certificates. #. Copy the |PEM| encoded certificate and key from the externally generated |CA| to the controller host. -#. Create a |TLS| secret in ‘cert-manager’ namespace with the certificate/Key +#. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key files: .. code-block:: none @@ -135,14 +136,13 @@ certificates. ~(keystone_admin)]$ cat < cluster-issuer.yaml --- - apiVersion: cert-manager.io/v1alpha2 + apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: system-local-ca spec: ca: secretName: system-local-ca - EOF #. Apply the configuration.