docs/doc/source/security/kubernetes/obtain-the-authentication-token-using-the-oidc-auth-shell-script.rst
Joao Victor Portal daa431e385 Updated OIDC app docs
This commit does 2 changes in the OIDC app docs:

1) The docs were updated to be explicit about the OIDC app being
   compatible with LDAP servers and not only with the Windows Active
   Directory;
2) The page "Centralized OIDC Authentication Setup for Distributed
   Cloud" was renamed to "Centralized vs Distributed OIDC Authentication
   Setup" and was moved in the index of pages to be right below the
   first page "Overview of LDAP Servers". The idea is to use this page
   as an entry point for someone learning about the OIDC app, because
   every user must decide between a centralized and a distributed setup
   and because this page has links to all other pages except
   "Deprovision LDAP Server Authentication".

Story: 2010738
Task: 49455

Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
2024-01-29 19:14:14 -03:00


Obtain the Authentication Token Using the oidc-auth Shell Script

You can obtain the authentication token using the oidc-auth shell script.

You can use the oidc-auth script both locally on the active controller, as well as on a remote workstation where you are running kubectl and helm commands.

The oidc-auth script retrieves the ID token from Windows Active Directory or server using the client, and dex, and updates the Kubernetes credential for the user in the kubectl config file.

  • On controller-0, oidc-auth is installed as part of the base installation and is ready to use.
  • On remote hosts, oidc-auth must be installed from .
  • On a remote workstation using the remote-cli container, oidc-auth is installed within the remote-cli container and is ready to use. For more information on configuring remote CLI access, see Configure Remote CLI Access.
  • On a remote host, when using directly installed kubectl and helm, the following setup is required:
    • Install the "Python Mechanize" module using the following command:

      sudo pip2 install mechanize

Note

The oidc-auth script supports authenticating with an oidc-auth-apps deployment configured with a single LDAP connector or with multiple LDAP connectors.

  1. Run the oidc-auth script to authenticate and update the user credentials in the kubectl config file with the retrieved token.

    • If oidc-auth-apps is deployed with a single backend LDAP connector, run the following command:

      ~(keystone_admin)]$ oidc-auth -c <ip> -u <username>

      For example:

      ~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
      Password:
      Login succeeded.
      Updating kubectl config ...
      User testuser set.

    • If oidc-auth-apps is deployed with multiple backend LDAP connectors, run the following command, passing the connector to authenticate against with -b:

      ~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>

    Note

    If you are running oidc-auth within the containerized remote CLI, you must use the -p <password> option to run the command non-interactively.

    When the parameter -c <ip> is omitted, the hostname oamcontroller is used. This parameter can be omitted when oidc-auth is executed on the active controller and oidc-auth-apps is running on that controller.

    When the parameter -u <username> is omitted, the Linux username of the currently logged-in user is used.
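After oidc-auth reports "User <username> set.", an operator usually wants to confirm which identity was stored and how long the credential remains valid. The helpers below are an added example, not part of these docs or of the oidc-auth script: they read the token back out of the kubectl config and report its subject, issuer and remaining lifetime. They assume the script stores the raw ID token in the user entry's token field (as kubectl config set-credentials --token does) and that the token is a dex-issued JWT; the sample token, its issuer URL and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example; assumes oidc-auth wrote the ID token to users[].user.token.

# base64url-encode stdin (URL-safe alphabet, padding stripped).
b64url_enc() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# base64url-decode $1: restore the standard alphabet and the '=' padding.
b64url_dec() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print claim $2 from the payload of JWT $1. No signature check: this only
# inspects a token you already hold locally, it does not validate it.
jwt_claim() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_dec "$payload" |
        sed -n 's/.*"'"$2"'":[[:space:]]*"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# Seconds until JWT $1 expires (negative once expired); $2 overrides "now".
jwt_seconds_left() {
    exp=$(jwt_claim "$1" exp)
    now=${2:-$(date +%s)}
    echo $(( exp - now ))
}

# Token stored for kubeconfig user $1 (assumed field: .user.token).
kubeconfig_token() {
    kubectl config view --raw -o jsonpath="{.users[?(@.name==\"$1\")].user.token}"
}

# Report subject, issuer and remaining validity for user $1; fails if expired.
token_status() {
    tok=$(kubeconfig_token "$1") || return 1
    [ -n "$tok" ] || { echo "no token stored for user $1" >&2; return 1; }
    left=$(jwt_seconds_left "$tok")
    echo "user=$1 sub=$(jwt_claim "$tok" sub) iss=$(jwt_claim "$tok" iss) expires_in=${left}s"
    [ "$left" -gt 0 ]
}

# Constructed sample token for offline testing (issuer and signature are fake).
sample_token() {
    hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_enc)
    pay=$(printf '%s' '{"iss":"https://dex.example.invalid","sub":"testuser","exp":1700003600}' | b64url_enc)
    printf '%s.%s.%s' "$hdr" "$pay" "placeholder-signature"
}
```

Run token_status testuser after a successful oidc-auth run; a non-zero exit means no token is stored or it has already expired and oidc-auth needs to be run again.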