starlingx/docs
Code Issues Proposed changes
Files
0aadbc62130b8b457ad2bb9731ee60f745d720b5
docs/doc/source/security/kubernetes/obtain-the-authentication-token-using-the-oidc-auth-shell-script.rst
Joao Victor Portal daa431e385 Updated OIDC app docs 
This commit does 2 changes in the OIDC app docs:

1) The docs were updated to be explicit about the OIDC app being
   compatible with LDAP servers and not only with the Windows Active
   Directory;
2) The page "Centralized OIDC Authentication Setup for Distributed
   Cloud" was renamed to "Centralized vs Distributed OIDC Authentication
   Setup" and was moved in the index of pages to be right below the
   first page "Overview of LDAP Servers". The idea is to use this page
   as a entry point for someone learning about the OIDC app, because
   every user must decide between a centralized and a distributed setup
   and because this page has links to all other pages except
   "Deprovision LDAP Server Authentication".

Story: 2010738
Task: 49455

Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
2024-01-29 19:14:14 -03:00

96 lines
3.2 KiB
ReStructuredText
Raw Blame History

.. lrf1583447064969
.. _obtain-the-authentication-token-using-the-oidc-auth-shell-script:
================================================================
Obtain the Authentication Token Using the oidc-auth Shell Script
================================================================
You can obtain the authentication token using the **oidc-auth** shell script.
.. rubric:: |context|
You can use the **oidc-auth** script both locally on the active controller,
as well as on a remote workstation where you are running **kubectl** and
**helm** commands.
The **oidc-auth** script retrieves the ID token from Windows Active
Directory or |LDAP| server using the |OIDC| client, and **dex**, and updates the
Kubernetes credential for the user in the **kubectl** config file.
.. _obtain-the-authentication-token-using-the-oidc-auth-shell-script-ul-kxm-qnf-ykb:
- On controller-0, **oidc-auth** is installed as part of the base |prod|
installation, and ready to use.
- On remote hosts, **oidc-auth** must be installed from |dnload-loc|.
.. xbooklink
- On a remote workstation using remote-cli container, **oidc-auth** is
installed within the remote-cli container, and ready to use. For more
information on configuring remote CLI access, see |sysconf-doc|:
:ref:`Configure Remote CLI Access <configure-remote-cli-access>`.
- On a remote host, when using directly installed **kubectl** and **helm**,
the following setup is required:
- Install "Python Mechanize" module using the following command:
.. code-block:: none
sudo pip2 install mechanize
.. note::
**oidc-auth** script supports authenticating with a |prod|
**oidc-auth-apps** configured with single, or multiple **ldap**
connectors.
.. rubric:: |proc|
#. Run **oidc-auth** script in order to authenticate and update user
credentials in **kubectl** config file with the retrieved token.
- If **oidc-auth-apps** is deployed with a single backend **ldap**
connector, run the following command:
.. code-block:: none
~(keystone_admin)]$ oidc-auth -c <ip> -u <username>
For example,
.. code-block:: none
~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
Password:
Login succeeded.
Updating kubectl config ...
User testuser set.
- If **oidc-auth-apps** is deployed with multiple backend **ldap**
connectors, run the following command:
.. code-block:: none
~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>
.. note::
If you are running **oidc-auth** within the |prod| containerized remote
CLI, you must use the ``-p <password>`` option to run the command
non-interactively.
When the parameter ``-c <ip>`` is ommitted, the hostname
**oamcontroller** is used. This parameter can be ommitted when
**oidc-auth** is executed inside a |prod| active controller and the
**oidc-auth-apps** is running in this controller.
When the parameter ``-u <username>`` is ommitted, the Linux username of
the current logged in user is used.
View Git Blame Copy Permalink