starlingx/docs
Code Issues Proposed changes
d95c80d36f
docs/doc/source/security/kubernetes/obtain-the-authentication-token-using-the-oidc-auth-shell-script.rst
Rafael Jardim d95c80d36f Update Security 
Fixed merge conflict (RS)

Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com>
Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2021-04-01 16:02:36 -04:00

2.7 KiB
Raw Blame History

Obtain the Authentication Token Using the oidc-auth Shell Script

You can obtain the authentication token using the oidc-auth shell script.

You can use the oidc-auth script both locally on the active controller, as well as on a remote workstation where you are running kubectl and helm commands.

The oidc-auth script retrieves the ID token from Windows Active Directory using the client, and dex, and updates the Kubernetes credential for the user in the kubectl config file.

  • On controller-0, oidc-auth is installed as part of the base installation, and ready to use.
  • On a remote workstation using remote-cli container, oidc-auth is

    installed within the remote-cli container, and ready to use. For more information on configuring remote CLI access, see : Configure Remote CLI Access <configure-remote-cli-access>.

  • On a remote host, when using directly installed kubectl and helm, the following setup is required:

    • Install "Python Mechanize" module using the following command:

      # sudo pip2 install mechanize

    • Get the oidc-auth script from WindShare.

Note

oidc-auth script supports authenticating with a oidc-auth-apps configured with single, or multiple ldap connectors.

  1. Run oidc-auth script in order to authenticate and update user credentials in kubectl config file with the retrieved token.

    • If oidc-auth-apps is deployed with a single backend ldap connector, run the following command:

      ~(keystone_admin)]$ oidc-auth -c <ip> -u <username>

      For example,

      ~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
Password:
Login succeeded.
Updating kubectl config ...
User testuser set.

    • If oidc-auth-apps is deployed with multiple backend ldap connectors, run the following command:

      ~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>

    Note

    If you are running oidc-auth within the containerized remote CLI, you must use the -p <password> option to run the command non-interactively.