StarlingX OIDC Authentication App
Joaci Morais b78a185adc Fixes cert issue on oidc-auth command
When the user tries to authenticate using the oidc-auth command
externally, the oidc-auth script wasn't able to verify the local
issuer certificate, as follows:

user@external-machine$ oidc-auth -c <oam_ip> -u user2 -p <password>
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable
to get local issuer certificate

When the StarlingX system has HTTPS certificate enabled, one of the
steps to configure the Remote CLIs and Clients Container is to
provide the CA certificate which the oidc-auth script should use to
verify the requests during the authentication procedure. The
environment variable OS_CACERT will hold the CA certificate file name.
Refer to the guide:
https://docs.starlingx.io/security/openstack/configure-remote-clis-and-clients.html
for more information.

The fix basically lets the oidc-auth script know which
certificate should be used during the authentication procedure. By
default, the oidc-auth script will now use the certificate file
provided in the OS_CACERT environment variable.

Additionally, an option was created for the users to specify a cacert
file when using the oidc-auth command.

Test Plan:
PASS: Deploy a SX and configure the oidc-auth-apps.
PASS: Create an ldap user and configure the user roles.
PASS: Try to authenticate locally using oidc-auth; it should
succeed.
PASS: Configure the Remote CLIs in your remote workstation in
order to get access to the oidc-auth command; refer to the guide: Configure
Container-backed Remote CLIs and Clients.
PASS: Authenticate from your remote workstation with the
oidc-auth command:
oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password>
The command should now succeed.
PASS: Optional, authenticate from your remote workstation with the
oidc-auth command specifying a cacert file:
oidc-auth -c <oam_ip> -u <ldap_user> -p <ldap_user_password>
-ca <path to ca-certificate file>

Closes-Bug: 2086731

Change-Id: Ia8f37b44f846207a13b8b4983cc3ed0614d97a93
Signed-off-by: Joaci Morais <Joaci.deMorais@windriver.com>
2024-11-06 14:59:38 -03:00
helm-charts Liveness tweak to avoid overload on cpu 2024-08-20 10:38:26 -03:00
oidc-auth-tools Fixes cert issue on oidc-auth command 2024-11-06 14:59:38 -03:00
python3-k8sapp-oidc Fix Tox test of dex and oidc client 2024-10-04 21:58:31 +00:00
stx-oidc-auth-helm Rename Helm repository to avoid naming collision 2024-10-10 16:09:16 -03:00
stx-oidc-client/debian reduce size of stx-oidc-client image 2022-10-03 17:35:36 -04:00
.gitignore Update app Zuul Check Jobs. 2023-12-18 09:08:54 -07:00
.gitreview Added .gitreview 2019-12-06 17:46:31 +00:00
.zuul.yaml Correct trigger for metadata job in .zuul.yaml 2024-02-06 09:44:27 -07:00
bindep.txt Add python3.9 support 2021-09-09 10:48:57 -04:00
debian_build_layer.cfg Add debian_build_layer.cfg file 2021-10-05 14:10:36 -04:00
debian_iso_image.inc oidc-auth-armada-app: update debian_iso_image.inc 2022-11-22 14:16:12 +08:00
debian_pkg_dirs Auto-increment chart versions 2024-03-05 13:45:03 -07:00
debian_stable_docker_images.inc move oidc-client docker image to Debian 2022-09-29 13:31:18 +00:00
requirements.txt Add Dex as a platform managed application 2020-01-07 14:13:34 -05:00
test-requirements.txt Update app Zuul Check Jobs. 2023-12-18 09:08:54 -07:00
tox.ini Update app Zuul Check Jobs. 2023-12-18 09:08:54 -07:00