diff --git a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst index 53c904f39..1507fa405 100644 --- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst +++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst 
@@ -114,44 +114,22 @@ Configure OIDC Auth Applications Server Certificate and the |OIDC| Client and Identity Trusted |CA| certificate. - .. only:: starlingx + Configure the certificate of the root |CA| that signed the |OIDC| client + and identity provider's server certificate. In this example, it will be + the ``ca.crt`` of the ``oidc-auth-apps-certificate`` (ClusterIssuer). - Create a secret with the certificate of the root |CA| that signed - the |OIDC| client and identity provider's server certificate. In - this example, it will be the ``ca.crt`` of the ``system-local-ca`` - (ClusterIssuer). + .. code-block:: none - .. only:: partner + ~(keystone_admin)]$ cat < stx-oidc-client.yaml + tlsName: oidc-auth-apps-certificate + config: + # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore + # issuer_root_ca: /home/ + issuer_root_ca: /home/ca.crt + issuer_root_ca_secret: oidc-auth-apps-certificate + EOF - .. include:: /_includes/configure-oidc-auth-applications.rest - :start-after: configure-oidc-begin - :end-before: configure-oidc-end - - .. only:: starlingx - - .. code-block:: none - - ~(keystone_admin)]$ mkdir /home/sysadmin/ssl - ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt - - ~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system - - ~(keystone_admin)]$ cat < stx-oidc-client.yaml - tlsName: oidc-auth-apps-certificate - config: - # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore - # issuer_root_ca: /home/ - issuer_root_ca: /home/dex-ca-cert.crt - issuer_root_ca_secret: dex-ca-cert - EOF - - ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml - - .. only:: partner - - .. 
include:: /_includes/configure-oidc-auth-applications.rest - :start-after: configure-oidc-tls1-begin - :end-before: configure-oidc-tls1-end + ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml #. Create a secret with the certificate of the |CA| that signed the certificate of the Identity Providers (IdPs) that you will be using. @@ -164,30 +142,12 @@ Configure OIDC Auth Applications ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system - .. only:: starlingx + If you will use the Local |LDAP| server, use the Root |CA| data from + ``oidc-auth-apps-certificate``, since it is the same Root |CA| that + signs the Local |LDAP| certificate (``system-local-ca``). - If you will use the Local |LDAP| server, create the secret - ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the - Local |LDAP|'s certificate using the command below. This |CA|'s - certificate, presented below as file ``local-ldap-ca-cert.crt``, can - be extracted from the controller where the Local |LDAP| server is - running (the SystemController in DC environments) using the command - `kubectl get secret system-local-ca -n cert-manager - -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode > - local-ldap-ca-cert.crt`. - - .. only:: partner - - .. include:: /_includes/configure-oidc-auth-applications.rest - :start-after: configure-oidc-tls2-begin - :end-before: configure-oidc-tls2-end - - .. code-block:: none - - ~(keystone_admin)]$ kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system - - The secrets ``wad-ca-cert`` and/or ``local-ldap-ca-cert`` will be used - later in the application overrides. + The secrets ``wad-ca-cert`` and/or ``oidc-auth-apps-certificate`` will + be used later in the application overrides. #. Configure the secret observer to track changes. 
@@ -204,19 +164,19 @@ Configure OIDC Auth Applications .. code-block:: none - ~(keystone_admin)]$ cat < secret-observer-overrides.yaml - cronSchedule: "*/15 * * * *" - observedSecrets: - - secretName: "dex-ca-cert" - filename: "dex-ca-cert.crt" - deploymentToRestart: "stx-oidc-client" - - secretName: "oidc-auth-apps-certificate" - filename: "tls.crt" - deploymentToRestart: "stx-oidc-client" - - secretName: "oidc-auth-apps-certificate" - filename: "tls.crt" - deploymentToRestart: "oidc-dex" - EOF + ~(keystone_admin)]$ cat < secret-observer-overrides.yaml + cronSchedule: "*/15 * * * *" + observedSecrets: + - secretName: "oidc-auth-apps-certificate" + filename: "ca.crt" + deploymentToRestart: "stx-oidc-client" + - secretName: "oidc-auth-apps-certificate" + filename: "tls.crt" + deploymentToRestart: "stx-oidc-client" + - secretName: "oidc-auth-apps-certificate" + filename: "tls.crt" + deploymentToRestart: "oidc-dex" + EOF Execute the following command to update the overrides: @@ -400,8 +360,6 @@ Configure OIDC Auth Applications For only a |WAD| server, the configuration is shown below. - .. begin-wad-connector-config - .. code-block:: none config: 
@@ -452,74 +410,127 @@ Configure OIDC Auth Applications defaultMode: 420 secretName: oidc-auth-apps-certificate - .. end-wad-connector-config For only the Local |LDAP| server, the configuration is shown below. The - value of ``bindPW`` can be retrieved through command `keyring get ldap - ldapadmin` executed in the controller where the Local |LDAP| server is - running. In DC environments, the MGMT floating IP address to be used is the - one from the SystemController. + value of bindPW can be retrieved through :command:`keyring get ldap ldapadmin` + command executed in the controller where the Local |LDAP| server + is running. In DC environments, the MGMT floating IP address to be used is + the one from the SystemController. - .. begin-local-ldap-connector-config + #. For the secret ``oidc-auth-apps-certificate`` created using cert-manager + (recommended): - .. code-block:: none + .. code-block:: none - config: - staticClients: - - id: stx-oidc-client-app - name: STX OIDC Client app - redirectURIs: ['https://:30555/callback'] - secret: BetterSecret - expiry: - idTokens: "10h" - connectors: - - type: ldap - name: LocalLDAP - id: localldap-1 + cat < dex-overrides.yaml config: - host: :636 - rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt - insecureNoSSL: false - insecureSkipVerify: false - bindDN: CN=ldapadmin,DC=cgcs,DC=local - bindPW: [] - usernamePrompt: Username - userSearch: - baseDN: ou=People,dc=cgcs,dc=local - filter: "(objectClass=posixAccount)" - username: uid - idAttr: DN - emailAttr: uid - nameAttr: gecos - groupSearch: - baseDN: ou=Group,dc=cgcs,dc=local - filter: "(objectClass=posixGroup)" - userMatchers: - - userAttr: uid - groupAttr: memberUid - nameAttr: cn - volumeMounts: - - mountPath: /etc/ssl/certs/adcert - name: certdir - - mountPath: /etc/dex/tls - name: https-tls - volumes: - - name: certdir - secret: - secretName: local-ldap-ca-cert - - name: https-tls - secret: - defaultMode: 420 - secretName: oidc-auth-apps-certificate + staticClients: + 
- id: stx-oidc-client-app + name: STX OIDC Client app + secret: St8rlingX + redirectURIs: + - https://:30555/callback + expiry: + idTokens: "10h" + connectors: + - type: ldap + name: LocalLDAP + id: localldap-1 + config: + host: :636 + rootCA: /etc/ssl/certs/adcert/ca.crt + insecureNoSSL: false + insecureSkipVerify: false + bindDN: CN=ldapadmin,DC=cgcs,DC=local + bindPW: [] + usernamePrompt: Username + userSearch: + baseDN: ou=People,dc=cgcs,dc=local + filter: "(objectClass=posixAccount)" + username: uid + idAttr: DN + emailAttr: uid + nameAttr: gecos + groupSearch: + baseDN: ou=Group,dc=cgcs,dc=local + filter: "(objectClass=posixGroup)" + userMatchers: + - userAttr: uid + groupAttr: memberUid + nameAttr: cn + volumeMounts: + - mountPath: /etc/ssl/certs/adcert + name: certdir + - mountPath: /etc/dex/tls + name: https-tls + volumes: + - name: certdir + secret: + secretName: oidc-auth-apps-certificate + - name: https-tls + secret: + defaultMode: 420 + secretName: oidc-auth-apps-certificate + + #. Use certificates generated and signed by an external |CA|. + + .. 
code-block:: none + + config: + staticClients: + - id: stx-oidc-client-app + name: STX OIDC Client app + secret: St8rlingX + redirectURIs: + - https://:30555/callback + expiry: + idTokens: "10h" + connectors: + - type: ldap + name: LocalLDAP + id: localldap-1 + config: + host: :636 + rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt + insecureNoSSL: false + insecureSkipVerify: false + bindDN: CN=ldapadmin,DC=cgcs,DC=local + bindPW: [] + usernamePrompt: Username + userSearch: + baseDN: ou=People,dc=cgcs,dc=local + filter: "(objectClass=posixAccount)" + username: uid + idAttr: DN + emailAttr: uid + nameAttr: gecos + groupSearch: + baseDN: ou=Group,dc=cgcs,dc=local + filter: "(objectClass=posixGroup)" + userMatchers: + - userAttr: uid + groupAttr: memberUid + nameAttr: cn + volumeMounts: + - mountPath: /etc/ssl/certs/adcert + name: certdir + - mountPath: /etc/dex/tls + name: https-tls + volumes: + - name: certdir + secret: + secretName: local-ldap-ca-cert + - name: https-tls + secret: + defaultMode: 420 + secretName: oidc-auth-apps-certificate - .. end-local-ldap-connector-config If both |WAD| and Local |LDAP| servers are used at same time, use the examples above with the connectors from |WAD| and Local |LDAP| in the same ``connectors`` list while the ``volumes`` to be used is the one written below. - .. begin-both-wad-and-local-ldap-volume-config .. code-block:: none @@ -536,7 +547,6 @@ Configure OIDC Auth Applications defaultMode: 420 secretName: oidc-auth-apps-certificate - .. end-both-wad-and-local-ldap-volume-config If more than one Windows Active Directory service is required for authenticating the different users of the |prod|, multiple ``ldap``
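Review bot: In the `@@ -114,44 +114,22 @@` hunk the new `stx-oidc-client.yaml` override keeps the comment `# The OIDC-client container mounts the dex-ca-cert secret at /home`, but the secret now referenced is `issuer_root_ca_secret: oidc-auth-apps-certificate`, so the comment is stale and should name `oidc-auth-apps-certificate`. Two further points on the same lines: `oidc-auth-apps-certificate` is the Dex server TLS secret (the secret-observer hunk below watches its `tls.crt`), so mounting the whole secret into the OIDC client container places the server private key where only `ca.crt` is needed; if the chart allows it, project only the `ca.crt` item, or keep the dedicated CA-only secret that this hunk removes. The step also assumes the secret carries a `ca.crt` key, which holds when cert-manager issues it from a CA issuer such as `system-local-ca`; say what to do when `oidc-auth-apps-certificate` holds an externally signed certificate, as the Dex section later in this patch does.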
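Review bot: The replacement paragraph in the `@@ -164,30 +142,12 @@` hunk drops the removed text's caveat that the Local LDAP CA must be taken from the controller where the Local LDAP server runs (the SystemController in DC environments). The new wording, "use the Root CA data from `oidc-auth-apps-certificate`, since it is the same Root CA that signs the Local LDAP certificate", only holds where `oidc-auth-apps-certificate` is issued by the same `system-local-ca` that signed the Local LDAP certificate; the Local LDAP connector text kept further down still tells DC users to point `host:` at the SystemController's MGMT floating IP, so state that on a subcloud, or with an externally signed `oidc-auth-apps-certificate`, the `local-ldap-ca-cert` secret is still required. The closing sentence "The secrets `wad-ca-cert` and/or `oidc-auth-apps-certificate` will be used later in the application overrides" is also incomplete, because the external-CA Dex example added later in this patch still mounts `secretName: local-ldap-ca-cert`.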
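Review bot: In the `@@ -204,19 +164,19 @@` hunk the `observedSecrets` list now has two entries for `deploymentToRestart: "stx-oidc-client"` that watch the same secret `oidc-auth-apps-certificate` (`filename: "ca.crt"` and `filename: "tls.crt"`); a renewal that rewrites both keys satisfies both entries in the same cron run and, depending on how the observer handles a deployment listed twice, can restart `stx-oidc-client` twice. Either drop the `ca.crt` entry, since the `tls.crt` entry already catches a reissued certificate, or add a sentence explaining why both keys are tracked. The remainder of the hunk is indentation-only and looks fine.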
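Review bot: The `@@ -400,8 +360,6 @@` hunk deletes the `.. begin-wad-connector-config` comment, which is an include label of the kind consumed by `.. include::` with `:start-after:` / `:end-before:` (the same mechanism as the `/_includes/configure-oidc-auth-applications.rest` directives removed earlier in this patch). Before merging, grep the doc tree for `wad-connector-config` to confirm no other page includes this block by that label; otherwise that page's include directive fails or silently loses the snippet. The same check applies to `end-local-ldap-connector-config`, `begin-both-wad-and-local-ldap-volume-config` and `end-both-wad-and-local-ldap-volume-config`, which this patch also removes.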
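Review bot: The externally signed alternative added in the `@@ -452,74 +410,127 @@` hunk ("Use certificates generated and signed by an external CA") still mounts `secretName: local-ldap-ca-cert` under `volumes:`, yet the `@@ -164,30 +142,12 @@` hunk removes the only instructions for creating that secret, so a reader on the external-CA path has no step that produces it; restore the `kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system` step this patch deletes, or point to where the secret is now created. Further on this hunk: the static client secret changes from the placeholder `BetterSecret` to `St8rlingX`, a value that reads like a real credential and will be copied verbatim into `staticClients`; a documentation example should use an obvious placeholder and tell the reader to generate a random value. The two YAML examples are inconsistent in form (the first is wrapped in a `cat ... dex-overrides.yaml` redirection with an `EOF` marker, the second is bare YAML) and the two `#.` items are phrased differently (a condition, then an imperative); make both imperatives, e.g. "Use the secret `oidc-auth-apps-certificate` created using cert-manager (recommended)". Lastly, "can be retrieved through :command:`keyring get ldap ldapadmin` command executed" repeats "command".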
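Review bot: The `@@ -536,7 +547,6 @@` hunk removes `.. end-both-wad-and-local-ldap-volume-config`, the closing half of an include label pair; confirm that no `.. include::` with `:end-before: end-both-wad-and-local-ldap-volume-config` remains in the tree, because an `:end-before:` text that is not found makes the include directive fail.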