Centralized OIDC use case lacks some clarity in StarlingX documentation

Improve OIDC documentation.

Change-Id: I64c7fe5ba54935cee12c7d32d56934b1e026d0d9
Signed-off-by: Elisamara Aoki Gonçalves <elisamaraaoki.goncalves@windriver.com>
Elisamara Aoki Gonçalves 2025-05-06 19:04:19 +00:00
parent 227b9c41a2
commit 6d6dceddf4
4 changed files with 18 additions and 14 deletions

@ -21,6 +21,11 @@ Configure Kubernetes Local Client Access
Use the procedure below to configure Kubernetes access for a user logged in to
the active controller either through SSH or by using the system console.
.. note::
If the user ssh/console access is to be authenticated using an External
|WAD| or |LDAP| server, refer also to :ref:`sssd-support-5fb6c4b0320b`.
.. rubric:: |proc|
#. Execute the commands below to create the Kubernetes configuration file for
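
Review bot: In the added note, "ssh/console access" is lowercase although the context sentence directly above writes "through SSH", and "External" is capitalized mid-sentence. Suggest wording along the lines of "If the user's SSH or console access is authenticated by an external |WAD| or |LDAP| server, see also ...". The :ref: target sssd-support-5fb6c4b0320b is an opaque label with no explicit link text, so adding one would make the source readable without resolving the label.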

@ -52,10 +52,6 @@ Validation after Bootstrapping the System
the **issuer_url** is, ``https://\[<oam-floating-ip>\]:30556/dex``
(that is, in lower case, and wrapped in square brackets).
.. rubric:: |result|
For more information on |OIDC| Authentication for subclouds, see
:ref:`Centralized vs Distributed OIDC Authentication Setup
<centralized-vs-distributed-oidc-auth-setup>`.
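
Review bot: The pointer to centralized-vs-distributed-oidc-auth-setup at the end of this section should not go away without a replacement link or a reason in the commit message. The header shows a pure removal (10 lines down to 6), and the commit title is about the centralized OIDC use case lacking clarity, so dropping the cross-reference from the validation step works against the stated goal. If the text under ".. rubric:: |result|" is what is removed, remove the rubric as well so that no empty result heading is left behind.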

@ -56,11 +56,11 @@ Configure OIDC Auth Applications
bootstrap phase of system installation, by specifying ``ssl_ca_cert:
<certificate_file>`` in the ansible bootstrap overrides
``localhost.yml`` file, or by using the
:command:`system ca-certificate-install <certificate_file>` command.
:command:`system ca-certificate-install` command.
Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
for installing a root |CA|, which includes instruction to `lock/unlock`
controller nodes when using :command:`system certificate-install`
controller nodes when using :command:`system ca-certificate-install`
command.
.. important::
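
Review bot: The first replacement drops the <certificate_file> argument from "system ca-certificate-install", while the ssl_ca_cert alternative in the same sentence keeps its <certificate_file> placeholder and the parallel paragraph in the hunk at line 275 keeps "dex-ca.pem". Keep the placeholder so the two alternatives stay symmetric and the command reads as something a user can run. In the second replacement, "when using :command:`system ca-certificate-install` command" is missing its article ("the ... command"), which is worth fixing while the line is being touched.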
@ -275,12 +275,12 @@ Configure OIDC Auth Applications
|CA|, you must ensure the system trusts the |CA| by specifying it
either during the bootstrap phase of system installation, by
specifying ``ssl_ca_cert: dex-ca.pem`` in the ansible bootstrap
overrides ``localhost.yml`` file, or by using the :command:`system
certificate-install -m ssl_ca dex-ca.pem` command.
overrides ``localhost.yml`` file, or by using the
:command:`system ca-certificate-install dex-ca.pem` command.
Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
for installing a root |CA|, which includes instruction to `lock/unlock`
controller nodes when using :command:`system certificate-install`
controller nodes when using :command:`system ca-certificate-install`
command.
- Create the secret, ``local-dex.tls``, with the certificate and key,
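
Review bot: The lock/unlock sentence was written for "system certificate-install" and the command name is swapped in mechanically here, as in the hunk above. Please confirm that the Add a Trusted CA page still describes locking and unlocking controller nodes for "system ca-certificate-install"; if it does not, the sentence sends readers looking for a step that is not there. In the same sentence, `lock/unlock` is in single backticks, which reST renders with the default role rather than as a literal, and "instruction" should be "instructions".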
@ -350,7 +350,7 @@ Configure OIDC Auth Applications
For the complete list of dex helm chart values supported, see `Dex Helm
Chart Values
<https://github.com/dexidp/helm-charts/blob/dex-0.15.3/charts/dex/values.yaml>`__.
<https://github.com/dexidp/helm-charts/blob/dex-0.18.0/charts/dex/values.yaml>`__.
For the complete list of parameters of the dex |LDAP| connector
configuration, see `Authentication Through LDAP
<https://dexidp.io/docs/connectors/ldap/>`__.
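
Review bot: The Dex Helm Chart Values link stays pinned to a tag (dex-0.15.3 becomes dex-0.18.0), so it will be stale again at the next chart upgrade. Please confirm that 0.18.0 is the chart version actually packaged with the OIDC auth application for this release, and consider holding the version in a substitution so that the next bump is a one-line change.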

@ -13,9 +13,12 @@ option, **testuser** user is directly bound to a role; in the second option,
permissions.
.. note::
For bigger environments, like a |DC| with many subclouds, or to minimize
For larger environments, like a |DC| with many subclouds, or to minimize
Kubernetes custom cluster configurations, use the second option, where
permissions are granted through Kubernetes groups.
permissions are granted through Kubernetes groups. Apply the kubernetes
|RBAC| policy to the central cloud and to each subcloud where kubernetes
permissions are required.
.. _configure-users-groups-and-authorization-option-1-b2f-ck4-dlb:
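
Review bot: The two added sentences write "kubernetes" in lowercase twice ("Apply the kubernetes |RBAC| policy", "where kubernetes permissions are required"), while the rest of the same note uses "Kubernetes". Capitalize both. "Apply the Kubernetes |RBAC| policy" also does not say which policy is meant; pointing at the option 2 steps that define the group bindings would tell the reader exactly what has to be repeated on the central cloud and on each subcloud.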