Merge "Update OIDC overrides to use oidc-auth-apps-certificate created by cert-manager (dsR10, dsR10minor)" into r/stx.10.0

This commit is contained in:
Zuul 2025-05-09 19:27:16 +00:00 committed by Gerrit Code Review
commit 9aee62c31f


@ -114,44 +114,22 @@ Configure OIDC Auth Applications
Server Certificate and the |OIDC| Client and Identity Trusted |CA|
certificate.
.. only:: starlingx
Configure the certificate of the root |CA| that signed the |OIDC| client
and identity provider's server certificate. In this example, it will be
the ``ca.crt`` of the ``oidc-auth-apps-certificate`` (ClusterIssuer).
Create a secret with the certificate of the root |CA| that signed
the |OIDC| client and identity provider's server certificate. In
this example, it will be the ``ca.crt`` of the ``system-local-ca``
(ClusterIssuer).
.. code-block:: none
.. only:: partner
~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
tlsName: oidc-auth-apps-certificate
config:
# The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
# issuer_root_ca: /home/<filename-only-of-generic-secret>
issuer_root_ca: /home/ca.crt
issuer_root_ca_secret: oidc-auth-apps-certificate
EOF
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-begin
:end-before: configure-oidc-end
.. only:: starlingx
.. code-block:: none
~(keystone_admin)]$ mkdir /home/sysadmin/ssl
~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
tlsName: oidc-auth-apps-certificate
config:
# The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
# issuer_root_ca: /home/<filename-only-of-generic-secret>
issuer_root_ca: /home/dex-ca-cert.crt
issuer_root_ca_secret: dex-ca-cert
EOF
~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-tls1-begin
:end-before: configure-oidc-tls1-end
~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
#. Create a secret with the certificate of the |CA| that signed the
certificate of the Identity Providers (IdPs) that you will be using.
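Review bot: the starlingx sentence "it will be the ``ca.crt`` of the ``oidc-auth-apps-certificate`` (ClusterIssuer)" keeps the "(ClusterIssuer)" qualifier from the sentence it replaces, but ``oidc-auth-apps-certificate`` is the cert-manager-created certificate secret, while ``system-local-ca`` is the ClusterIssuer that signs it; say "the ``ca.crt`` of the ``oidc-auth-apps-certificate`` secret (issued by the ``system-local-ca`` ClusterIssuer)" so the reader does not go looking for a ClusterIssuer of that name. In the override itself the comment "# The OIDC-client container mounts the dex-ca-cert secret at /home" is now stale, since ``issuer_root_ca_secret`` points at ``oidc-auth-apps-certificate``; update the comment to name that secret so the "/home/<filename-only-of-generic-secret>" hint lines up with ``issuer_root_ca: /home/ca.crt``.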
@ -164,30 +142,12 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
.. only:: starlingx
If you will use the Local |LDAP| server, use the Root |CA| data from
``oidc-auth-apps-certificate``, since it is the same Root |CA| that
signs the Local |LDAP| certificate (``system-local-ca``).
If you will use the Local |LDAP| server, create the secret
``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
Local |LDAP|'s certificate using the command below. This |CA|'s
certificate, presented below as file ``local-ldap-ca-cert.crt``, can
be extracted from the controller where the Local |LDAP| server is
running (the SystemController in DC environments) using the command
`kubectl get secret system-local-ca -n cert-manager
-o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
local-ldap-ca-cert.crt`.
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-tls2-begin
:end-before: configure-oidc-tls2-end
.. code-block:: none
~(keystone_admin)]$ kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system
The secrets ``wad-ca-cert`` and/or ``local-ldap-ca-cert`` will be used
later in the application overrides.
The secrets ``wad-ca-cert`` and/or ``oidc-auth-apps-certificate`` will
be used later in the application overrides.
#. Configure the secret observer to track changes.
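Review bot: the new starlingx paragraph says to "use the Root |CA| data from ``oidc-auth-apps-certificate``" but never states that the ``kubectl create secret generic local-ldap-ca-cert`` step is dropped for this case; add a sentence saying that no additional secret is created and that the dex overrides will mount ``oidc-auth-apps-certificate`` directly, otherwise readers following the previous release's procedure will still create ``local-ldap-ca-cert`` and then find the overrides never reference it. The closing sentence "The secrets ``wad-ca-cert`` and/or ``oidc-auth-apps-certificate`` will be used later" reads as if both are created in this step; since ``oidc-auth-apps-certificate`` is managed by cert-manager, phrase it as "the ``wad-ca-cert`` secret you created and/or the cert-manager-managed ``oidc-auth-apps-certificate`` secret".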
@ -204,19 +164,19 @@ Configure OIDC Auth Applications
.. code-block:: none
~(keystone_admin)]$ cat <<EOF > secret-observer-overrides.yaml
cronSchedule: "*/15 * * * *"
observedSecrets:
- secretName: "dex-ca-cert"
filename: "dex-ca-cert.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"
EOF
~(keystone_admin)]$ cat <<EOF > secret-observer-overrides.yaml
cronSchedule: "*/15 * * * *"
observedSecrets:
- secretName: "oidc-auth-apps-certificate"
filename: "ca.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"
EOF
Execute the following command to update the overrides:
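Review bot: the updated observer list restarts ``stx-oidc-client`` when the ``ca.crt`` key of ``oidc-auth-apps-certificate`` changes, but there is no ``ca.crt`` entry for ``oidc-dex``, even though the dex overrides in this same change mount that secret as ``certdir`` and point the LDAP connector at ``rootCA: /etc/ssl/certs/adcert/ca.crt``; after a CA rotation dex would keep the old trust anchor until something else restarts it. Add a fourth entry: `- secretName: "oidc-auth-apps-certificate"` / `filename: "ca.crt"` / `deploymentToRestart: "oidc-dex"`.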
@ -400,8 +360,6 @@ Configure OIDC Auth Applications
For only a |WAD| server, the configuration is shown below.
.. begin-wad-connector-config
.. code-block:: none
config:
@ -452,74 +410,127 @@ Configure OIDC Auth Applications
defaultMode: 420
secretName: oidc-auth-apps-certificate
.. end-wad-connector-config
For only the Local |LDAP| server, the configuration is shown below. The
value of ``bindPW`` can be retrieved through command `keyring get ldap
ldapadmin` executed in the controller where the Local |LDAP| server is
running. In DC environments, the MGMT floating IP address to be used is the
one from the SystemController.
value of bindPW can be retrieved through :command:`keyring get ldap ldapadmin`
command executed in the controller where the Local |LDAP| server
is running. In DC environments, the MGMT floating IP address to be used is
the one from the SystemController.
.. begin-local-ldap-connector-config
#. For the secret ``oidc-auth-apps-certificate`` created using cert-manager
(recommended):
.. code-block:: none
.. code-block:: none
config:
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
redirectURIs: ['https://<OAM floating IP address>:30555/callback']
secret: BetterSecret
expiry:
idTokens: "10h"
connectors:
- type: ldap
name: LocalLDAP
id: localldap-1
cat <<EOF > dex-overrides.yaml
config:
host: <MGMT floating IP address>:636
rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
insecureNoSSL: false
insecureSkipVerify: false
bindDN: CN=ldapadmin,DC=cgcs,DC=local
bindPW: [<password>]
usernamePrompt: Username
userSearch:
baseDN: ou=People,dc=cgcs,dc=local
filter: "(objectClass=posixAccount)"
username: uid
idAttr: DN
emailAttr: uid
nameAttr: gecos
groupSearch:
baseDN: ou=Group,dc=cgcs,dc=local
filter: "(objectClass=posixGroup)"
userMatchers:
- userAttr: uid
groupAttr: memberUid
nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: local-ldap-ca-cert
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
secret: St8rlingX
redirectURIs:
- https://<OAM floating IP address>:30555/callback
expiry:
idTokens: "10h"
connectors:
- type: ldap
name: LocalLDAP
id: localldap-1
config:
host: <MGMT floating IP address>:636
rootCA: /etc/ssl/certs/adcert/ca.crt
insecureNoSSL: false
insecureSkipVerify: false
bindDN: CN=ldapadmin,DC=cgcs,DC=local
bindPW: [<password>]
usernamePrompt: Username
userSearch:
baseDN: ou=People,dc=cgcs,dc=local
filter: "(objectClass=posixAccount)"
username: uid
idAttr: DN
emailAttr: uid
nameAttr: gecos
groupSearch:
baseDN: ou=Group,dc=cgcs,dc=local
filter: "(objectClass=posixGroup)"
userMatchers:
- userAttr: uid
groupAttr: memberUid
nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: oidc-auth-apps-certificate
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
#. Use certificates generated and signed by an external |CA|.
.. code-block:: none
config:
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
secret: St8rlingX
redirectURIs:
- https://<OAM floating IP address>:30555/callback
expiry:
idTokens: "10h"
connectors:
- type: ldap
name: LocalLDAP
id: localldap-1
config:
host: <MGMT floating IP address>:636
rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
insecureNoSSL: false
insecureSkipVerify: false
bindDN: CN=ldapadmin,DC=cgcs,DC=local
bindPW: [<password>]
usernamePrompt: Username
userSearch:
baseDN: ou=People,dc=cgcs,dc=local
filter: "(objectClass=posixAccount)"
username: uid
idAttr: DN
emailAttr: uid
nameAttr: gecos
groupSearch:
baseDN: ou=Group,dc=cgcs,dc=local
filter: "(objectClass=posixGroup)"
userMatchers:
- userAttr: uid
groupAttr: memberUid
nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: local-ldap-ca-cert
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
.. end-local-ldap-connector-config
If both |WAD| and Local |LDAP| servers are used at same time, use the
examples above with the connectors from |WAD| and Local |LDAP| in the same
``connectors`` list while the ``volumes`` to be used is the one written
below.
.. begin-both-wad-and-local-ldap-volume-config
.. code-block:: none
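Review bot: in the cert-manager (recommended) block the line `cat <<EOF > dex-overrides.yaml` opens a heredoc, but no terminating `EOF` follows the YAML, and the external-CA block below it has no `cat` line at all; either drop the `cat` line so both blocks are plain YAML like the WAD example, or add the `EOF` terminator and the same wrapper to both blocks. The static client `secret: St8rlingX` reads like a real credential rather than a placeholder; use something like `<client-secret>`, consistent with the `<password>` placeholder used for `bindPW`, so nobody copies the documented value into a deployment. While here, `bindPW: [<password>]` is a YAML flow sequence, so the value parses as a one-element list rather than a string; write it as `bindPW: <password>`.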
@ -536,7 +547,6 @@ Configure OIDC Auth Applications
defaultMode: 420
secretName: oidc-auth-apps-certificate
.. end-both-wad-and-local-ldap-volume-config
If more than one Windows Active Directory service is required for
authenticating the different users of the |prod|, multiple ``ldap``