starlingx/docs
Code Issues Proposed changes

Merge "Centralized OIDC usecase lacks some clarity in StarlingX documentation"

Browse Source
This commit is contained in:
Zuul 2025-05-12 14:17:36 +00:00 committed by Gerrit Code Review
commit e98a643150
4 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/source/security/kubernetes/configure-kubernetes-client-access.rst
View File

@ -21,6 +21,11 @@ Configure Kubernetes Local Client Access
Use the procedure below to configure Kubernetes access for a user logged in to Use the procedure below to configure Kubernetes access for a user logged in to
the active controller either through SSH or by using the system console. the active controller either through SSH or by using the system console.
.. note::
If the user ssh/console access is to be authenticated using an External
|WAD| or |LDAP| server, refer also to :ref:`sssd-support-5fb6c4b0320b`.
.. rubric:: |proc| .. rubric:: |proc|
#. Execute the commands below to create the Kubernetes configuration file for #. Execute the commands below to create the Kubernetes configuration file for

6
doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst
View File

@ -52,10 +52,6 @@ Validation after Bootstrapping the System
the **issuer_url** is, ``https://\[<oam-floating-ip>\]:30556/dex`` the **issuer_url** is, ``https://\[<oam-floating-ip>\]:30556/dex``
(that is, in lower case, and wrapped in square brackets). (that is, in lower case, and wrapped in square brackets).
.. rubric:: |result|
For more information on |OIDC| Authentication for subclouds, see For more information on |OIDC| Authentication for subclouds, see
:ref:`Centralized vs Distributed OIDC Authentication Setup :ref:`Centralized vs Distributed OIDC Authentication Setup
<centralized-vs-distributed-oidc-auth-setup>`. <centralized-vs-distributed-oidc-auth-setup>`.

12
doc/source/security/kubernetes/configure-oidc-auth-applications.rst
View File

@ -56,11 +56,11 @@ Configure OIDC Auth Applications
bootstrap phase of system installation, by specifying ``ssl_ca_cert: bootstrap phase of system installation, by specifying ``ssl_ca_cert:
<certificate_file>`` in the ansible bootstrap overrides <certificate_file>`` in the ansible bootstrap overrides
``localhost.yml`` file, or by using the ``localhost.yml`` file, or by using the
:command:`system ca-certificate-install <certificate_file>` command. :command:`system ca-certificate-install` command.
Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>` Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
for installing a root |CA|, which includes instruction to `lock/unlock` for installing a root |CA|, which includes instruction to `lock/unlock`
controller nodes when using :command:`system certificate-install` controller nodes when using :command:`system ca-certificate-install`
command. command.
.. important:: .. important::
@ -235,12 +235,12 @@ Configure OIDC Auth Applications
|CA|, you must ensure the system trusts the |CA| by specifying it |CA|, you must ensure the system trusts the |CA| by specifying it
either during the bootstrap phase of system installation, by either during the bootstrap phase of system installation, by
specifying ``ssl_ca_cert: dex-ca.pem`` in the ansible bootstrap specifying ``ssl_ca_cert: dex-ca.pem`` in the ansible bootstrap
overrides ``localhost.yml`` file, or by using the :command:`system overrides ``localhost.yml`` file, or by using the
certificate-install -m ssl_ca dex-ca.pem` command. :command:`system ca-certificate-install dex-ca.pem` command.
Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>` Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
for installing a root |CA|, which includes instruction to `lock/unlock` for installing a root |CA|, which includes instruction to `lock/unlock`
controller nodes when using :command:`system certificate-install` controller nodes when using :command:`system ca-certificate-install`
command. command.
- Create the secret, ``local-dex.tls``, with the certificate and key, - Create the secret, ``local-dex.tls``, with the certificate and key,
@ -310,7 +310,7 @@ Configure OIDC Auth Applications
For the complete list of dex helm chart values supported, see `Dex Helm For the complete list of dex helm chart values supported, see `Dex Helm
Chart Values Chart Values
<https://github.com/dexidp/helm-charts/blob/dex-0.15.3/charts/dex/values.yaml>`__. <https://github.com/dexidp/helm-charts/blob/dex-0.18.0/charts/dex/values.yaml>`__.
For the complete list of parameters of the dex |LDAP| connector For the complete list of parameters of the dex |LDAP| connector
configuration, see `Authentication Through LDAP configuration, see `Authentication Through LDAP
<https://dexidp.io/docs/connectors/ldap/>`__. <https://dexidp.io/docs/connectors/ldap/>`__.

9
doc/source/security/kubernetes/configure-users-groups-and-authorization.rst
View File

@ -13,9 +13,12 @@ option, **testuser** user is directly bound to a role; in the second option,
permissions. permissions.
.. note:: .. note::
For bigger environments, like a |DC| with many subclouds, or to minimize
Kubernetes custom cluster configurations, use the second option, where For larger environments, like a |DC| with many subclouds, or to minimize
permissions are granted through Kubernetes groups. Kubernetes custom cluster configurations, use the second option, where
permissions are granted through Kubernetes groups. Apply the kubernetes
|RBAC| policy to the central cloud and to each subcloud where kubernetes
permissions are required.
.. _configure-users-groups-and-authorization-option-1-b2f-ck4-dlb: .. _configure-users-groups-and-authorization-option-1-b2f-ck4-dlb: