Merge "OIDC system-local-ca CA certificate data retrieval incorrectly references ca.crt rather than tls.crt. (dsr8)"

doc/source/_includes/configure-oidc-auth-applications.rest

@@ -0,0 +1,13 @@
+
+
+.. start-after: configure-oidc-begin
+.. end-before: configure-oidc-end
+
+.. start-after: configure-oidc-tls1-begin
+.. end-before: configure-oidc-tls1-end
+
+.. start-after: configure-oidc-tls2-begin
+.. end-before: configure-oidc-tls2-end
+
+.. start-after: configure-oidc-tls3-begin
+.. end-before: configure-oidc-tls3-end

doc/source/security/kubernetes/configure-oidc-auth-applications.rst

@@ -113,29 +113,44 @@ Configure OIDC Auth Applications
          Server Certificate and the |OIDC| Client and Identity Trusted |CA|
          certificate.
 
-         Create a secret with the certificate of the root |CA| that signed the
-         |OIDC| client and identity provider's server certificate.  In this
-         example, it will be the ``ca.crt`` of the ``system-local-ca``
-         ClusterIssuer).
+         .. only:: starlingx
 
-         .. code-block:: none
+             Create a secret with the certificate of the root |CA| that signed
+             the |OIDC| client and identity provider's server certificate. In
+             this example, it will be the ``ca.crt`` of the ``system-local-ca``
+             (ClusterIssuer).
 
-            ~(keystone_admin)]$ mkdir /home/sysadmin/ssl
-            ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
+         .. only:: partner
 
-            ~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt  -n kube-system
+             .. include:: /_includes/configure-oidc-auth-applications.rest
+                 :start-after: configure-oidc-begin
+                 :end-before: configure-oidc-end
 
-            ~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
-            tlsName: oidc-auth-apps-certificate
-            config:
-               # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
-               # issuer_root_ca: /home/<filename-only-of-generic-secret>
-               issuer_root_ca: /home/dex-ca-cert.crt
-               issuer_root_ca_secret: dex-ca-cert
-            EOF
+         .. only:: starlingx
 
-            ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
+             .. code-block:: none
 
+                 ~(keystone_admin)]$ mkdir /home/sysadmin/ssl
+                 ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
+
+                 ~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt  -n kube-system
+
+                 ~(keystone_admin)]$ cat <<EOF > stx-oidc-client.yaml
+                 tlsName: oidc-auth-apps-certificate
+                 config:
+                    # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
+                    # issuer_root_ca: /home/<filename-only-of-generic-secret>
+                    issuer_root_ca: /home/dex-ca-cert.crt
+                    issuer_root_ca_secret: dex-ca-cert
+                 EOF
+
+                 ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
+
+         .. only:: partner
+
+             .. include:: /_includes/configure-oidc-auth-applications.rest
+                 :start-after: configure-oidc-tls1-begin
+                 :end-before: configure-oidc-tls1-end
 
       #. Create a secret with the certificate of the |CA| that signed the
          certificate of the Identity Providers (IdPs) that you will be using.
@@ -148,15 +163,23 @@ Configure OIDC Auth Applications
 
              ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
 
-         If you will use the Local |LDAP| server, create the secret
-         ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
-         Local |LDAP|'s certificate using the command below. This |CA|'s
-         certificate, presented below as file ``local-ldap-ca-cert.crt``, can
-         be extracted from the controller where the Local |LDAP| server is
-         running (the SystemController in DC environments) using the command
-         `kubectl get secret system-local-ca -n cert-manager
-         -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
-         local-ldap-ca-cert.crt`.
+         .. only:: starlingx
+
+             If you will use the Local |LDAP| server, create the secret
+             ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
+             Local |LDAP|'s certificate using the command below. This |CA|'s
+             certificate, presented below as file ``local-ldap-ca-cert.crt``, can
+             be extracted from the controller where the Local |LDAP| server is
+             running (the SystemController in DC environments) using the command
+             `kubectl get secret system-local-ca -n cert-manager
+             -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
+             local-ldap-ca-cert.crt`.
+
+         .. only:: partner
+
+             .. include:: /_includes/configure-oidc-auth-applications.rest
+                 :start-after: configure-oidc-tls2-begin
+                 :end-before: configure-oidc-tls2-end
 
          .. code-block:: none
 
@@ -289,15 +312,23 @@ Configure OIDC Auth Applications
 
               ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
 
-          If you will use the Local |LDAP| server, create the secret
-          ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
-          Local |LDAP|'s certificate using the command below. This |CA|'s
-          certificate, presented below as file ``local-ldap-ca-cert.crt``, can
-          be extracted from the controller where the Local |LDAP| server is
-          running (the SystemController in DC environments) using the command
-          `kubectl get secret system-local-ca -n cert-manager
-          -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
-          local-ldap-ca-cert.crt`.
+          .. only:: starlingx
+
+              If you will use the Local |LDAP| server, create the secret
+              ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
+              Local |LDAP|'s certificate using the command below. This |CA|'s
+              certificate, presented below as file ``local-ldap-ca-cert.crt``, can
+              be extracted from the controller where the Local |LDAP| server is
+              running (the SystemController in DC environments) using the command
+              `kubectl get secret system-local-ca -n cert-manager
+              -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
+              local-ldap-ca-cert.crt`.
+
+          .. only:: partner
+
+              .. include:: /_includes/configure-oidc-auth-applications.rest
+                 :start-after: configure-oidc-tls3-begin
+                 :end-before: configure-oidc-tls3-end
 
           .. code-block:: none