Add Windows Active Dir Auth Support for K8s

Completed review feedback. Additional feedback done. Added cengn path. Story: 2006711 Task: 38485 Change-Id: I8a3f6f8583accf3ab2eb5694a41b1750a7938252 Signed-off-by: MCamp859 <maryx.camp@intel.com>
2020-03-10 11:32:30 -04:00 · 2020-03-10 11:32:30 -04:00 · 796bb1a716
commit 796bb1a716
parent 34a7120cdc
4 changed files with 318 additions and 4 deletions
--- a/doc/source/configuration/figures/k8s_auth_login.png
+++ b/doc/source/configuration/figures/k8s_auth_login.png
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@ -25,6 +25,7 @@ Kubernetes Configuration
   :maxdepth: 1
   k8s_persistent_vol
   k8s_auth_winactivedir
 -----------------------
 OpenStack Configuration
--- a/doc/source/configuration/k8s_auth_winactivedir.rst
+++ b/doc/source/configuration/k8s_auth_winactivedir.rst
@ -0,0 +1,317 @@
 ==================================================================
 Authenticate Kubernetes Users with Windows Active Directory Server
 ==================================================================
 This guide describes how to authenticate users of the Kubernetes API via a
 remote Windows Active Directory server, using the oidc-auth-apps application.
 .. contents::
   :local:
   :depth: 1
 ----------------------------
 Configure the kube-apiserver
 ----------------------------
 Configure the Kubernetes cluster with a few extra parameters for the
 kube-apiserver. You can do this during bootstrap or after installation.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Configure as part of bootstrap
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Add the following items to ``localhost.yml`` during bootstrap:
 ::
    apiserver_oidc:
      client_id: stx-oidc-client-app
      issuer_url: https://<oam-floating-ip>:30556/dex
      username_claim: email
      groups_claim: groups
 The ``username_claim`` and ``groups_claim`` parameter values can vary for
 different user and group configurations within your Windows Active Directory
 server.
 ~~~~~~~~~~~~~~~~~~~~~~
 Configure post-install
 ~~~~~~~~~~~~~~~~~~~~~~
 Execute the following commands to add the OIDC parameters to the kube-apiserver:
 ::
    system service-parameter-add kubernetes kube_apiserver oidc_client_id=value
    system service-parameter-add kubernetes kube_apiserver oidc_groups_claim=value
    system service-parameter-add kubernetes kube_apiserver oidc_issuer_url=value
    system service-parameter-add kubernetes kube_apiserver oidc_username_claim=value
    system service-parameter-apply kubernetes
 ------------------------------------
 Configure oidc-auth-apps application
 ------------------------------------
 The oidc-auth-apps application is a system managed application that is
 packaged in the ISO and uploaded by default. To use the oidc-auth-apps
 application for authentication, you must first configure and deploy the
 oidc-auth-apps application as described below.
 These commands assume the cert and key pem files for creating these secrets
 are in ``/home/sysadmin/ssl/``.
 #.  Create a secret with the certificate and key (``local-dex.tls``) to be used
    by the oidc-auth-apps as well as a secret with the CA that signed this
    certificate (``dex-client-secret``) for the client. The certificate should
    be signed by a CA trusted by the system. If the certificate is signed by a
    CA that is not trusted by default, you can make the system trust the CA
    by specifying it during bootstrap by specifying ssl_ca_cert in
    ``localhost.yml``, or through ``system certificate-install -m ssl_ca ...``
    after bootstrap.
    ::
        kubectl create secret tls local-dex.tls --cert=ssl/dex-cert.pem --key=ssl/dex-key.pem -n kube-system
        kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/ssl/dex-ca.pem  -n kube-system
    Create a Kubernetes secret wadcert with the CA's certificate that signed the
    Active Directory's certificate using the following command:
    ::
        kubectl create secret generic wadcert --from-file=ssl/AD_CA.cer -n kube-system
 #.  Specify user overrides for oidc-auth-apps.
    ::
        system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/dex-overrides.yaml
    The only mandatory section is the "connectors" section, which will vary for
    different Windows Active Directory deployments. Refer to the upstream dex
    documentation for more details:
    https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
    Here is an example ``dex-overrides.yaml`` file:
    ::
      config:
        expiry:
          idTokens: "10h"
        connectors:
        - type: ldap
          name: OpenLDAP
          id: ldap
          config:
            host: pv-windows-acti.cumulus.wrs.com:636
            rootCA: /etc/ssl/certs/adcert/AD_CA.cer
            insecureNoSSL: false
            insecureSkipVerify: false
            bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com
            bindPW: Li69nux*
            usernamePrompt: Username
            userSearch:
              baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com
              filter: "(objectClass=user)"
              username: sAMAccountName
              idAttr: sAMAccountName
              emailAttr: sAMAccountName
              nameAttr: displayName
            groupSearch:
              baseDN: ou=Users,ou=Titanium,dc=corp,dc=cumulus,dc=wrs,dc=com
              filter: "(objectClass=group)"
              userAttr: DN
              groupAttr: member
              nameAttr: cn
      extraVolumes:
      - name: certdir
        secret:
          secretName: wadcert
      extraVolumeMounts:
      - name: certdir
        mountPath: /etc/ssl/certs/adcert
 #.  Apply oidc-auth-apps:
    ::
        system application-apply oidc-auth-apps
 ---------------------------------------
 Set up users, groups, and authorization
 ---------------------------------------
 These steps assume there is a user called "testuser" who is a member of both a
 billingDeptGroup and a managerGroup set up in the Windows Active Directory
 deployments.
 On StarlingX, bind Kubernetes RBAC role(s) to this user and/or group(s). For
 example, give this user admin privileges by creating the following deployment
 file and deploy it with the ``kubectl apply -f filename`` command.
 ::
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: testuser-rolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: testuser
 Alternatively, you can also bind Kubernetes RBAC role(s) for the group(s) of
 testuser. For example, give all members of the billingDeptGroup admin
 privileges by creating the following deployment file and deploy it with the
 :command:`kubectl apply -f filename` command.
 ::
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: testuser-rolebinding
    roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
     kind: Group
     name: billingDeptGroup
 Set up kubectl with a Kubernetes user to authenticate through dex. This can be
 done locally on controller-0 or remotely on a workstation.
 ::
    # setup cluster if you haven’t already
    kubectl config set-cluster mystxcluster –server=https://<oam-floating-ip>:6443
    kubectl config set-context testuser@mystxcluster --cluster=mystxcluster --user=testuser
 ---------------------------
 Obtain authentication token
 ---------------------------
 You can get the authentication token using the ``oidc-auth`` CLI or using a
 browser.
 ~~~~~~~~~~~~~~~~~~~~~
 Use ``oidc-auth`` CLI
 ~~~~~~~~~~~~~~~~~~~~~
 The ``oidc-auth`` CLI retrieves the ID token from Windows Active Directory using
 the OIDC client, and dex, and updates the Kubernetes credentials for the user in
 the kubectl config file.
 On controller-0, ``oidc-auth`` is installed as part of the base installation,
 and is ready to use.
 On a remote host with kubectl and helm client installed on the host, perform the
 following required setup:
 #.  Install the Python ``mechanize`` module:
    ::
      sudo pip2 install mechanize
 #.  Get the ``oidc-auth`` script from the public
    `CENGN StarlingX mirror <http://mirror.starlingx.cengn.ca/mirror/starlingx/>`_.
    For example,
    ``http://mirror.starlingx.cengn.ca/mirror/starlingx/master/centos/latest_docker_image_build/outputs/remote-cli/``
 After setup is complete, run the ``oidc-auth`` script to authenticate and update
 user credentials in the kubectl config file with the retrieved token.
 ::
  oidc-auth -c <OAM ip address> -u testuser
  Password:
  Login succeeded.
  Updating kubectl config ...
  User testuser set.
 Switch to the context for this user:
 ::
  kubectl config use-context testuser@mystxcluster
 Run a kubectl command to ensure the token works:
 ::
  kubectl get pods --all-namespaces
 ~~~~~~~~~~~
 Use browser
 ~~~~~~~~~~~
 #.  From a browser, enter the following:
    ::
        https://oam-floating-ip-address:30555
 #.  In the dialog box, enter your username, password and click Login.
    .. figure:: figures/k8s_auth_login.png
       :scale: 100%
       :alt: Login dialog box
    An ID token is displayed as shown below:
    ::
        ID Token:
        eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwYTcyYmIwZTRjNTJhZDhiNGYxMmYxNzc3NTVmNDdmODc5M2ZkYTAifQ.eyJpc3MiOiJodHRwczovLzEwLjEwLjEwLjM6MzA1NTYvZGV4Iiwic3ViIjoiQ2dkbmQyRnBibVZ6RWdSc1pHRnciLCJhdWQiOiJzdHgtb2lkYy1jbGllbnQtYXBwIiwiZXhwIjoxNTgwODQ4NTkzLCJpYXQiOjE1ODA3NjIxOTMsImF0X2hhc2giOiJNU0YtNDBpOWVuM1QyVjdUMWdSZW5RIiwiZW1haWwiOiJnd2FpbmVzIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJHcmVnb3J5IEEuIFdhaW5lcyJ9.oNIabUhd5wx3tFCIuewtzsbYfx1OsrGXtEUEPL0l5Y944WE2c1HP6YUHWxvYTMw1_Ldl-jx-koiYbiE8Eztgy9anfJqclUFa6xlxP666Z7AYxndsULylqzfT0dvySaddIEEYDffx7aH6g7q2PKZjMHFierRyqmCu8WTPRSNy3NymLmQaGGjUmFHqbvpEBgg_ytpsDgbRIpk1EbyP63l79hBNlRvcffTRLi3LYYRaJLgSbx2tha43OX5rKxylF_GrzZHaqxxT6MjIHKHagUrcqa054RwPWUHKyV26ErkMg6gN5uyMm462UtnW7jJucYrWBpbaWaj0U0OTWv_1NnKlJw
        Access Token:
        jwcj46v3vmumpixr54wbyrstf
        Claims:
        {
          "iss": "https://10.10.10.3:30556/dex",
          "sub": "Cgdnd2FpbmVzEgRsZGFw",
          "aud": "stx-oidc-client-app",
          "exp": 1580848593,
          "iat": 1580762193,
          "at_hash": "MSF-40i9en3T2V7T1gRenQ",
          "email": "testuser",
          "email_verified": true,
          "groups": [
            "billingDeptGroup",
            "managerGroup"
            ],
          "name": "testuser"
        }
 #.  Set Kubernetes credentials with the above ID token:
    ::
        ~(keystone_admin)]$ TOKEN=<ID token string>
        ~(keystone_admin)]$ kubectl config setcredentials testuser --token $TOKEN
 #.  Switch to the context for this user:
    ::
        ~(keystone_admin)]$ kubectl config use-context testuser@mystxcluster
 #.  Run the command ``kubectl get pods --all-namespaces``.
 This command should be successful because authentication is complete.
--- a/doc/source/deploy_install_guides/r4_release/ansible_bootstrap_configs.rst
+++ b/doc/source/deploy_install_guides/r4_release/ansible_bootstrap_configs.rst
@ -118,10 +118,6 @@ Install-time-only parameters
 * ``apiserver_oidc``
  * ``client_id``
  * ``issuer_id``
  * ``username_claim``
 ----
 IPv6
 ----