Platform Application Components updates oidc-dex

Story: 2009838
Task: 45597

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Ia3a0e3e5308221bc8ad1c66cdbb6b1a6046fc32b
This commit is contained in:
Elisamara Aoki Goncalves 2022-06-10 12:36:29 -03:00
parent 72b67d3d14
commit b20a6233f2
2 changed files with 192 additions and 31 deletions


@ -53,7 +53,7 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ cat <<EOF > oidc-auth-apps-certificate.yaml ~(keystone_admin)]$ cat <<EOF > oidc-auth-apps-certificate.yaml
--- ---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: oidc-auth-apps-certificate name: oidc-auth-apps-certificate
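Review bot: only the first seven lines of ``oidc-auth-apps-certificate.yaml`` are in this hunk, so the bump from ``cert-manager.io/v1alpha2`` to ``cert-manager.io/v1`` is visible but the rest of the Certificate ``spec`` is not. cert-manager v1 renamed several v1alpha2 fields (``keySize``, ``keyAlgorithm`` and ``keyEncoding`` moved under ``privateKey``; ``organization`` moved to ``subject.organizations``), and an unknown field can be pruned by the API server rather than rejected, silently leaving the key size or subject at its default. Please confirm the remainder of the manifest uses the v1 field names.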
@ -132,23 +132,19 @@ Configure OIDC Auth Applications
.. code-block:: none .. code-block:: none
certs: volumeMounts:
web: - mountPath: /etc/ssl/certs/adcert
secret: name: certdir
tlsName: oidc-auth-apps-certificate - mountPath: /etc/dex/tls
caName: oidc-auth-apps-certificate name: https-tls
grpc: volumes:
secret:
serverTlsName: oidc-auth-apps-certificate
clientTlsName: oidc-auth-apps-certificate
caName: oidc-auth-apps-certificate
extraVolumes:
- name: certdir - name: certdir
secret: secret:
secretName: wad-ca-cert secretName: wad-ca-cert
extraVolumeMounts: - name: https-tls
- name: certdir secret:
mountPath: /etc/ssl/certs/adcert defaultMode: 420
secretName: oidc-auth-apps-certificate
#. Apply the overrides configuration. #. Apply the overrides configuration.
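Review bot: ``defaultMode: 420`` is decimal for octal ``0644``, which is also the Kubernetes default for secret volumes; since the code block is typed ``none`` and cannot carry an inline comment, a short sentence saying "420 is 0644" would save readers the conversion. The old ``grpc:`` TLS settings (``serverTlsName``, ``clientTlsName``, ``caName``) disappear without a replacement; that is consistent with ``grpc.enabled: false`` in the default overrides added later in this commit, but the text should state that gRPC is disabled so the omission does not look accidental. The new ``/etc/dex/tls`` mount lines up with ``web.tlsCert: /etc/dex/tls/tls.crt`` and the ``tls.crt``/``tls.key`` keys cert-manager writes into the secret, which is good.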
@ -194,6 +190,24 @@ Configure OIDC Auth Applications
#. Use certificates generated and signed by an external |CA|. #. Use certificates generated and signed by an external |CA|.
Although it is recommended to use cert-manager to manage certificates, as
described above in item "Create certificates using cert-manager
(recommended)", one can instead use certificates generated by an external
|CA|.
For backwards compatibility reasons, the default helm chart overrides of
dex, oidc-client and secret-observer in ``oidc-auth-apps`` application
are set for this example of using externally generated certificates. The
default override values of helm charts in ``oidc-auth-apps`` application
include the use of kubernetes secrets named ``local-dex.tls``, and
``dex-client-secret`` for declaring the dex server certificate and the
|CA| which signed it, respectively. These secrets are created in this
example.
In addition, one can indicate the |WAD| certificate for an ldap server
that has https enabled by using the secret ``wad-ca-cert`` as in this
example.
.. rubric:: |prereq| .. rubric:: |prereq|
- You must have a |CA| signed certificate (``dex-cert.pem`` file), and - You must have a |CA| signed certificate (``dex-cert.pem`` file), and
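Review bot: a style point on the new paragraph: the rest of this page uses the ``|LDAP|`` and ``|CA|`` substitutions and capitalised product names, but the added text has ``kubernetes secrets``, ``ldap server`` and ``https enabled``; suggest ``Kubernetes secrets``, ``|LDAP| server`` and ``HTTPS enabled``. ``one can`` (twice) also reads better as ``you can``, matching the imperative voice of the surrounding steps.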
@ -268,18 +282,25 @@ Configure OIDC Auth Applications
The dex-overrides.yaml file contains the desired dex helm chart overrides The dex-overrides.yaml file contains the desired dex helm chart overrides
(that is, the |LDAP| connector configuration for the Active Directory (that is, the |LDAP| connector configuration for the Active Directory
service, optional token expiry, and so on), and volume mounts for service, optional token expiry, and so on), and volume mounts for
providing access to the ``wadcert`` secret, described in this section. providing access to the ``wad-ca-cert`` secret, described in this section.
For the complete list of dex helm chart values supported, see `Dex Helm For the complete list of dex helm chart values supported, see `Dex Helm
Chart Values Chart Values
<https://github.com/helm/charts/blob/92b6289ae93816717a8453cfe62bad51cbdb <https://github.com/dexidp/helm-charts/blob/dex-0.8.2/charts/dex/values.yaml>`__.
8ad0/stable/dex/values.yaml>`__. For the complete list of parameters of the For the complete list of parameters of the dex |LDAP| connector
dex |LDAP| connector configuration, see `Authentication Through LDAP configuration, see `Authentication Through LDAP
<https://dexidp.io/docs/connectors/ldap/>`__. <https://dexidp.io/docs/connectors/ldap/>`__.
The overall Dex documentation is available on `dexidp.io
<https://dexidp.io/docs/>`__. The configuration of dex server version
v2.31.1 is described on github
(https://github.com/dexidp/dex/blob/v2.31.1/config.yaml.dist) with example
``config.dev.yaml``
(https://github.com/dexidp/dex/blob/v2.31.1/config.dev.yaml).
The example below configures a token expiry of ten hours, a single |LDAP| The example below configures a token expiry of ten hours, a single |LDAP|
connector to an Active Directory service using HTTPS \(LDAPS\) using the connector to an Active Directory service using HTTPS \(LDAPS\) using the
``wadcert`` secret configured in this section, the required Active ``wad-ca-cert`` secret configured in this section, the required Active
Directory service login information \(that is, bindDN, and bindPW\), and Directory service login information \(that is, bindDN, and bindPW\), and
example :command:`userSearch`, and :command:`groupSearch` clauses. example :command:`userSearch`, and :command:`groupSearch` clauses.
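Review bot: the two new references to ``config.yaml.dist`` and ``config.dev.yaml`` are bare URLs in parentheses while every other link in this paragraph uses the RST ```text <url>`__`` form; suggest ```config.yaml.dist <https://github.com/dexidp/dex/blob/v2.31.1/config.yaml.dist>`__`` and the same for ``config.dev.yaml``, and ``github`` should be ``GitHub``. The paragraph now pins two versions, chart ``dex-0.8.2`` for the values reference and dex server ``v2.31.1`` for the configuration reference; both should be the versions the application actually bundles (the default overrides later in this commit tag the image ``v2.31.1``), otherwise the linked ``values.yaml`` keys may not match the chart being configured. The ``wadcert`` to ``wad-ca-cert`` correction is right; the prose now matches the secret name used in the volume definitions.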
@ -350,13 +371,19 @@ Configure OIDC Auth Applications
userAttr: DN userAttr: DN
groupAttr: member groupAttr: member
nameAttr: cn nameAttr: cn
extraVolumes: volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir - name: certdir
secret: secret:
secretName: wad-ca-cert secretName: wad-ca-cert
extraVolumeMounts: - name: https-tls
- name: certdir secret:
mountPath: /etc/ssl/certs/adcert defaultMode: 420
secretName: oidc-auth-apps-certificate
.. end-connector-config .. end-connector-config
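Review bot: this ``volumeMounts``/``volumes`` block is byte-for-byte the same as the one added to the earlier override example, and the ``wadcert``/``wad-ca-cert`` mismatch fixed elsewhere in this commit is exactly the kind of drift duplicated snippets produce; consider keeping the block in one place (an RST include, or a sentence pointing at the earlier snippet). Minor: the mount path is ``/etc/dex/tls`` here and ``/etc/dex/tls/`` in the default overrides below; harmless, but one spelling is easier to search for.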
@ -403,3 +430,137 @@ Configure OIDC Auth Applications
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ system application-apply oidc-auth-apps ~(keystone_admin)]$ system application-apply oidc-auth-apps
Default helm overrides for oidc-auth-apps application
=====================================================
For backwards compatibility reasons, the default helm overrides for dex helm
are:
.. note::
It is NOT recommended to use these; it is recommended to create
certificates using ``cert-manager`` and explicitly refer to the resulting
certificate secrets in user-specified helm overrides, as described on the
procedure above.
.. code-block:: none
image:
repository: ghcr.io/dexidp/dex
pullPolicy: IfNotPresent
tag: v2.31.1
imagePullSecrets:
- name: default-registry-key
env:
name: KUBERNETES_POD_NAMESPACE
value: kube-system
config:
issuer: https://<OAM_IP>:30556/dex
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
secret: St8rlingX
redirectURIs:
- https://<OAM_IP>:30555/callback
enablePasswordDB: false
web:
tlsCert: /etc/dex/tls/tls.crt
tlsKey: /etc/dex/tls/tls.key
storage:
type: kubernetes
config:
inCluster: true
oauth2:
skipApprovalScreen: true
logger:
level: debug
service:
type: NodePort
ports:
https:
nodePort: 30556
https:
enabled: true
grpc:
enabled: false
nodeSelector:
node-role.kubernetes.io/master: ""
volumeMounts:
- mountPath: /etc/dex/tls/
name: https-tls
volumes:
- name: https-tls
secret:
defaultMode: 420
secretName: local-dex.tls
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- dex
topologyKey: kubernetes.io/hostname
The default helm overrides for oidc-client are:
.. code-block:: none
config:
client_id: stx-oidc-client-app
client_secret: St8rlingX
issuer: https://<OAM_IP>:30556/dex
issuer_root_ca: /home/dex-ca.pem
listen: https://0.0.0.0:5555
redirect_uri: https://<OAM_IP>:30555/callback
tlsCert: /etc/dex/tls/https/server/tls.crt
tlsKey: /etc/dex/tls/https/server/tls.key
nodeSelector:
node-role.kubernetes.io/master: ""
service:
type: NodePort
port: 5555
nodePort: 30555
replicas: <replicate count>
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- stx-oidc-client
topologyKey: kubernetes.io/hostname
helmv3Compatible: true
The default helm overrides for secret-observer are:
.. code-block:: none
namespace: "kube-system"
observedSecrets:
- secretName: "dex-client-secret"
filename: "dex-ca.pem"
deploymentToRestart: "stx-oidc-client"
- secretName: "local-dex.tls"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "local-dex.tls"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
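Review bot: the default overrides publish a fixed OAuth client secret, ``St8rlingX``, in both the dex ``staticClients`` entry and the oidc-client ``client_secret``. The note at the top of this section warns only about the certificates; it should say just as plainly that a deployment must override this client secret with its own value, because the OIDC client authenticates to dex with it and a default printed in public documentation offers no protection. Two smaller points: ``logger.level: debug`` as a shipped default can record request details that should not end up in production logs, so either justify it or default to ``info``; and ``env:`` is written as one mapping with ``name``/``value`` keys, whereas container environment variables are normally a list (``- name: ...``), so confirm the value type the dex chart expects for that key. Also ``<replicate count>`` should read ``<replica count>``.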


@ -43,14 +43,14 @@ certificates.
~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml ~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
--- ---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: system-selfsigning name: system-selfsigning
spec: spec:
selfSigned: {} selfSigned: {}
--- ---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: system-local-ca name: system-local-ca
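Review bot: as with the oidc-auth-apps certificate, only the ``apiVersion`` lines change here, but ``system-local-ca`` is a CA Certificate whose ``spec`` continues below the hunk. Under ``cert-manager.io/v1`` the key settings (``keySize``, ``keyAlgorithm``, ``keyEncoding``) live under ``privateKey`` and ``organization`` under ``subject.organizations``, while ``isCA`` is unchanged; please check the remaining lines of the manifest. The ``selfSigned: {}`` ClusterIssuer needs no further change for v1.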
@ -68,7 +68,7 @@ certificates.
name: system-selfsigning name: system-selfsigning
kind: ClusterIssuer kind: ClusterIssuer
--- ---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: system-local-ca name: system-local-ca
@ -78,7 +78,8 @@ certificates.
EOF EOF
For more information on supported parameters, see For more information on supported parameters, see
https://cert-manager.io/v0.14-docs/reference/api-docs/#acme.cert-manager.io%2fv1alpha2 `https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1
<https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1>`__.
#. Apply the configuration. #. Apply the configuration.
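Review bot: the replacement link uses the URL itself as the link text, unlike the descriptive link text used elsewhere on this page (for example ```Dex Helm Chart Values <...>`__``); suggest ```cert-manager API reference <https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1>`__``. Pointing at the ``cert-manager.io/v1`` group instead of the old ``acme.cert-manager.io`` anchor is the right target for the ``ClusterIssuer`` and ``Certificate`` resources shown in this file.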
@ -122,7 +123,7 @@ certificates.
#. Copy the |PEM| encoded certificate and key from the externally generated #. Copy the |PEM| encoded certificate and key from the externally generated
|CA| to the controller host. |CA| to the controller host.
#. Create a |TLS| secret in cert-manager namespace with the certificate/Key #. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
files: files:
.. code-block:: none .. code-block:: none
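Review bot: ``certificate/Key`` mixes cases; ``certificate/key`` (or "certificate and key files") reads better. Wrapping the namespace as ````cert-manager```` is consistent with how other literals on this page are marked up.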
@ -135,14 +136,13 @@ certificates.
~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml ~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
--- ---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: system-local-ca name: system-local-ca
spec: spec:
ca: ca:
secretName: system-local-ca secretName: system-local-ca
EOF EOF
#. Apply the configuration. #. Apply the configuration.
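Review bot: the ``ca`` ClusterIssuer resolves ``secretName: system-local-ca`` in cert-manager's cluster resource namespace (``cert-manager`` by default), which is why the preceding step creates the |TLS| secret there rather than in ``kube-system``; one sentence saying so would stop readers from placing the secret next to the application and then seeing the issuer fail to become ready. Worth adding that this secret holds the external |CA|'s private key, so access to the ``cert-manager`` namespace should be restricted accordingly.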