.. afi1590692698424 .. _centralized-vs-distributed-oidc-auth-setup: ==================================================== Centralized vs Distributed OIDC Authentication Setup ==================================================== In a |prod-dc| configuration, you can configure |OIDC| authentication in a distributed or centralized setup. For other configurations, like |AIO-SX|, |AIO-DX| or Standard Cloud, follow the instructions in the distributed setup documented below. .. _centralized-vs-distributed-oidc-auth-setup-section-ugc-xr5-wlb: ----------------- Distributed Setup ----------------- For a distributed setup, configure the **kube-apiserver** and the **oidc-auth-apps** independently for each cloud, System Controller, and all subclouds. The **oidc-auth-apps** runs on each active controller of the setup and the **kube-apiserver** is configured to point to the local instance of **oidc-auth-apps**. For more information, see: .. _centralized-vs-distributed-oidc-auth-setup-ul-gjs-ds5-wlb: - Configure Kubernetes for |OIDC| Token Validation - :ref:`Configure Kubernetes for OIDC Token Validation while Bootstrapping the System ` **or** - :ref:`Configure Kubernetes for OIDC Token Validation after Bootstrapping the System ` - :ref:`Configure OIDC Auth Applications ` All clouds **oidc-auth-apps** can be configured to communicate to the same or different authentication servers (Windows Active Directory and/or |LDAP|). However, each cloud manages |OIDC| tokens individually. A user must login, authenticate, and get an |OIDC| token for each cloud independently. .. _centralized-vs-distributed-oidc-auth-setup-section-yqz-yr5-wlb: ----------------- Centralized Setup ----------------- For a centralized setup, the **oidc-auth-apps** is configured '**only**' on the System Controller. The **kube-apiserver** must be configured on all clouds, System Controller, and all subclouds, to point to the centralized **oidc-auth-apps** running on the System Controller. In the centralized setup, a user logs in, authenticates, and gets an |OIDC| token from the Central System Controller's |OIDC| identity provider, and uses the |OIDC| token with '**any**' of the subclouds as well as the System Controller cloud. For a centralized |OIDC| authentication setup, use the following procedure: .. rubric:: |proc| #. Configure the **kube-apiserver** parameters on the System Controller and each subcloud either during bootstrapping or by using the **system service-parameter-add kubernetes kube_apiserver** command after bootstrapping the system, using the System Controller's floating OAM IP address as the oidc-issuer-url for all clouds. For example, ``oidc-issuer-url=https://:/dex`` on the subcloud. For more information, see: - :ref:`Configure Kubernetes for OIDC Token Validation while Bootstrapping the System ` **or** - :ref:`Configure Kubernetes for OIDC Token Validation after Bootstrapping the System ` #. Configure the **oidc-auth-apps** only on the System Controller. For more information, see :ref:`Configure OIDC Auth Applications ` .. note:: For IPv6 deployments, ensure that the IPv6 OAM floating address is, ``https://\[\]:30556/dex`` (that is, in lower case, and wrapped in square brackets). .. rubric:: |postreq| For more information on configuring Users, Groups, Authorization, and **kubectl** for the user and retrieving the token on subclouds, see: .. _centralized-vs-distributed-oidc-auth-setup-ul-vf3-jnl-vlb: - :ref:`Configure Users, Groups, and Authorization ` - :ref:`Configure Kubernetes Client Access `