9fa54fe44e
Change-Id: I1cfdc44fb72907e9e34294194084c59e29d8d80a Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
8.7 KiB
Configure OIDC/LDAP Authentication for Kubernetes User Authentication
After installing , you should configure / authentication for kubernetes access user authentication.
/ authentication can be supported by 's local server and/or up to three remote servers (for example, Windows Active Directory).
In this example, / authentication is setup for local .
- You must have the credentials for the 'sysadmin' local Linux user account used for installation.
Login to the active controller as the 'sysadmin' user.
Use either a local console or .
Setup 'sysadmin' credentials.
$ source /etc/platform/openrcConfigure Kubernetes for token validation.
Use the default nodePort for the
oidc-auth-appssystem application of 30556.$ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}') $ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app $ system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups $ system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=https://${OAMIP}:30556/dex $ system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email $ system service-parameter-apply kubernetesConfigure and apply the
oidc-auth-appssystem application.Create the certificate to be used by both the client and the identity provider.
$ mkdir /home/sysadmin/oidc $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}') $ cat <<EOF > /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: oidc-auth-apps-certificate namespace: kube-system spec: secretName: oidc-auth-apps-certificate duration: 2160h # 90 days renewBefore: 360h # 15 days issuerRef: name: system-local-ca kind: ClusterIssuer commonName: ${OAMIP} subject: organizations: - ABC-Company organizationalUnits: - StarlingX-system-oidc-auth-apps ipAddresses: - ${OAMIP} EOF $ kubectl apply -f/home/sysadmin/oidc/oidc-auth-apps-certificate.yamlConfigure the -client with the client certificate and identity server certificate (created in the
Create the certificate to be used by both the OIDC client and the OIDC identity providerstep) and the Trusted that you used to sign these certificates (i.e., the system-local-ca).$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/oidc/dex-ca-cert.crt $ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/oidc/dex-ca-cert.crt -n kube-system $ cat <<EOF > /home/sysadmin/oidc/oidc-client-overrides.yaml tlsName: oidc-auth-apps-certificate config: # The |OIDC|-client container mounts the dex-ca-cert secret at /home, therefore # issuer_root_ca: /home/<filename-only-of-generic-secret> issuer_root_ca: /home/dex-ca-cert.crt issuer_root_ca_secret: dex-ca-cert # secret for accessing dex client_secret: stx-oidc-client-p@ssw0rd EOF $ system helm-override-update oidc-auth-apps oidc-client kube-system --values /home/sysadmin/oidc/oidc-client-overrides.yamlConfigure the secret observer to track renewals of certificates.
$ cat <<EOF > /home/sysadmin/oidc/secret-observer-overrides.yaml cronSchedule: "*/15 * * * *" observedSecrets: - secretName: "dex-ca-cert" filename: "dex-ca-cert.crt" deploymentToRestart: "stx-oidc-client" - secretName: "oidc-auth-apps-certificate" filename: "tls.crt" deploymentToRestart: "stx-oidc-client" - secretName: "oidc-auth-apps-certificate" filename: "tls.crt" deploymentToRestart: "oidc-dex" EOF $ system helm-override-update oidc-auth-apps secret-observer kube-system --values /home/sysadmin/oidc/secret-observer-overrides.yamlCreate a secret with the certificate of the that signed the certificate of local , i.e.,
system-local-ca, to be used in theSpecify the configuration for connecting to Local LDAP in the user overrides for the oidc-auth-apps applicationstep.$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.\ `data.ca <http://data.ca>`__\\.crt}' | base64 --decode > /home/sysadmin/oidc/local-ldap-ca-cert.crt $ kubectl create secret generic local-ldap-ca-cert --from-file=/home/sysadmin/oidc/local-ldap-ca-cert.crt -n kube-systemSpecify the configuration for connecting to local in the user overrides for the
oidc-auth-appsapplication.$ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}') $ MGMTIP=$(system addrpool-list --nowrap | fgrep management | awk '{print $14}') $ BINDPW=$(keyring get ldap ldapadmin) $ cat <<EOF > /home/sysadmin/oidc/dex-overrides.yaml config: staticClients: - id: stx-oidc-client-app name: STX OIDC Client app redirectURIs: ['https://${OAMIP}:30555/callback'] secret: stx-oidc-client-p@ssw0rd expiry: idTokens: "10h" connectors: - type: ldap name: LocalLDAP id: localldap-1 config: host: ${MGMTIP}:636 rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt insecureNoSSL: false insecureSkipVerify: false bindDN: CN=ldapadmin,DC=cgcs,DC=local bindPW: ${BINDPW} usernamePrompt: Username userSearch: baseDN: ou=People,dc=cgcs,dc=local filter: "(objectClass=posixAccount)" username: uid idAttr: DN emailAttr: uid nameAttr: gecos groupSearch: baseDN: ou=Group,dc=cgcs,dc=local filter: "(objectClass=posixGroup)" userMatchers: - userAttr: uid groupAttr: memberUid nameAttr: cn volumeMounts: - mountPath: /etc/ssl/certs/adcert name: certdir - mountPath: /etc/dex/tls name: https-tls volumes: - name: certdir secret: secretName: local-ldap-ca-cert - name: https-tls secret: defaultMode: 420 secretName: oidc-auth-apps-certificate EOF $ system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/oidc/dex-overrides.yamlApply the
oidc-auth-appssystem application.$ system application-apply oidc-auth-appsWait for the
oidc-auth-appssystem application to reach the 'applied' status.$ system application-list
See create-first-system-administrator-1775e1b20941.