docs/doc/source/security/kubernetes/oidc-client-dex-server-certificates-dc174462d51a.rst
Suzana Fernandes 9fa54fe44e Create Security Guide Reference
Change-Id: I1cfdc44fb72907e9e34294194084c59e29d8d80a
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-11-01 18:01:33 +00:00

4.4 KiB
Raw Blame History

OIDC Client Dex Server Certificates

The oidc-auth-apps application installs a proxy identity provider (dex server) that can be configured to proxy authentication requests to an (s) identity provider, such as Windows Active Directory.

The oidc-auth-apps application also provides an client for accessing the username and password login page for user authentication and retrieval of tokens.

Note

For details on installing, configuring, and using oidc-auth-apps, refer to User Authentication Using Windows Active Directory <user-authentication-using-windows-active-directory-security-index>.

This section is specifically about certificates management.

Oidc-auth-apps needs three certificates to work:

  • client and identity provider server certificate (secret local-dex.tls)
  • trusted certificate (secret dex-client-secret)
  • Windows Active Directory certificate (secret wadcert)

OIDC client and identity provider server certificate

client and Identity provider server certificate is used to secure the connection between client and identity provider by HTTPS.

This certificate is stored in Kubernetes TLS secret local-dex.tls.

OIDC client and identity provider trusted CA certificate

The trusted certificate is the certificate that signs the client and identity server certificate.

It has to be installed for client to verify identity server's certificate for HTTPS connection.

trusted certificate is stored in Kubernetes secret dex-client-secret.

Windows Active Directory CA certificate (WAD CA certificate)

certificate is the certificate that signed the Windows Active Directory that is configured to proxy authentication requests to.

In order for identity provider (as the authentication proxy) to securely connect and authenticate users to the Windows Active Directory by HTTPS, the 's certificate needs to installed and configured for to trust the Windows Active Directory.

Install OIDC certificates

certificates are not auto generated.

They need to be installed as Kubernetes secrets as part of the app configuration.

Refer to Configure OIDC Auth Applications <configure-oidc-auth-applications>, on how to install certificates into Kubernetes secrets.

Update/Renew OIDC certificates

The client and identity provider certificate, if configured via cert-manager (as described in Configure OIDC Auth Applications <configure-oidc-auth-applications>), is auto-renewed.

However, the client and identity provider trusted certificate and the Windows Active Directory certificate are not auto renewed. They have to be renewed manually by updating the secrets from the new certificate files and restarting the oidc-auth application.

  1. Update/renew client and identity provider server certificate:

    Note

    This step is only required if you are not using cert-manager for your certificate as described in configure-oidc-auth-applications.

    ~(keystone_admin)]$ kubectl create secret tls local-dex.tls --cert=/home/sysadmin/new_ssl/dex-cert.pem --key=/home/sysadmin/new_ssl/dex-key.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
  2. Update/renew trusted certificate:

    ~(keystone_admin)]$ kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/new_ssl/dex-ca.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
  3. Update/renew certificate:

    ~(keystone_admin)]$ kubectl create secret generic wadcert --from-file=/home/sysadmin/new_ssl/AD_CA.cer save-config dry-run=client -n kube-system -o yaml | kubectl apply -f -
  4. Restart client and identity provider proxy (dex-server):

    ~(keystone_admin)]$ kubectl rollout restart deployment oidc-dex -n kube-system
    ~(keystone_admin)]$ kubectl rollout restart deployment stx-oidc-client -n kube-system