Change-Id: I1cfdc44fb72907e9e34294194084c59e29d8d80a Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
4.4 KiB
OIDC Client Dex Server Certificates
The oidc-auth-apps application installs a proxy identity provider (dex server) that can be configured to proxy authentication requests to an (s) identity provider, such as Windows Active Directory.
The oidc-auth-apps application also provides an client for accessing the username and password login page for user authentication and retrieval of tokens.
Note
For details on installing, configuring, and using oidc-auth-apps,
refer to User Authentication Using Windows Active Directory
<user-authentication-using-windows-active-directory-security-index>
.
This section is specifically about certificates management.
Oidc-auth-apps needs three certificates to work:
- client and identity provider server certificate (secret
local-dex.tls
) - trusted certificate (secret
dex-client-secret
) - Windows Active Directory certificate (secret wadcert)
OIDC client and identity provider server certificate
client and Identity provider server certificate is used to secure the connection between client and identity provider by HTTPS.
This certificate is stored in Kubernetes TLS secret
local-dex.tls
.
OIDC client and identity provider trusted CA certificate
The trusted certificate is the certificate that signs the client and identity server certificate.
It has to be installed for client to verify identity server's certificate for HTTPS connection.
trusted certificate is stored in Kubernetes secret
dex-client-secret
.
Windows Active Directory CA certificate (WAD CA certificate)
certificate is the certificate that signed the Windows Active Directory that is configured to proxy authentication requests to.
In order for identity provider (as the authentication proxy) to securely connect and authenticate users to the Windows Active Directory by HTTPS, the 's certificate needs to installed and configured for to trust the Windows Active Directory.
Install OIDC certificates
certificates are not auto generated.
They need to be installed as Kubernetes secrets as part of the app configuration.
Refer to Configure OIDC Auth Applications
<configure-oidc-auth-applications>
, on how to install
certificates into Kubernetes secrets.
Update/Renew OIDC certificates
The client and identity provider certificate, if configured via
cert-manager (as described in Configure OIDC Auth Applications
<configure-oidc-auth-applications>
), is auto-renewed.
However, the client and identity provider trusted certificate and the
Windows Active Directory certificate are not auto renewed. They have to
be renewed manually by updating the secrets from the new certificate
files and restarting the oidc-auth
application.
Update/renew client and identity provider server certificate:
Note
This step is only required if you are not using cert-manager for your certificate as described in
configure-oidc-auth-applications
.~(keystone_admin)]$ kubectl create secret tls local-dex.tls --cert=/home/sysadmin/new_ssl/dex-cert.pem --key=/home/sysadmin/new_ssl/dex-key.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
Update/renew trusted certificate:
~(keystone_admin)]$ kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/new_ssl/dex-ca.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
Update/renew certificate:
~(keystone_admin)]$ kubectl create secret generic wadcert --from-file=/home/sysadmin/new_ssl/AD_CA.cer –save-config –dry-run=client -n kube-system -o yaml | kubectl apply -f -
Restart client and identity provider proxy (dex-server):
~(keystone_admin)]$ kubectl rollout restart deployment oidc-dex -n kube-system ~(keystone_admin)]$ kubectl rollout restart deployment stx-oidc-client -n kube-system