docs/doc/source/security/kubernetes/oidc-client-dex-server-certificates-dc174462d51a.rst
Suzana Fernandes 9fa54fe44e Create Security Guide Reference
Change-Id: I1cfdc44fb72907e9e34294194084c59e29d8d80a
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-11-01 18:01:33 +00:00


.. _oidc-client-dex-server-certificates-dc174462d51a:

===================================
OIDC Client Dex Server Certificates
===================================

The oidc-auth-apps application installs a proxy |OIDC| identity provider (dex
server) that can be configured to proxy authentication requests to an
|LDAP|\ (s) identity provider, such as Windows Active Directory.

The oidc-auth-apps application also provides an |OIDC| client for accessing the
username and password |OIDC| login page for user authentication and retrieval
of tokens.

.. note::

    For details on installing, configuring, and using oidc-auth-apps,
    refer to :ref:`User Authentication Using Windows Active Directory
    <user-authentication-using-windows-active-directory-security-index>`.

This section is specifically about |OIDC| certificate management.

oidc-auth-apps needs three certificates to work:

- |OIDC| client and identity provider server certificate (secret
  ``local-dex.tls``)
- |OIDC| trusted |CA| certificate (secret ``dex-client-secret``)
- Windows Active Directory |CA| certificate (secret ``wadcert``)
**OIDC client and identity provider server certificate**

The |OIDC| client and identity provider server certificate is used to secure the
HTTPS connection between the |OIDC| client and the identity provider.

This certificate is stored in the Kubernetes TLS secret ``local-dex.tls``.

**OIDC client and identity provider trusted CA certificate**

The |OIDC| trusted |CA| certificate is the |CA| certificate that signs the
|OIDC| client and identity provider server certificate.

It has to be installed so that the |OIDC| client can verify the identity
provider server's certificate when establishing the HTTPS connection.

The |OIDC| trusted |CA| certificate is stored in the Kubernetes secret
``dex-client-secret``.

**Windows Active Directory CA certificate (WAD CA certificate)**

The |WAD| |CA| certificate is the |CA| certificate that signed the certificate
of the Windows Active Directory server to which |OIDC| is configured to proxy
authentication requests.

In order for the |OIDC| identity provider (acting as the authentication proxy)
to securely connect to the Windows Active Directory server over HTTPS and
authenticate users against it, the |WAD| |CA| certificate needs to be installed
and configured so that |OIDC| trusts the Windows Active Directory server.
-------------------------
Install OIDC certificates
-------------------------

|OIDC| certificates are not auto-generated.
They need to be installed as Kubernetes secrets as part of the |OIDC| app
configuration.

Refer to :ref:`Configure OIDC Auth Applications
<configure-oidc-auth-applications>` for how to install |OIDC| certificates into
Kubernetes secrets.

------------------------------
Update/Renew OIDC certificates
------------------------------

The |OIDC| client and identity provider certificate, if configured via
cert-manager (as described in :ref:`Configure OIDC Auth Applications
<configure-oidc-auth-applications>`), is auto-renewed.

However, the |OIDC| client and identity provider trusted |CA| certificate and
the Windows Active Directory |CA| certificate are not auto-renewed. They have
to be renewed manually by updating the secrets from the new certificate files
and restarting the ``oidc-auth`` application.
.. rubric:: |proc|

#. Update/renew the |OIDC| client and identity provider server certificate:

   .. note::

       This step is only required if you are not using cert-manager for your
       certificate as described in :ref:`configure-oidc-auth-applications`.

   .. code-block:: none

       ~(keystone_admin)]$ kubectl create secret tls local-dex.tls --cert=/home/sysadmin/new_ssl/dex-cert.pem --key=/home/sysadmin/new_ssl/dex-key.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -

#. Update/renew the |OIDC| trusted |CA| certificate:

   .. code-block:: none

       ~(keystone_admin)]$ kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/new_ssl/dex-ca.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -

#. Update/renew the |WAD| |CA| certificate:

   .. code-block:: none

       ~(keystone_admin)]$ kubectl create secret generic wadcert --from-file=/home/sysadmin/new_ssl/AD_CA.cer --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -

#. Restart the |OIDC| client and identity provider proxy (dex-server):

   .. code-block:: none

       ~(keystone_admin)]$ kubectl rollout restart deployment oidc-dex -n kube-system
       ~(keystone_admin)]$ kubectl rollout restart deployment stx-oidc-client -n kube-system