Per Teresa H. OIDC CLI access script is part of image and does not need to be downloaded. Cleaned up explicit references to DS downloads location and replaced with placeholder. Added note that oidc-auth script needs to be downloaded if used from remote hosts Patchset2 review updates
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: I9e713b9c41d8dbe4bad0fe0c2866c913853a79db
Obtain the Authentication Token Using the oidc-auth Shell Script
You can obtain the authentication token using the oidc-auth shell script.
You can use the oidc-auth script both locally on the active controller and on a remote workstation where you are running kubectl and helm commands.
The oidc-auth script retrieves the ID token from Windows Active Directory using the client, and dex, and updates the Kubernetes credential for the user in the kubectl config file.
- On controller-0, oidc-auth is installed as part of the base installation, and ready to use.
- On remote hosts, oidc-auth must be installed from .
- On a remote workstation using remote-cli container, oidc-auth is installed within the remote-cli container, and ready to use. For more information on configuring remote CLI access, see Configure Remote CLI Access.
- On a remote host, when using directly installed kubectl and helm, the following setup is required:
  Install "Python Mechanize" module using the following command:
  sudo pip2 install mechanize
Note
The oidc-auth script supports authenticating with an oidc-auth-apps configured with a single LDAP connector or with multiple LDAP connectors.
Run the oidc-auth script to authenticate and update the user credentials in the kubectl config file with the retrieved token.
If oidc-auth-apps is deployed with a single backend LDAP connector, run the following command:
~(keystone_admin)]$ oidc-auth -c <ip> -u <username>
For example,
~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
Password:
Login succeeded.
Updating kubectl config ...
User testuser set.
If oidc-auth-apps is deployed with multiple backend LDAP connectors, run the following command:
~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>
Note
If you are running oidc-auth within the containerized remote CLI, you must use the -p <password> option to run the command non-interactively.
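
A check to run once oidc-auth has updated the kubectl config file, given as an added example (it is not part of this documentation or of the oidc-auth script): it decodes the ID token's claims for inspection, reports missing or expired claims, and flags a kubectl config file that other users can access. It assumes you pass in the compact JWT stored for the user (visible with kubectl config view --raw); the sample token, issuer URL and client name below are constructed.

```python
import base64
import json
import os
import stat
import time


def decode_claims(id_token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_findings(id_token, now=None):
    """Return problems found in the ID token's claims (missing or expired)."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    findings = ["missing %s claim" % c for c in ("iss", "sub", "aud", "exp")
                if c not in claims]
    if "exp" in claims and claims["exp"] <= now:
        findings.append("token expired %d s ago" % (now - claims["exp"]))
    return findings


def kubeconfig_findings(path):
    """The kubectl config holds a bearer token; flag group/other access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s has mode %o, expected 600" % (path, mode)]
    return []


def make_sample_token(claims):
    """Constructed, unsigned token for the demo; not a real dex-issued token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    sample = make_sample_token({"iss": "https://dex.example.invalid/dex", "sub": "testuser",
                                "aud": "example-client", "exp": 1700000000})
    print(token_findings(sample, now=1700000600))
    cfg = os.path.expanduser("~/.kube/config")  # default kubectl config path
    print(kubeconfig_findings(cfg) if os.path.exists(cfg) else "no kubectl config")
```

The decode step does not validate the signature, so use it only to inspect a token you already obtained; the Kubernetes API server remains the party that verifies it.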