Configure OIDC/LDAP Authentication for Kubernetes User Authentication

After installing StarlingX, configure OIDC/LDAP authentication for Kubernetes user authentication.

OIDC/LDAP authentication can be supported by StarlingX’s local LDAP server and/or up to three remote LDAP servers (for example, Windows Active Directory).

In this example, OIDC/LDAP authentication is set up for the local LDAP server.

Prerequisites

  • You must have the credentials for the ‘sysadmin’ local Linux user account used for installation.

Procedure

  1. Login to the active controller as the ‘sysadmin’ user.

    Use either a local console or SSH.

  2. Set up ‘sysadmin’ credentials.

    $ source /etc/platform/openrc
    
  3. Configure Kubernetes for OIDC token validation.

    Use the default nodePort of the oidc-auth-apps system application, 30556.

    $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=https://${OAMIP}:30556/dex
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email
    
    $ system service-parameter-apply kubernetes
    
  4. Configure and apply the oidc-auth-apps system application.

    1. Create the certificate to be used by both the OIDC client and the OIDC identity provider.

      $ mkdir /home/sysadmin/oidc
      
      $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
      
      $ cat <<EOF > /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
         name: oidc-auth-apps-certificate
         namespace: kube-system
      spec:
         secretName: oidc-auth-apps-certificate
         duration: 2160h # 90 days
         renewBefore: 360h # 15 days
         issuerRef:
            name: system-local-ca
            kind: ClusterIssuer
         commonName: ${OAMIP}
         subject:
            organizations:
               - ABC-Company
            organizationalUnits:
               - StarlingX-system-oidc-auth-apps
         ipAddresses:
         - ${OAMIP}
      EOF
      
      $ kubectl apply -f /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml
      
    2. Configure the OIDC-client with the OIDC client certificate and OIDC identity server certificate (created in step 1, Create the certificate to be used by both the OIDC client and the OIDC identity provider) and the trusted CA that signed these certificates (i.e., the system-local-ca).

      $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/oidc/dex-ca-cert.crt
      
      $ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/oidc/dex-ca-cert.crt  -n kube-system
      
      $ cat <<EOF > /home/sysadmin/oidc/oidc-client-overrides.yaml
      tlsName: oidc-auth-apps-certificate
      config:
         # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
         # issuer_root_ca: /home/<filename-only-of-generic-secret>
         issuer_root_ca: /home/dex-ca-cert.crt
         issuer_root_ca_secret: dex-ca-cert
         # secret for accessing dex
         client_secret: stx-oidc-client-p@ssw0rd
      EOF
      
      $ system helm-override-update oidc-auth-apps oidc-client kube-system --values /home/sysadmin/oidc/oidc-client-overrides.yaml
      
    3. Configure the secret observer to track renewals of certificates.

      $ cat <<EOF > /home/sysadmin/oidc/secret-observer-overrides.yaml
      cronSchedule: "*/15 * * * *"
      observedSecrets:
        - secretName: "dex-ca-cert"
          filename: "dex-ca-cert.crt"
          deploymentToRestart: "stx-oidc-client"
        - secretName: "oidc-auth-apps-certificate"
          filename: "tls.crt"
          deploymentToRestart: "stx-oidc-client"
        - secretName: "oidc-auth-apps-certificate"
          filename: "tls.crt"
          deploymentToRestart: "oidc-dex"
      EOF
      
      $ system helm-override-update oidc-auth-apps secret-observer kube-system --values /home/sysadmin/oidc/secret-observer-overrides.yaml
      
    4. Create a secret containing the certificate of the CA that signed the local LDAP server certificate (i.e., system-local-ca). It is referenced in step 5, Specify the configuration for connecting to local LDAP in the user overrides for the oidc-auth-apps application.

      $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/oidc/local-ldap-ca-cert.crt
      
      $ kubectl create secret generic local-ldap-ca-cert --from-file=/home/sysadmin/oidc/local-ldap-ca-cert.crt -n kube-system
      
    5. Specify the configuration for connecting to local LDAP in the user overrides for the oidc-auth-apps application.

      $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
      
      $ MGMTIP=$(system addrpool-list --nowrap | fgrep management |  awk '{print $14}')
      
      $ BINDPW=$(keyring get ldap ldapadmin)
      
      $ cat <<EOF > /home/sysadmin/oidc/dex-overrides.yaml
      config:
        staticClients:
        - id: stx-oidc-client-app
          name: STX OIDC Client app
          redirectURIs: ['https://${OAMIP}:30555/callback']
          secret: stx-oidc-client-p@ssw0rd
        expiry:
          idTokens: "10h"
        connectors:
        - type: ldap
          name: LocalLDAP
          id: localldap-1
          config:
            host: ${MGMTIP}:636
            # CA that signed the local LDAP server certificate, mounted from the
            # local-ldap-ca-cert secret via the certdir volume below
            rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
            insecureNoSSL: false
            insecureSkipVerify: false
            bindDN: CN=ldapadmin,DC=cgcs,DC=local
            bindPW: ${BINDPW}
            usernamePrompt: Username
            userSearch:
              baseDN: ou=People,dc=cgcs,dc=local
              filter: "(objectClass=posixAccount)"
              username: uid
              idAttr: DN
              emailAttr: uid
              nameAttr: gecos
            # groupSearch is part of the connector config, alongside userSearch
            groupSearch:
              baseDN: ou=Group,dc=cgcs,dc=local
              filter: "(objectClass=posixGroup)"
              userMatchers:
              - userAttr: uid
                groupAttr: memberUid
              nameAttr: cn
      # Pod volumes are chart values, not part of the dex config
      volumeMounts:
      - mountPath: /etc/ssl/certs/adcert
        name: certdir
      - mountPath: /etc/dex/tls
        name: https-tls
      volumes:
      - name: certdir
        secret:
          secretName: local-ldap-ca-cert
      - name: https-tls
        secret:
          defaultMode: 420
          secretName: oidc-auth-apps-certificate
      EOF
      
      $ system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/oidc/dex-overrides.yaml
      
    6. Apply the oidc-auth-apps system application.

      $ system application-apply oidc-auth-apps
      
    7. Wait for the oidc-auth-apps system application to reach the ‘applied’ status.

      $ system application-list
      

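The following Python script is an added illustration, not part of the StarlingX procedure or of the oidc-auth-apps application, of how the two halves configured above fit together: the Dex LDAP connector resolves a user with userSearch and the user's groups with groupSearch/userMatchers (uid matched against memberUid), then issues an ID token carrying the email and groups claims; kube-apiserver, with oidc-issuer-url, oidc-client-id, oidc-username-claim and oidc-groups-claim set as in step 3, validates that token and maps it to a Kubernetes user name and group list. The LDAP entries, OAM IP, user names and signing key are constructed stand-ins, and tokens are signed with HMAC-SHA256 so the script runs offline; real Dex tokens are RS256-signed with keys published by the issuer, which the apiserver fetches over TLS using the CA configured for it.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the procedure (OAM IP is a constructed placeholder).
ISSUER = "https://10.10.10.2:30556/dex"    # oidc-issuer-url
CLIENT_ID = "stx-oidc-client-app"          # oidc-client-id == Dex staticClients[].id
USERNAME_CLAIM = "email"                   # oidc-username-claim
GROUPS_CLAIM = "groups"                    # oidc-groups-claim
SIGNING_KEY = b"constructed-demo-key"      # stand-in for Dex's RS256 key pair

# Constructed LDAP entries shaped like the ou=People / ou=Group trees the overrides search.
LDAP_USERS = [
    {"dn": "uid=admin-user,ou=People,dc=cgcs,dc=local", "objectClass": "posixAccount",
     "uid": "admin-user", "gecos": "Admin User"},
    {"dn": "uid=ops-user,ou=People,dc=cgcs,dc=local", "objectClass": "posixAccount",
     "uid": "ops-user", "gecos": "Ops User"},
    # Not a posixAccount: filtered out by userSearch.filter, so it can never log in via Dex.
    {"dn": "cn=printer,ou=People,dc=cgcs,dc=local", "objectClass": "device", "uid": "printer"},
]
LDAP_GROUPS = [
    {"dn": "cn=billingDeptGroup,ou=Group,dc=cgcs,dc=local", "objectClass": "posixGroup",
     "cn": "billingDeptGroup", "memberUid": ["admin-user", "ops-user"]},
    {"dn": "cn=managerGroup,ou=Group,dc=cgcs,dc=local", "objectClass": "posixGroup",
     "cn": "managerGroup", "memberUid": ["admin-user"]},
]

# Connector settings copied from dex-overrides.yaml (idAttr "DN" is the entry's DN).
USER_SEARCH = {"filter": "posixAccount", "username": "uid", "idAttr": "dn",
               "emailAttr": "uid", "nameAttr": "gecos"}
GROUP_SEARCH = {"filter": "posixGroup", "nameAttr": "cn",
                "userMatchers": [{"userAttr": "uid", "groupAttr": "memberUid"}]}


def ldap_find_user(username):
    """userSearch: the entry matching the objectClass filter whose `username` attr equals the login."""
    for entry in LDAP_USERS:
        if entry["objectClass"] == USER_SEARCH["filter"] and entry.get(USER_SEARCH["username"]) == username:
            return entry
    return None


def ldap_groups_for(user):
    """groupSearch: a group matches when, for some userMatcher, user[userAttr] is in group[groupAttr]."""
    names = []
    for group in LDAP_GROUPS:
        if group["objectClass"] != GROUP_SEARCH["filter"]:
            continue
        if any(user.get(m["userAttr"]) in group.get(m["groupAttr"], []) for m in GROUP_SEARCH["userMatchers"]):
            names.append(group[GROUP_SEARCH["nameAttr"]])
    return names


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(username, now=None, ttl=10 * 3600, issuer=ISSUER):
    """What Dex returns after a successful LDAP bind: a signed JWT with email/name/groups.
    ttl mirrors expiry.idTokens: "10h". Returns None when userSearch finds nobody."""
    user = ldap_find_user(username)
    if user is None:
        return None
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "aud": CLIENT_ID, "sub": user[USER_SEARCH["idAttr"]],
              "iat": now, "exp": now + ttl,
              "email": user[USER_SEARCH["emailAttr"]], "name": user.get(USER_SEARCH["nameAttr"]),
              "groups": ldap_groups_for(user)}
    signing_input = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + \
        _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def apiserver_authenticate(token, now=None):
    """The checks kube-apiserver makes with the four oidc-* service parameters.
    Returns (username, groups); raises ValueError for anything it would reject."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")          # token not from our oidc-issuer-url
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")        # token minted for another client
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {USERNAME_CLAIM} claim")
    # With oidc-username-claim=email the value is used unprefixed; any other claim
    # would be prefixed with the issuer URL unless oidc-username-prefix is set.
    return username, list(claims.get(GROUPS_CLAIM, []))
```

The returned user name and group names are what RBAC RoleBindings must reference; a group appears in the token only if the user's uid is listed in that posixGroup's memberUid, which is the whole effect of the userMatchers block.
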
Postrequisites

See Create First System Administrator.