Obtain the Authentication Token Using the oidc-auth Shell Script

You can obtain the authentication token using the oidc-auth shell script.

About this task

You can use the oidc-auth script both locally on the active controller, as well as on a remote workstation where you are running kubectl and helm commands.

The oidc-auth script retrieves the ID token from Windows Active Directory using the OIDC client, and dex, and updates the Kubernetes credential for the user in the kubectl config file.

• On controller-0, oidc-auth is installed as part of the base StarlingX installation, and ready to use.

• On remote hosts, oidc-auth must be installed from a StarlingX mirror.

• On a remote host, when using directly installed kubectl and helm, the following setup is required:

  • Install “Python Mechanize” module using the following command:

    sudo pip2 install mechanize
    

Note

oidc-auth script supports authenticating with a StarlingX oidc-auth-apps configured with single, or multiple ldap connectors.

Procedure

1. Run oidc-auth script in order to authenticate and update user credentials in kubectl config file with the retrieved token.

   • If oidc-auth-apps is deployed with a single backend ldap connector, run the following command:

     ~(keystone_admin)]$ oidc-auth -c <ip> -u <username>
     

     For example,

     ~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
     Password:
     Login succeeded.
     Updating kubectl config ...
     User testuser set.
     

   • If oidc-auth-apps is deployed with multiple backend ldap connectors, run the following command:

     ~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>
     

   Note

   If you are running oidc-auth within the StarlingX containerized remote CLI, you must use the -p <password> option to run the command non-interactively.