Deprovision LDAP Server Authentication

You can remove Windows Active Directory or LDAP authentication from StarlingX.

Procedure

  1. Remove the kube-apiserver configuration that uses oidc-auth-apps for authentication.

    1. Determine the UUIDs of parameters used in the kubernetes kube-apiserver group.

      These include oidc-client-id, oidc-groups-claim, oidc-issuer-url and oidc-username-claim.

      ~(keystone_admin)]$ system service-parameter-list
      
    2. Delete each parameter.

      ~(keystone_admin)]$ system service-parameter-delete <UUID>
      
    3. Apply the changes.

      ~(keystone_admin)]$ system service-parameter-apply kubernetes
      
  2. Uninstall oidc-auth-apps.

    ~(keystone_admin)]$ system application-remove oidc-auth-apps
    
  3. Clear the helm-override configuration.

    ~(keystone_admin)]$ system helm-override-update oidc-auth-apps dex kube-system --reset-values
    ~(keystone_admin)]$ system helm-override-show oidc-auth-apps dex kube-system
    
    ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --reset-values
    ~(keystone_admin)]$ system helm-override-show oidc-auth-apps oidc-client kube-system
    
    ~(keystone_admin)]$ system helm-override-update oidc-auth-apps secret-observer kube-system --reset-values
    ~(keystone_admin)]$ system helm-override-show oidc-auth-apps secret-observer kube-system
    
  4. Remove secrets that contain certificate data. Depending on your configuration, some secrets listed below may not exist.

    ~(keystone_admin)]$ kubectl delete secret dex-ca-cert -n kube-system
    ~(keystone_admin)]$ kubectl delete secret oidc-auth-apps-certificate -n kube-system
    ~(keystone_admin)]$ kubectl delete secret wad-ca-cert -n kube-system
    ~(keystone_admin)]$ kubectl delete secret local-ldap-ca-cert -n kube-system
    ~(keystone_admin)]$ kubectl delete secret local-dex.tls -n kube-system
    ~(keystone_admin)]$ kubectl delete secret dex-client-secret -n kube-system
    
  5. Remove any RBAC RoleBindings added for OIDC users and/or groups.

    For example:

    $ kubectl delete clusterrolebinding testuser-rolebinding
    $ kubectl delete clusterrolebinding billingdeptgroup-rolebinding
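
For step 1, the UUIDs and the matching delete commands can be derived from the listing instead of being copied by hand, which avoids deleting an unrelated service parameter. This is an added example, not part of the StarlingX documentation or code: the function names and the sample table are hypothetical, and it assumes the listing is an ASCII table whose header row has uuid, service and name columns.

```bash
# Added example, not StarlingX code. Assumption: the listing is an ASCII table
# whose header row names "uuid", "service" and "name" columns.
OIDC_PARAMS="oidc-client-id oidc-groups-claim oidc-issuer-url oidc-username-claim"

# Read the table on stdin; print "<uuid> <name>" for each of the four
# parameters on the kubernetes service. Columns are located by header name.
oidc_param_rows() {
  awk -F'|' -v want="$OIDC_PARAMS" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
    !/^[ \t]*\|/ { next }                 # skip borders and other text
    !hdr {                                # first table row is the header
      for (i = 1; i <= NF; i++) col[trim($i)] = i
      if (!(("uuid" in col) && ("service" in col) && ("name" in col))) exit 2
      hdr = 1; next
    }
    trim($(col["service"])) == "kubernetes" && (trim($(col["name"])) in ok) {
      print trim($(col["uuid"])), trim($(col["name"]))
    }
    END { if (!hdr) exit 2 }'
}

# Print the step 1.2 delete command for each match, for review before it is
# run, and note any of the four parameters that are not in the listing.
plan_oidc_removal() {
  rows=$(oidc_param_rows) || { echo "unrecognised table layout" >&2; return 2; }
  for p in $OIDC_PARAMS; do
    printf '%s\n' "$rows" | grep -q " $p\$" || echo "# not listed: $p"
  done
  if [ -n "$rows" ]; then
    printf '%s\n' "$rows" | while read -r uuid name; do
      echo "system service-parameter-delete $uuid   # $name"
    done
  fi
}

# Constructed sample listing: UUIDs and values are made up, columns trimmed.
SAMPLE_LISTING='+--------------------------------------+------------+---------------------+----------------+
| uuid                                 | service    | name                | value          |
+--------------------------------------+------------+---------------------+----------------+
| 00000000-0000-0000-0000-000000000001 | kubernetes | oidc-client-id      | example-client |
| 00000000-0000-0000-0000-000000000002 | kubernetes | oidc-groups-claim   | groups         |
| 00000000-0000-0000-0000-000000000003 | kubernetes | oidc-username-claim | email          |
| 00000000-0000-0000-0000-000000000004 | kubernetes | example-other-param | 1              |
| 00000000-0000-0000-0000-000000000005 | example    | oidc-issuer-url     | idp.example    |
+--------------------------------------+------------+---------------------+----------------+'

# On a controller: system service-parameter-list | plan_oidc_removal
printf '%s\n' "$SAMPLE_LISTING" | plan_oidc_removal
```

Review the printed commands, run them, then continue with step 1.3 to apply the change.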