Application: oidc-auth-armada-app
Source
Building
From the Debian Build environment:
build-pkgs -c -p helm,oidc-client-helm,secret-observer-helm,dexidp-helm,build-info,python3-k8sapp-oidc,stx-oidc-auth-helm
The command above produces the package "stx-oidc-auth-helm_<version>_<arch>.deb" that contains the tarball "oidc-auth-apps-<version>.tgz".
Testing
!!! WORK IN PROGRESS !!!
In this guide, the oidc-auth-apps will be referred simply as "OIDC app".
The instructions below show how to configure the OIDC app to authenticate against the local LDAP server. They are divided into two parts: the first configures the Kubernetes API server to accept OIDC tokens issued by the OIDC app; the second configures the OIDC app itself.
For AIO-SX, AIO-DX and Standard environments, execute the first and the second parts in the active controller, as the Kubernetes API server, the OIDC app and the local LDAP server are running in the same controller.
For Distributed Cloud environments, the OIDC app can be deployed in a distributed setup, where the app is configured in every active controller (in the System Controller and in every subcloud), or in a centralized setup, where the app only runs in the System Controller. For distributed setups, execute the first and the second parts in every active controller; for centralized setups, execute the first part in every active controller and the second part only in the System Controller.
- First part: configuration of Kubernetes API server.
# Set the variable OAM_IP to the floating OAM address of the controller where the OIDC app will run.
# It is always the floating OAM address of the controller where you are running these commands, except for DC
# centralized setups, where the OAM_IP should be set to the floating OAM address of the System Controller (the OIDC app
# only runs there).
OAM_IP="10.20.5.3" # IPv4 example, remember to replace this value.
#OAM_IP="fd00::a14:803" # IPv6 example, remember to replace this value.
ISSUER_URL="https://${OAM_IP}:30556/dex" # Use this if OAM_IP is an IPv4 address.
#ISSUER_URL="https://[${OAM_IP}]:30556/dex" # Use this if OAM_IP is an IPv6 address, the "[]" chars are needed.

# Set the "kube_apiserver" service parameters and apply.
source /etc/platform/openrc
system service-parameter-list | grep oidc
system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=$ISSUER_URL
system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email
system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups
system service-parameter-apply kubernetes

# The service-parameter-apply execution is asynchronous. To verify that it was successful, check the puppet logs at
# "/var/log/puppet/". The parameters "oidc-client-id", "oidc-groups-claim", "oidc-issuer-url" and "oidc-username-claim"
# will be present in the file "/etc/kubernetes/manifests/kube-apiserver.yaml" in the kube-apiserver command.
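The first part ends with a manual check of the kube-apiserver manifest. The script below is an added example, not part of this page or of the StarlingX project: it builds the issuer URL the same way the commands above do (brackets only for an IPv6 OAM address) and reports which of the four expected "--oidc-*" flags are missing from a manifest. The manifest fragment it writes is constructed for the demonstration and deliberately omits the groups-claim flag so that a failed check is visible; on a controller you would point check_apiserver_oidc_flags at /etc/kubernetes/manifests/kube-apiserver.yaml instead.

```shell
#!/bin/sh
# Added example (not from the StarlingX page): verify that the OIDC service
# parameters actually reached the kube-apiserver manifest.

# Build the Dex issuer URL as the guide does. An IPv6 literal is the only
# address form that contains ':' and it must be wrapped in "[]" in a URL.
build_issuer_url() {
    case "$1" in
        *:*) printf 'https://[%s]:30556/dex\n' "$1" ;;
        *)   printf 'https://%s:30556/dex\n' "$1" ;;
    esac
}

# Print every expected --oidc-* flag that is absent from the manifest.
# Returns 0 only when all four are present.
check_apiserver_oidc_flags() {
    manifest="$1"
    issuer_url="$2"
    missing=0
    for flag in \
        "--oidc-issuer-url=${issuer_url}" \
        "--oidc-client-id=stx-oidc-client-app" \
        "--oidc-username-claim=email" \
        "--oidc-groups-claim=groups"
    do
        if ! grep -qF -- "$flag" "$manifest"; then
            echo "missing: $flag"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample manifest fragment (not copied from any controller). The
# oidc-groups-claim line is left out on purpose to show a failing check.
write_sample_manifest() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --oidc-issuer-url=$2
    - --oidc-client-id=stx-oidc-client-app
    - --oidc-username-claim=email
EOF
}

# Stand-alone demonstration on the constructed manifest.
demo() {
    url=$(build_issuer_url "10.20.5.3")
    tmp=$(mktemp)
    write_sample_manifest "$tmp" "$url"
    check_apiserver_oidc_flags "$tmp" "$url" || echo "check failed as expected"
    rm -f "$tmp"
}
demo
```

On a real controller, run the check only after the puppet run triggered by service-parameter-apply has finished; a missing flag before that point just means the apply has not completed yet.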
- Second part: configuration of the OIDC app.
# Set the variable OAM_IP to the floating OAM address of the controller where you are installing the OIDC app.
OAM_IP="10.20.5.3" # IPv4 example, remember to replace this value.
#OAM_IP="fd00::a14:803" # IPv6 example, remember to replace this value.

# Create the certificate used in all overrides of this app.
cat <<EOF > oidc-auth-apps-certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: oidc-auth-apps-certificate
  namespace: kube-system
spec:
  secretName: oidc-auth-apps-certificate
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
  commonName: $OAM_IP
  subject:
    organizations:
    - ABC-Company
    organizationalUnits:
    - StarlingX-system-oidc-auth-apps
  ipAddresses:
  - $OAM_IP
EOF
kubectl apply -f oidc-auth-apps-certificate.yaml
kubectl get certificate oidc-auth-apps-certificate -n kube-system

# Create the secret "local-ldap-ca-cert" with the certificate of the CA that signed the local LDAP server's certificate.
# You can execute the commands below on the controller where you are installing the OIDC app, because in DC environments
# the secret "system-local-ca" has the same contents in the System Controller and in all subclouds.
# The directory must exist before the CA certificate is written into it.
mkdir -p /home/sysadmin/ssl
kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/local-ldap-ca-cert.crt
kubectl create secret generic local-ldap-ca-cert --from-file=/home/sysadmin/ssl/local-ldap-ca-cert.crt -n kube-system
kubectl get secrets -n kube-system local-ldap-ca-cert

# Set the OIDC-client helm overrides.
kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
cat <<EOF > stx-oidc-client.yaml
tlsName: oidc-auth-apps-certificate
config:
  # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
  # issuer_root_ca: /home/<filename-only-of-generic-secret>
  issuer_root_ca: /home/dex-ca-cert.crt
  issuer_root_ca_secret: dex-ca-cert
EOF
system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
system helm-override-show oidc-auth-apps oidc-client kube-system

# Set the Dex helm overrides.
# IMPORTANT: there are 2 values that need to be replaced in the configuration below.
# The first is at "config.connectors[0].config.host", where you should put the floating management address of the
# controller where the LDAP server is running (in DC environments, the LDAP server only runs in the System Controller).
# The second is at "config.connectors[0].config.bindPW", where you should put the LDAP password. You can get this
# password by executing "keyring get ldap ldapadmin" in the active controller where the LDAP server is running (in DC
# environments, execute this command in the System Controller).
cat <<EOF > dex-overrides.yaml
config:
  expiry:
    idTokens: "24h"
  connectors:
  - type: ldap
    name: ldap-1
    id: ldap-1
    config:
      host: <SET_FLOATING_MGMT_ADDR_HERE>:636
      rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
      insecureNoSSL: false
      insecureSkipVerify: false
      bindDN: CN=ldapadmin,DC=cgcs,DC=local
      bindPW: <SET_LDAP_PASSWORD_HERE>
      usernamePrompt: Username
      userSearch:
        baseDN: ou=People,dc=cgcs,dc=local
        filter: "(objectClass=posixAccount)"
        username: uid
        idAttr: DN
        emailAttr: uid
        nameAttr: gecos
      groupSearch:
        baseDN: ou=Group,dc=cgcs,dc=local
        filter: "(objectClass=posixGroup)"
        userMatchers:
        - userAttr: uid
          groupAttr: memberUid
        nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
  name: certdir
- mountPath: /etc/dex/tls
  name: https-tls
volumes:
- name: certdir
  secret:
    secretName: local-ldap-ca-cert
- name: https-tls
  secret:
    defaultMode: 420
    secretName: oidc-auth-apps-certificate
EOF
system helm-override-update oidc-auth-apps dex kube-system --values dex-overrides.yaml
system helm-override-show oidc-auth-apps dex kube-system

# Set the secret-observer helm overrides.
# "*/15" means "every 15 minutes, starting from the hour".
cat <<EOF > secret-observer-overrides.yaml
cronSchedule: "*/15 * * * *"
observedSecrets:
- secretName: "dex-ca-cert"
  filename: "dex-ca-cert.crt"
  deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
  filename: "tls.crt"
  deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
  filename: "tls.crt"
  deploymentToRestart: "oidc-dex"
EOF
system helm-override-update oidc-auth-apps secret-observer kube-system --values secret-observer-overrides.yaml
system helm-override-show oidc-auth-apps secret-observer kube-system

# Apply the OIDC app.
system application-apply oidc-auth-apps
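The Dex overrides are the one file in this procedure that carries a credential and two placeholders that must be replaced by hand. The script below is an added example, not part of this page or of the StarlingX project: it fills the two placeholders from arguments (so the LDAP password is never written into a script) and then checks the file before "system helm-override-update" is run, refusing a file that still contains a "<SET_..._HERE>" marker, that sets insecureNoSSL or insecureSkipVerify to true, or whose LDAP host does not end in the LDAPS port 636. The overrides fragment it writes is constructed for the demonstration and contains only the keys the check looks at.

```shell
#!/bin/sh
# Added example (not from the StarlingX page): pre-apply sanity check for
# dex-overrides.yaml. Checks only the fields the guide asks you to edit or
# that protect the LDAP bind password in transit.

# Print every problem found; return 0 only when the file is clean.
check_dex_overrides() {
    file="$1"
    problems=0
    if grep -q '<SET_[A-Z_]*_HERE>' "$file"; then
        echo "placeholder still present: $(grep -o '<SET_[A-Z_]*_HERE>' "$file" | tr '\n' ' ')"
        problems=$((problems + 1))
    fi
    # Either flag set to true would let the bind password leave the
    # controller in clear or go to an unverified LDAP endpoint.
    for key in insecureNoSSL insecureSkipVerify; do
        if grep -Eq "^[[:space:]]*${key}:[[:space:]]*true" "$file"; then
            echo "$key must stay false"
            problems=$((problems + 1))
        fi
    done
    if ! grep -Eq '^[[:space:]]*host:[[:space:]]*[^[:space:]]+:636[[:space:]]*$' "$file"; then
        echo "host must end in :636 (the LDAPS port used by the local LDAP server)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Replace the two placeholders from the guide. The management address and the
# password come from arguments so that nothing secret is stored in this file.
# The password must not contain '|', '&' or '\' because it is spliced into a
# sed replacement.
fill_dex_placeholders() {
    file="$1"
    mgmt_addr="$2"
    ldap_pw="$3"
    sed -e "s|<SET_FLOATING_MGMT_ADDR_HERE>|${mgmt_addr}|" \
        -e "s|<SET_LDAP_PASSWORD_HERE>|${ldap_pw}|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample (not a real overrides file): just the keys checked above,
# with the guide's placeholders left in place.
write_sample_dex_overrides() {
    cat > "$1" <<'EOF'
config:
  connectors:
  - type: ldap
    config:
      host: <SET_FLOATING_MGMT_ADDR_HERE>:636
      insecureNoSSL: false
      insecureSkipVerify: false
      bindDN: CN=ldapadmin,DC=cgcs,DC=local
      bindPW: <SET_LDAP_PASSWORD_HERE>
EOF
}

# Stand-alone demonstration: fails on the raw sample, passes once filled in.
demo() {
    f=$(mktemp)
    write_sample_dex_overrides "$f"
    check_dex_overrides "$f" || echo "raw sample rejected as expected"
    fill_dex_placeholders "$f" "192.168.204.2" "constructed-example-password"
    check_dex_overrides "$f" && echo "filled sample accepted"
    rm -f "$f"
}
demo
```

In use, fill the placeholders with the real floating management address and the output of "keyring get ldap ldapadmin", run check_dex_overrides on dex-overrides.yaml, and only then run the helm-override-update command; the file still contains the bind password afterwards, so delete it once the overrides are stored.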