
StarlingX/Containers/Applications/app-oidc-auth

Application: oidc-auth-armada-app

Source

Building

From the Debian Build environment:

build-pkgs -c -p helm,oidc-client-helm,secret-observer-helm,dexidp-helm,build-info,python3-k8sapp-oidc,stx-oidc-auth-helm

The command above produces the package "stx-oidc-auth-helm_<version>_<arch>.deb" that contains the tarball "oidc-auth-apps-<version>.tgz".

Testing

In this guide, oidc-auth-apps will be referred to simply as the "OIDC app".

The instructions below show how to configure the OIDC app to authenticate using the local LDAP server. The instructions are divided into two parts: the first configures the Kubernetes API server to authenticate OIDC tokens issued by the OIDC app; the second configures the OIDC app itself.

For AIO-SX, AIO-DX and Standard environments, execute the first and the second parts in the active controller, as the Kubernetes API server, the OIDC app and the local LDAP server are running in the same controller.

For Distributed Cloud environments, the OIDC app can be deployed in a distributed setup, where the app is configured in every active controller (in the System Controller and in every subcloud), or in a centralized setup, where the app only runs in the System Controller. For distributed setups, execute the first and the second parts in every active controller; for centralized setups, execute the first part in every active controller and the second part only in the System Controller.

  • First part: configuration of Kubernetes API server.
# Set the variable OAM_IP to the floating OAM address of the controller where the OIDC app will run.
# It is always the floating OAM address of the controller where you are running these commands, except for DC
# centralized setups, where the OAM_IP should be set to the floating OAM address of the System Controller (the OIDC app
# only runs there).
OAM_IP="10.20.5.3"                           # IPv4 example, remember to replace this value.
#OAM_IP="fd00::a14:803"                      # IPv6 example, remember to replace this value.
ISSUER_URL="https://${OAM_IP}:30556/dex"     # Use this if OAM_IP is an IPv4 address.
#ISSUER_URL="https://[${OAM_IP}]:30556/dex"  # Use this if OAM_IP is an IPv6 address, the "[]" chars are needed.

# Set the "kube_apiserver" service parameters and apply.
source /etc/platform/openrc
system service-parameter-list | grep oidc
system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=$ISSUER_URL
system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email
system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups
system service-parameter-apply kubernetes

# The service-parameter-apply execution is asynchronous. To verify that it succeeded, check the puppet logs at
# "/var/log/puppet/". The parameters "oidc-client-id", "oidc-groups-claim", "oidc-issuer-url" and "oidc-username-claim"
# will be present in the kube-apiserver command in the file "/etc/kubernetes/manifests/kube-apiserver.yaml".
  • Second part: configuration of the OIDC app.
# Set the variable OAM_IP to the floating OAM address of the controller where you are installing the OIDC app.
OAM_IP="10.20.5.3"       # IPv4 example, remember to replace this value.
#OAM_IP="fd00::a14:803"  # IPv6 example, remember to replace this value.

# Create the certificate used in all overrides of this app.
cat <<EOF > oidc-auth-apps-certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: oidc-auth-apps-certificate
  namespace: kube-system
spec:
  secretName: oidc-auth-apps-certificate
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
  commonName: $OAM_IP
  subject:
    organizations:
      - ABC-Company
    organizationalUnits:
      - StarlingX-system-oidc-auth-apps
  ipAddresses:
  - $OAM_IP
EOF
kubectl apply -f oidc-auth-apps-certificate.yaml
kubectl get certificate oidc-auth-apps-certificate -n kube-system

# Create the secret "local-ldap-ca-cert" with the CA certificate that signed the Local LDAP's certificate.
# Even in DC environments, you can execute the commands below where you are installing the OIDC app, because
# the secret "system-local-ca" has the same contents in the System Controller and in all subclouds.
mkdir /home/sysadmin/ssl
kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/local-ldap-ca-cert.crt
kubectl create secret generic local-ldap-ca-cert --from-file=/home/sysadmin/ssl/local-ldap-ca-cert.crt -n kube-system
kubectl get secrets -n kube-system local-ldap-ca-cert

# Set the OIDC-client helm overrides.
kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
cat <<EOF > stx-oidc-client.yaml
tlsName: oidc-auth-apps-certificate
config:
   # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
   # issuer_root_ca: /home/<filename-only-of-generic-secret>
   issuer_root_ca: /home/dex-ca-cert.crt
   issuer_root_ca_secret: dex-ca-cert
EOF
system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
system helm-override-show oidc-auth-apps oidc-client kube-system

# Set the Dex helm overrides.
# IMPORTANT: there are 2 values that need to be replaced in the configuration below.
# The first is "config.connectors[0].config.host", which must be set to the floating management address of the
# controller where the LDAP server is running (in DC environments, the LDAP server only runs in the System Controller).
# The second is "config.connectors[0].config.bindPW", which must be set to the LDAP password. You can get this
# password by executing "keyring get ldap ldapadmin" in the active controller where the LDAP server is running (in DC
# environments, execute this command in the System Controller).
cat <<EOF > dex-overrides.yaml
config:
  expiry:
    idTokens: "24h"
  connectors:
  - type: ldap
    name: ldap-1
    id: ldap-1
    config:
      host: <SET_FLOATING_MGMT_ADDR_HERE>:636
      rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
      insecureNoSSL: false
      insecureSkipVerify: false
      bindDN: CN=ldapadmin,DC=cgcs,DC=local
      bindPW: <SET_LDAP_PASSWORD_HERE>
      usernamePrompt: Username
      userSearch:
        baseDN: ou=People,dc=cgcs,dc=local
        filter: "(objectClass=posixAccount)"
        username: uid
        idAttr: DN
        emailAttr: uid
        nameAttr: gecos
      groupSearch:
        baseDN: ou=Group,dc=cgcs,dc=local
        filter: "(objectClass=posixGroup)"
        userMatchers:
        - userAttr: uid
          groupAttr: memberUid
        nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
  name: certdir
- mountPath: /etc/dex/tls
  name: https-tls
volumes:
- name: certdir
  secret:
    secretName: local-ldap-ca-cert
- name: https-tls
  secret:
    defaultMode: 420
    secretName: oidc-auth-apps-certificate
EOF
system helm-override-update oidc-auth-apps dex kube-system --values dex-overrides.yaml
system helm-override-show oidc-auth-apps dex kube-system

# Set the secret-observer helm overrides.
# */15 refers to "every 15 minutes, starting from the hour"
cat <<EOF > secret-observer-overrides.yaml
cronSchedule: "*/15 * * * *"
observedSecrets:
  - secretName: "dex-ca-cert"
    filename: "dex-ca-cert.crt"
    deploymentToRestart: "stx-oidc-client"
  - secretName: "oidc-auth-apps-certificate"
    filename: "tls.crt"
    deploymentToRestart: "stx-oidc-client"
  - secretName: "oidc-auth-apps-certificate"
    filename: "tls.crt"
    deploymentToRestart: "oidc-dex"
EOF
system helm-override-update oidc-auth-apps secret-observer kube-system --values secret-observer-overrides.yaml
system helm-override-show oidc-auth-apps secret-observer kube-system

# Apply the OIDC app.
system application-apply oidc-auth-apps
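A pre-apply sanity check for both parts above, added here as an example and not part of StarlingX or the OIDC app: it confirms that the four --oidc-* flags reached the kube-apiserver manifest (pass the path you want to inspect; on the controller it is /etc/kubernetes/manifests/kube-apiserver.yaml) and that dex-overrides.yaml has no leftover placeholders and still verifies the LDAP TLS connection. The function names and the sample manifest fragment are assumptions made for this example.

```shell
# check_apiserver_oidc_flags MANIFEST ISSUER_URL
# Returns 0 when the kube-apiserver static-pod manifest carries all four
# --oidc-* flags with the values set via service-parameter-add, 1 otherwise.
check_apiserver_oidc_flags() {
    local manifest="$1" issuer="$2" rc=0 expected
    for expected in \
        "--oidc-issuer-url=${issuer}" \
        "--oidc-client-id=stx-oidc-client-app" \
        "--oidc-username-claim=email" \
        "--oidc-groups-claim=groups"; do
        if ! grep -qF -- "${expected}" "${manifest}"; then
            echo "missing in ${manifest}: ${expected}" >&2
            rc=1
        fi
    done
    return "${rc}"
}

# check_dex_overrides FILE
# Returns 0 when no "<SET_..._HERE>" placeholder is left, the LDAP host still
# targets the LDAPS port 636 and neither insecureNoSSL nor insecureSkipVerify
# was flipped to true; 1 otherwise.
check_dex_overrides() {
    local file="$1" rc=0
    if grep -qE '<SET_[A-Z_]+_HERE>' "${file}"; then
        echo "placeholder left in ${file}" >&2; rc=1
    fi
    if grep -qE '^[[:space:]]*(insecureNoSSL|insecureSkipVerify):[[:space:]]*true' "${file}"; then
        echo "LDAP TLS verification disabled in ${file}" >&2; rc=1
    fi
    if ! grep -qE '^[[:space:]]*host:[[:space:]]*[^[:space:]]+:636[[:space:]]*$' "${file}"; then
        echo "LDAP host does not use port 636 in ${file}" >&2; rc=1
    fi
    return "${rc}"
}

# write_sample_manifest FILE ISSUER_URL
# Writes a constructed kube-apiserver command fragment (not a real manifest)
# so the check above can be exercised offline.
write_sample_manifest() {
    cat > "$1" <<EOF
    - kube-apiserver
    - --oidc-issuer-url=$2
    - --oidc-client-id=stx-oidc-client-app
    - --oidc-username-claim=email
    - --oidc-groups-claim=groups
EOF
}
```

Run `check_dex_overrides dex-overrides.yaml` before the helm-override-update above, and `check_apiserver_oidc_flags /etc/kubernetes/manifests/kube-apiserver.yaml "$ISSUER_URL"` once puppet has finished applying the service parameters.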

Execute the commands below to test the configuration of the OIDC app.

# Create a composite LDAP account. If it is a DC environment, the commands below should be executed in the
# System Controller.
cat <<EOF > inventory.txt
[all:vars]
ansible_user=sysadmin
ansible_password=Li69nux*
ansible_become_pass=Li69nux*

[systemcontroller]
systemcontroller-0 ansible_host=127.0.0.1
EOF
ansible-playbook --inventory inventory.txt --extra-vars='user_id=user2 mode=create' /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml # Input 'Li69nux*' as user2 password.

# Grant the new user permissions in the Kubernetes cluster.
cat <<EOF > k8s_rolebinding.txt
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: user2-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user2
EOF
kubectl apply -f k8s_rolebinding.txt

# Execute the commands below to test the Kubernetes access of the new user.
ssh user2@localhost
kubeconfig-setup
source ~/.profile
oidc-auth
kubectl get pods -A -v=6  # It should succeed.
exit