Configure OIDC/LDAP Authentication for Kubernetes User Authentication

After installing StarlingX, you should configure OIDC/LDAP authentication for kubernetes access user authentication.

OIDC/LDAP authentication can be supported by StarlingX’s local LDAP server and/or up to three remote LDAP servers (for example, Windows Active Directory).

In this example, OIDC/LDAP authentication is setup for local LDAP.

Prerequisites

  • You must have the credentials for the ‘sysadmin’ local Linux user account used for installation.

Procedure

  1. Login to the active controller as the ‘sysadmin’ user.

    Use either a local console or SSH.

  2. Setup ‘sysadmin’ credentials.

    $ source /etc/platform/openrc
    
  3. Configure Kubernetes for OIDC token validation.

    Use the default nodePort for the oidc-auth-apps system application of 30556.

    $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=https://${OAMIP}:30556/dex
    
    $ system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email
    
    $ system service-parameter-apply kubernetes
    
  4. Configure and apply the oidc-auth-apps system application.

    1. Create the certificate to be used by both the OIDC client and the OIDC identity provider.

      $ mkdir /home/sysadmin/oidc
      
      $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" |
      awk '{print $4}')
      
      $ cat <<EOF > /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
         name: oidc-auth-apps-certificate
         namespace: kube-system
      spec:
         secretName: oidc-auth-apps-certificate
         duration: 2160h # 90 days
         renewBefore: 360h # 15 days
         issuerRef:
            name: system-local-ca
            kind: ClusterIssuer
         commonName: ${OAMIP}
         subject:
            organizations:
               - ABC-Company
            organizationalUnits:
               - StarlingX-system-oidc-auth-apps
         ipAddresses:
         - ${OAMIP}
      EOF
      
      $ kubectl apply -f/home/sysadmin/oidc/oidc-auth-apps-certificate.yaml
      
    2. Configure the OIDC-client with the OIDC client certificate and OIDC identity server certificate (created in the Create the certificate to be used by both the OIDC client and the OIDC identity provider step) and the Trusted CA that you used to sign these certificates (i.e., the system-local-ca).

      $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/oidc/dex-ca-cert.crt
      
      $ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/oidc/dex-ca-cert.crt  -n kube-system
      
      $ cat <<EOF > /home/sysadmin/oidc/oidc-client-overrides.yaml
      tlsName: oidc-auth-apps-certificate
      config:
         # The |OIDC|-client container mounts the dex-ca-cert secret at /home, therefore
         # issuer_root_ca: /home/<filename-only-of-generic-secret>
         issuer_root_ca: /home/dex-ca-cert.crt
         issuer_root_ca_secret: dex-ca-cert
         # secret for accessing dex
         client_secret: stx-oidc-client-p@ssw0rd
      EOF
      
      $ system helm-override-update oidc-auth-apps oidc-client kube-system --values /home/sysadmin/oidc/oidc-client-overrides.yaml
      
    3. Configure the secret observer to track renewals of certificates.

      $ cat <<EOF > /home/sysadmin/oidc/secret-observer-overrides.yaml
      cronSchedule: "*/15 * * * *"
      observedSecrets:
         - secretName: "dex-ca-cert"
         filename: "dex-ca-cert.crt"
         deploymentToRestart: "stx-oidc-client"
         - secretName: "oidc-auth-apps-certificate"
         filename: "tls.crt"
         deploymentToRestart: "stx-oidc-client"
         - secretName: "oidc-auth-apps-certificate"
         filename: "tls.crt"
         deploymentToRestart: "oidc-dex"
      EOF
      
      $ system helm-override-update oidc-auth-apps secret-observer kube-system --values /home/sysadmin/oidc/secret-observer-overrides.yaml
      
    4. Create a secret with the certificate of the CA that signed the certificate of local LDAP, i.e., system-local-ca, to be used in the Specify the configuration for connecting to Local LDAP in the user overrides for the oidc-auth-apps application step.

      $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/oidc/local-ldap-ca-cert.crt
      
      $ kubectl create secret generic local-ldap-ca-cert --from-file=/home/sysadmin/oidc/local-ldap-ca-cert.crt -n kube-system
      
    5. Specify the configuration for connecting to local LDAP in the user overrides for the oidc-auth-apps application.

      $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
      
      $ MGMTIP=$(system addrpool-list --nowrap | fgrep management |  awk '{print $14}')
      
      $ BINDPW=$(keyring get ldap ldapadmin)
      
      $ cat <<EOF > /home/sysadmin/oidc/dex-overrides.yaml
      config:
         staticClients:
         - id: stx-oidc-client-app
            name: STX OIDC Client app
            redirectURIs: ['https://${OAMIP}:30555/callback']
            secret: stx-oidc-client-p@ssw0rd
         expiry:
            idTokens: "10h"
         connectors:
         - type: ldap
            name: LocalLDAP
            id: localldap-1
            config:
               host: ${MGMTIP}:636
               rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
               insecureNoSSL: false
               insecureSkipVerify: false
               bindDN: CN=ldapadmin,DC=cgcs,DC=local
               bindPW: ${BINDPW}
               usernamePrompt: Username
               userSearch:
                  baseDN: ou=People,dc=cgcs,dc=local
                  filter: "(objectClass=posixAccount)"
                  username: uid
                  idAttr: DN
                  emailAttr: uid
                  nameAttr: gecos
               groupSearch:
                  baseDN: ou=Group,dc=cgcs,dc=local
                  filter: "(objectClass=posixGroup)"
                  userMatchers:
                  - userAttr: uid
                     groupAttr: memberUid
                  nameAttr: cn
      volumeMounts:
      - mountPath: /etc/ssl/certs/adcert
         name: certdir
      - mountPath: /etc/dex/tls
         name: https-tls
      volumes:
      - name: certdir
         secret:
            secretName: local-ldap-ca-cert
      - name: https-tls
         secret:
            defaultMode: 420
            secretName: oidc-auth-apps-certificate
      EOF
      
      $ system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/oidc/dex-overrides.yaml
      
    6. Apply the oidc-auth-apps system application.

      $ system application-apply oidc-auth-apps
      
    7. Wait for the oidc-auth-apps system application to reach the ‘applied’ status.

      $ system application-list
      

Postrequisites

See Create First System Administrator.