diff --git a/doc/source/_includes/configure-oidc-auth-applications.rest b/doc/source/_includes/configure-oidc-auth-applications.rest new file mode 100644 index 000000000..6eff6cace --- /dev/null +++ b/doc/source/_includes/configure-oidc-auth-applications.rest @@ -0,0 +1,13 @@ + + +.. start-after: configure-oidc-begin +.. end-before: configure-oidc-end + +.. start-after: configure-oidc-tls1-begin +.. end-before: configure-oidc-tls1-end + +.. start-after: configure-oidc-tls2-begin +.. end-before: configure-oidc-tls2-end + +.. start-after: configure-oidc-tls3-begin +.. end-before: configure-oidc-tls3-end diff --git a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst index cf1128cc0..cc0fe6714 100644 --- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst +++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst 
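Review bot: every marker pair in the new `_includes/configure-oidc-auth-applications.rest` (`configure-oidc-begin`/`-end`, `-tls1-`, `-tls2-`, `-tls3-`) encloses nothing, so a partner build that pulls these regions with `:start-after:`/`:end-before:` renders an empty string where the StarlingX text used to be. If the file is a placeholder that a downstream partner tree is expected to overwrite, state that in a comment at the top of the file so the next editor does not "fix" it by filling the regions in, and drop the two leading blank lines the file currently opens with. The `.. start-after: ...` lines parse as RST comments, which is fine for `include` option matching, but a one-line comment explaining that they are only text anchors would make that intent obvious.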
@@ -113,29 +113,44 @@ Configure OIDC Auth Applications Server Certificate and the |OIDC| Client and Identity Trusted |CA| certificate. - Create a secret with the certificate of the root |CA| that signed the - |OIDC| client and identity provider's server certificate. In this - example, it will be the ``ca.crt`` of the ``system-local-ca`` - ClusterIssuer). + .. only:: starlingx - .. code-block:: none + Create a secret with the certificate of the root |CA| that signed + the |OIDC| client and identity provider's server certificate. In + this example, it will be the ``ca.crt`` of the ``system-local-ca`` + (ClusterIssuer). - ~(keystone_admin)]$ mkdir /home/sysadmin/ssl - ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt + .. only:: partner - ~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system + .. include:: /_includes/configure-oidc-auth-applications.rest + :start-after: configure-oidc-begin + :end-before: configure-oidc-end - ~(keystone_admin)]$ cat < stx-oidc-client.yaml - tlsName: oidc-auth-apps-certificate - config: - # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore - # issuer_root_ca: /home/ - issuer_root_ca: /home/dex-ca-cert.crt - issuer_root_ca_secret: dex-ca-cert - EOF + .. only:: starlingx - ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml + .. 
code-block:: none + ~(keystone_admin)]$ mkdir /home/sysadmin/ssl + ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt + + ~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system + + ~(keystone_admin)]$ cat < stx-oidc-client.yaml + tlsName: oidc-auth-apps-certificate + config: + # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore + # issuer_root_ca: /home/ + issuer_root_ca: /home/dex-ca-cert.crt + issuer_root_ca_secret: dex-ca-cert + EOF + + ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml + + .. only:: partner + + .. include:: /_includes/configure-oidc-auth-applications.rest + :start-after: configure-oidc-tls1-begin + :end-before: configure-oidc-tls1-end #. Create a secret with the certificate of the |CA| that signed the certificate of the Identity Providers (IdPs) that you will be using. 
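Review bot: in the second `.. only:: starlingx` block there is no blank `+` line between `.. code-block:: none` and `~(keystone_admin)]$ mkdir /home/sysadmin/ssl`, although blank `+` lines do separate the later commands in the same block; docutils requires a blank line between a directive's argument line and its content, so as written the `mkdir` command is read as part of the directive argument and the whole block fails to render. While the block is being moved, also fix the heredoc that was carried over from the removed lines: `~(keystone_admin)]$ cat < stx-oidc-client.yaml` terminated by `EOF` is not a valid heredoc and would try to read the file rather than create it; it should be `cat <<EOF > stx-oidc-client.yaml`. Finally, splitting the StarlingX prose and its command block into two separate `.. only:: starlingx` directives with a partner include between them makes the hunk hard to follow; one `only:: starlingx` block holding both, followed by the two partner includes, renders identically for either build and is easier to maintain.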
@@ -148,15 +163,23 @@ Configure OIDC Auth Applications ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system - If you will use the Local |LDAP| server, create the secret - ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the - Local |LDAP|'s certificate using the command below. This |CA|'s - certificate, presented below as file ``local-ldap-ca-cert.crt``, can - be extracted from the controller where the Local |LDAP| server is - running (the SystemController in DC environments) using the command - `kubectl get secret system-local-ca -n cert-manager - -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode > - local-ldap-ca-cert.crt`. + .. only:: starlingx + + If you will use the Local |LDAP| server, create the secret + ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the + Local |LDAP|'s certificate using the command below. This |CA|'s + certificate, presented below as file ``local-ldap-ca-cert.crt``, can + be extracted from the controller where the Local |LDAP| server is + running (the SystemController in DC environments) using the command + `kubectl get secret system-local-ca -n cert-manager + -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode > + local-ldap-ca-cert.crt`. + + .. only:: partner + + .. include:: /_includes/configure-oidc-auth-applications.rest + :start-after: configure-oidc-tls2-begin + :end-before: configure-oidc-tls2-end .. code-block:: none 
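Review bot: the Local |LDAP| paragraph being wrapped in `.. only:: starlingx` still carries the `kubectl get secret system-local-ca -n cert-manager -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode > local-ldap-ca-cert.crt` command inside single-backtick interpreted text with escaped quotes and hyphens, whereas every other command on this page sits in a `.. code-block:: none`; since the paragraph is re-indented anyway, move the command into a code block so the `\'`, `\\.` and `\-\-` escapes can go and the reader can copy the command verbatim. This paragraph is also byte-for-byte the same as the one changed at `@@ -289` below, yet it gets its own marker pair (`configure-oidc-tls2-*`); one shared include region for both occurrences would keep the two copies from drifting apart.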
@@ -289,15 +312,23 @@ Configure OIDC Auth Applications ~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system - If you will use the Local |LDAP| server, create the secret - ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the - Local |LDAP|'s certificate using the command below. This |CA|'s - certificate, presented below as file ``local-ldap-ca-cert.crt``, can - be extracted from the controller where the Local |LDAP| server is - running (the SystemController in DC environments) using the command - `kubectl get secret system-local-ca -n cert-manager - -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode > - local-ldap-ca-cert.crt`. + .. only:: starlingx + + If you will use the Local |LDAP| server, create the secret + ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the + Local |LDAP|'s certificate using the command below. This |CA|'s + certificate, presented below as file ``local-ldap-ca-cert.crt``, can + be extracted from the controller where the Local |LDAP| server is + running (the SystemController in DC environments) using the command + `kubectl get secret system-local-ca -n cert-manager + -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode > + local-ldap-ca-cert.crt`. + + .. only:: partner + + .. include:: /_includes/configure-oidc-auth-applications.rest + :start-after: configure-oidc-tls3-begin + :end-before: configure-oidc-tls3-end .. code-block:: none
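Review bot: the trailing `.. code-block:: none` is unchanged context that sits outside both the `.. only:: starlingx` and the `.. only:: partner` directives, so it is emitted for partner builds as well; because the `configure-oidc-tls3` region in the new include file is empty, a partner build currently renders that command block with no introducing sentence, i.e. a bare `kubectl create secret generic local-ldap-ca-cert ...` with no explanation of when it applies. Either the partner region must supply the lead-in, or the `code-block` should move inside the `only:: starlingx` block alongside the paragraph that introduces it. Apart from the `tls3` marker name this hunk duplicates the `@@ -148` change above; a single include region would serve both.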