From f72770e9fdf2e5a4bbb70cb2a528188e7ec2a65a Mon Sep 17 00:00:00 2001
From: Dinesh Neelapu
Date: Tue, 23 Jan 2024 07:22:00 +0000
Subject: [PATCH] OIDC system-local-ca CA certificate data retrieval incorrectly references ca.crt rather than tls.crt. (dsr8) Since we used conditional texting, the stx docs remain unchanged. Replaced ca.crt with tls.crt in one place.
Change-Id: I1bdb03e25744bf520111eaae20373170a8c1a59c
Signed-off-by: Dinesh Neelapu
Signed-off-by: Ngairangbam Mili
---
.../configure-oidc-auth-applications.rest | 13 +++
.../configure-oidc-auth-applications.rst | 101 ++++++++++++------
2 files changed, 79 insertions(+), 35 deletions(-)
create mode 100644 doc/source/_includes/configure-oidc-auth-applications.rest
diff --git a/doc/source/_includes/configure-oidc-auth-applications.rest b/doc/source/_includes/configure-oidc-auth-applications.rest
new file mode 100644
index 000000000..6eff6cace
--- /dev/null
+++ b/doc/source/_includes/configure-oidc-auth-applications.rest
@@ -0,0 +1,13 @@
+
+
+.. start-after: configure-oidc-begin
+.. end-before: configure-oidc-end
+
+.. start-after: configure-oidc-tls1-begin
+.. end-before: configure-oidc-tls1-end
+
+.. start-after: configure-oidc-tls2-begin
+.. end-before: configure-oidc-tls2-end
+
+.. start-after: configure-oidc-tls3-begin
+.. end-before: configure-oidc-tls3-end
diff --git a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst
index cf1128cc0..cc0fe6714 100644
--- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst
+++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst
@@ -113,29 +113,44 @@ Configure OIDC Auth Applications
Server Certificate and the |OIDC| Client and Identity Trusted |CA| certificate.
- Create a secret with the certificate of the root |CA| that signed the
- |OIDC| client and identity provider's server certificate. In this
- example, it will be the ``ca.crt`` of the ``system-local-ca``
- ClusterIssuer).
+ .. only:: starlingx
- .. code-block:: none
+ Create a secret with the certificate of the root |CA| that signed
+ the |OIDC| client and identity provider's server certificate. In
+ this example, it will be the ``ca.crt`` of the ``system-local-ca``
+ (ClusterIssuer).
- ~(keystone_admin)]$ mkdir /home/sysadmin/ssl
- ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
+ .. only:: partner
- ~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
+ .. include:: /_includes/configure-oidc-auth-applications.rest
+ :start-after: configure-oidc-begin
+ :end-before: configure-oidc-end
- ~(keystone_admin)]$ cat < stx-oidc-client.yaml
- tlsName: oidc-auth-apps-certificate
- config:
- # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
- # issuer_root_ca: /home/
- issuer_root_ca: /home/dex-ca-cert.crt
- issuer_root_ca_secret: dex-ca-cert
- EOF
+ .. only:: starlingx
- ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
+ ..
code-block:: none
+ ~(keystone_admin)]$ mkdir /home/sysadmin/ssl
+ ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt
+
+ ~(keystone_admin)]$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/ssl/dex-ca-cert.crt -n kube-system
+
+ ~(keystone_admin)]$ cat < stx-oidc-client.yaml
+ tlsName: oidc-auth-apps-certificate
+ config:
+ # The OIDC-client container mounts the dex-ca-cert secret at /home, therefore
+ # issuer_root_ca: /home/
+ issuer_root_ca: /home/dex-ca-cert.crt
+ issuer_root_ca_secret: dex-ca-cert
+ EOF
+
+ ~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
+
+ .. only:: partner
+
+ .. include:: /_includes/configure-oidc-auth-applications.rest
+ :start-after: configure-oidc-tls1-begin
+ :end-before: configure-oidc-tls1-end
#. Create a secret with the certificate of the |CA| that signed the certificate of the Identity Providers (IdPs) that you will be using.
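Review bot: The starlingx code block on the new side extracts the trust anchor with `kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/ssl/dex-ca-cert.crt` and feeds that file straight into the `dex-ca-cert` secret and `issuer_root_ca`, with no check that a certificate was actually extracted; if the secret carries no `ca.crt` key (the commit title says the CA data for `system-local-ca` is under `tls.crt`, and the body says the starlingx text is deliberately left as is), jsonpath prints nothing or an error and the pipe still writes an empty file, so the |OIDC| client would likely be configured with an empty root CA and the failure would surface only later as trust errors. A verification line after the decode makes that visible at the step where it happens, e.g. `~(keystone_admin)]$ openssl x509 -in /home/sysadmin/ssl/dex-ca-cert.crt -noout -subject -issuer`, and the prose above the block could state which secret key is expected to hold the CA certificate. Separately, `cat < stx-oidc-client.yaml` followed by `EOF` reads as a heredoc whose `<<EOF >` redirection has been lost; if that is the file's content rather than an artifact of this page's rendering, the command does not create the file. The numbered step this hunk edits starts before line 113, outside the hunk.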
@@ -148,15 +163,23 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
- If you will use the Local |LDAP| server, create the secret
- ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
- Local |LDAP|'s certificate using the command below. This |CA|'s
- certificate, presented below as file ``local-ldap-ca-cert.crt``, can
- be extracted from the controller where the Local |LDAP| server is
- running (the SystemController in DC environments) using the command
- `kubectl get secret system-local-ca -n cert-manager
- -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
- local-ldap-ca-cert.crt`.
+ .. only:: starlingx
+
+ If you will use the Local |LDAP| server, create the secret
+ ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
+ Local |LDAP|'s certificate using the command below. This |CA|'s
+ certificate, presented below as file ``local-ldap-ca-cert.crt``, can
+ be extracted from the controller where the Local |LDAP| server is
+ running (the SystemController in DC environments) using the command
+ `kubectl get secret system-local-ca -n cert-manager
+ -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
+ local-ldap-ca-cert.crt`.
+
+ .. only:: partner
+
+ .. include:: /_includes/configure-oidc-auth-applications.rest
+ :start-after: configure-oidc-tls2-begin
+ :end-before: configure-oidc-tls2-end
.. code-block:: none
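Review bot: The `kubectl get secret system-local-ca ...` command in the new `.. only:: starlingx` paragraph is a single-backtick span broken across three lines, with `\'`, `\\.crt` and `\-\-decode` escapes added to survive the default role; how it renders therefore depends on the project's default-role setting, and a reader copying it has to undo the escapes by hand, which matters because the output file becomes the Local |LDAP| trust anchor. The same span is repeated verbatim in the next hunk at -289,15. I would render it as a literal instead: either a one-line double-backtick literal reading `kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > local-ldap-ca-cert.crt`, or a `.. code-block:: none` like the one used for `dex-ca-cert.crt` earlier in the file, which removes the escapes entirely. As with that earlier block, an `openssl x509 -in local-ldap-ca-cert.crt -noout -subject` check after the decode would confirm a real certificate was extracted rather than an empty file. The list item containing this paragraph begins before line 148, outside the hunk.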
@@ -289,15 +312,23 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
- If you will use the Local |LDAP| server, create the secret
- ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
- Local |LDAP|'s certificate using the command below. This |CA|'s
- certificate, presented below as file ``local-ldap-ca-cert.crt``, can
- be extracted from the controller where the Local |LDAP| server is
- running (the SystemController in DC environments) using the command
- `kubectl get secret system-local-ca -n cert-manager
- -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
- local-ldap-ca-cert.crt`.
+ .. only:: starlingx
+
+ If you will use the Local |LDAP| server, create the secret
+ ``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
+ Local |LDAP|'s certificate using the command below. This |CA|'s
+ certificate, presented below as file ``local-ldap-ca-cert.crt``, can
+ be extracted from the controller where the Local |LDAP| server is
+ running (the SystemController in DC environments) using the command
+ `kubectl get secret system-local-ca -n cert-manager
+ -o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
+ local-ldap-ca-cert.crt`.
+
+ .. only:: partner
+
+ .. include:: /_includes/configure-oidc-auth-applications.rest
+ :start-after: configure-oidc-tls3-begin
+ :end-before: configure-oidc-tls3-end
.. code-block:: none