Merge "OIDC system-local-ca CA certificate data retrieval incorrectly references ca.crt rather than tls.crt. (dsr8)"

This commit is contained in:
Zuul 2024-02-27 14:59:56 +00:00 committed by Gerrit Code Review
commit 2ab554024f
2 changed files with 79 additions and 35 deletions

View File

@ -0,0 +1,13 @@
.. start-after: configure-oidc-begin
.. end-before: configure-oidc-end
.. start-after: configure-oidc-tls1-begin
.. end-before: configure-oidc-tls1-end
.. start-after: configure-oidc-tls2-begin
.. end-before: configure-oidc-tls2-end
.. start-after: configure-oidc-tls3-begin
.. end-before: configure-oidc-tls3-end
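Review bot: every include in the new file is empty, because the hunk contains only the begin/end marker pairs for the four fragments (configure-oidc, tls1, tls2, tls3) with nothing between them, so each `:start-after:`/`:end-before:` include in the main page resolves to no text until a partner populates it; add a one-line comment at the top stating that this file is a placeholder to be overridden downstream, otherwise the empty partner build looks like a bug. Also, spelling the markers as `.. start-after: configure-oidc-begin` works only because `:start-after:` matches the literal string, and naming a marker after the option that consumes it is confusing; the usual convention is a plain comment marker such as `.. configure-oidc-begin`.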

View File

@ -113,10 +113,20 @@ Configure OIDC Auth Applications
Server Certificate and the |OIDC| Client and Identity Trusted |CA|
certificate.
Create a secret with the certificate of the root |CA| that signed the
|OIDC| client and identity provider's server certificate. In this
example, it will be the ``ca.crt`` of the ``system-local-ca``
ClusterIssuer).
.. only:: starlingx
Create a secret with the certificate of the root |CA| that signed
the |OIDC| client and identity provider's server certificate. In
this example, it will be the ``ca.crt`` of the ``system-local-ca``
(ClusterIssuer).
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-begin
:end-before: configure-oidc-end
.. only:: starlingx
.. code-block:: none
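Review bot: the prose still tells the reader the CA certificate is the ``ca.crt`` of ``system-local-ca`` in both copies of the sentence, which contradicts the commit subject's finding that the system-local-ca CA data lives in `tls.crt`; the retrieval command that follows `.. code-block:: none` is cut off at the hunk boundary, so make sure the sentence names the same key the command now reads (for example "it will be the ``tls.crt`` of the ``system-local-ca`` ClusterIssuer's secret"). If the unconditional paragraph at the top of the hunk is the removed copy, only the `.. only:: starlingx` block needs the fix; either way the two copies disagree on where the parenthesis goes (``system-local-ca`` ClusterIssuer) versus ``system-local-ca`` (ClusterIssuer)), so settle on one form.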
@ -136,6 +146,11 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ system helm-override-update oidc-auth-apps oidc-client kube-system --values stx-oidc-client.yaml
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-tls1-begin
:end-before: configure-oidc-tls1-end
#. Create a secret with the certificate of the |CA| that signed the
certificate of the Identity Providers (IdPs) that you will be using.
@ -148,6 +163,8 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
.. only:: starlingx
If you will use the Local |LDAP| server, create the secret
``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
Local |LDAP|'s certificate using the command below. This |CA|'s
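Review bot: the `.. only:: starlingx` / `.. only:: partner` split applied here is applied again verbatim to the identical local LDAP paragraph in the hunks at -289 and -299, so the two copies will drift, which is exactly how a ca.crt/tls.crt mismatch like the one this commit fixes survives in one place after being corrected in the other; factor the paragraph and its retrieval command into a single fragment that both sections include, rather than maintaining two hand-synchronised copies.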
@ -158,6 +175,12 @@ Configure OIDC Auth Applications
-o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
local-ldap-ca-cert.crt`.
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-tls2-begin
:end-before: configure-oidc-tls2-end
.. code-block:: none
~(keystone_admin)]$ kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system
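Review bot: the unchanged context line `-o=jsonpath=\'{.data.ca\\.crt}\'` still selects the `ca.crt` key; the secret name it is read from falls outside the hunk, but if that secret is the `system-local-ca` one, this is the same `ca.crt`-versus-`tls.crt` error the commit subject describes and should be corrected in the same change, so verify which secret the command targets and which key actually holds the CA certificate there. The escaped `\'` and `\-\-` inside single-backtick interpreted text are also fragile; a double-backtick literal needs no escaping and renders the quotes and `--` as typed.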
@ -289,6 +312,8 @@ Configure OIDC Auth Applications
~(keystone_admin)]$ kubectl create secret generic wad-ca-cert --from-file=wad-ca-cert.crt -n kube-system
.. only:: starlingx
If you will use the Local |LDAP| server, create the secret
``local-ldap-ca-cert`` with the |CA|'s certificate that signed the
Local |LDAP|'s certificate using the command below. This |CA|'s
@ -299,6 +324,12 @@ Configure OIDC Auth Applications
-o=jsonpath=\'{.data.ca\\.crt}\' | base64 \-\-decode >
local-ldap-ca-cert.crt`.
.. only:: partner
.. include:: /_includes/configure-oidc-auth-applications.rest
:start-after: configure-oidc-tls3-begin
:end-before: configure-oidc-tls3-end
.. code-block:: none
~(keystone_admin)]$ kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system
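Review bot: the closing `.. code-block:: none` with `kubectl create secret generic local-ldap-ca-cert --from-file=local-ldap-ca-cert.crt -n kube-system` comes after the `.. only:: partner` include rather than inside either `only` block (indentation is not preserved in this view, so confirm), which means it renders for both audiences; if the partner fragment does not produce a `local-ldap-ca-cert.crt` file the command fails for partner readers, and if it does, the fragment should say so, or the command should move inside the `.. only:: starlingx` block alongside the text that explains where the file comes from.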