starlingx
/
docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/obtain-the-authentication-t...

3.2 KiB
Raw Blame History

Obtain the Authentication Token Using the oidc-auth Shell Script

You can obtain the authentication token using the oidc-auth shell script.

You can use the oidc-auth script both locally on the active controller, as well as on a remote workstation where you are running kubectl and helm commands.

The oidc-auth script retrieves the ID token from Windows Active Directory or server using the client, and dex, and updates the Kubernetes credential for the user in the kubectl config file.

  • On controller-0, oidc-auth is installed as part of the base installation, and ready to use.
  • On remote hosts, oidc-auth must be installed from .
  • On a remote workstation using remote-cli container, oidc-auth is

    installed within the remote-cli container, and ready to use. For more information on configuring remote CLI access, see : Configure Remote CLI Access <configure-remote-cli-access>.

  • On a remote host, when using directly installed kubectl and helm, the following setup is required:

    • Install "Python Mechanize" module using the following command:

      sudo pip2 install mechanize

Note

oidc-auth script supports authenticating with a oidc-auth-apps configured with single, or multiple ldap connectors.

  1. Run oidc-auth script in order to authenticate and update user credentials in kubectl config file with the retrieved token.

    • If oidc-auth-apps is deployed with a single backend ldap connector, run the following command:

      ~(keystone_admin)]$ oidc-auth -c <ip> -u <username>

      For example,

      ~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
Password:
Login succeeded.
Updating kubectl config ...
User testuser set.

    • If oidc-auth-apps is deployed with multiple backend ldap connectors, run the following command:

      ~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>

    Note

    If you are running oidc-auth within the containerized remote CLI, you must use the -p <password> option to run the command non-interactively.

    When the parameter -c <ip> is ommitted, the hostname oamcontroller is used. This parameter can be ommitted when oidc-auth is executed inside a active controller and the oidc-auth-apps is running in this controller.

    When the parameter -u <username> is ommitted, the Linux username of the current logged in user is used.