3.2 KiB
Obtain the Authentication Token Using the oidc-auth Shell Script
You can obtain the authentication token using the oidc-auth shell script.
You can use the oidc-auth script both locally on the active controller, as well as on a remote workstation where you are running kubectl and helm commands.
The oidc-auth script retrieves the ID token from Windows Active Directory or server using the client, and dex, and updates the Kubernetes credential for the user in the kubectl config file.
- On controller-0, oidc-auth is installed as part of the base installation, and ready to use.
- On remote hosts, oidc-auth must be installed from .
- On a remote workstation using remote-cli container, oidc-auth is
installed within the remote-cli container, and ready to use. For more information on configuring remote CLI access, see :
Configure Remote CLI Access <configure-remote-cli-access>
.
- On a remote host, when using directly installed
kubectl and helm, the following setup
is required:
Install "Python Mechanize" module using the following command:
sudo pip2 install mechanize
Note
oidc-auth script supports authenticating with a oidc-auth-apps configured with single, or multiple ldap connectors.
Run oidc-auth script in order to authenticate and update user credentials in kubectl config file with the retrieved token.
If oidc-auth-apps is deployed with a single backend ldap connector, run the following command:
~(keystone_admin)]$ oidc-auth -c <ip> -u <username>
For example,
~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser Password: Login succeeded. Updating kubectl config ... User testuser set.
If oidc-auth-apps is deployed with multiple backend ldap connectors, run the following command:
~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>
Note
If you are running oidc-auth within the containerized remote CLI, you must use the
-p <password>
option to run the command non-interactively.When the parameter
-c <ip>
is ommitted, the hostname oamcontroller is used. This parameter can be ommitted when oidc-auth is executed inside a active controller and the oidc-auth-apps is running in this controller.When the parameter
-u <username>
is ommitted, the Linux username of the current logged in user is used.