October 19, 2022

OpenShift 4.6 Automation and Integration: Enterprise Authentication

Introduction

$ kinit admin

$ ipa -vv user-show admin
...
"result": {
"dn": "uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com",
...

$ ipa group-find
...
  Group name: admins
...

$ ipa -vv group-show admins
...
"result": {
"dn": "cn=admins,cn=groups,cn=accounts,dc=mkk,dc=example,dc=com",
...

Configuring the LDAP Identity Provider

$ oc explain OAuth.spec.identityProviders.ldap
...
FIELDS:
...
   bindPassword	<Object>
     bindPassword is an optional reference to a secret by name containing a
     password to bind with during the search phase. The key "bindPassword" is
     used to locate the data. If specified and the secret or expected key is not
     found, the identity provider is not honored. The namespace for this secret
     is openshift-config.

   ca	<Object>
     ca is an optional reference to a config map by name containing the
     PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS
     certificate presented by the remote server. The key "ca.crt" is used to
     locate the data. If specified and the config map or expected key is not
     found, the identity provider is not honored. If the specified ca data is
     not valid, the identity provider is not honored. If empty, the default
     system roots are used. The namespace for this config map is
     openshift-config.
...

Administration -> Cluster Settings -> Configuration -> OAuth

Fetch the IdM CA certificate that goes into the ca config map (key ca.crt, namespace openshift-config):

curl http://idm.mkk.example.com/ipa/config/ca.crt

Values for the LDAP identity provider (the bind password itself goes into the bindPassword secret in openshift-config):

bindDN: "uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com"

url: "ldaps://idm.mkk.example.com/cn=users,cn=accounts,dc=mkk,dc=example,dc=com?uid"
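The url above packs the user search into one string: host, base DN, the attribute the login name is matched against, and optionally scope and filter, with OpenShift filling in uid, sub and (objectClass=*) for anything left out. The following is an added example, written for this post rather than taken from OpenShift's own code, that parses that form, builds the user-lookup filter with RFC 4515 escaping of the login name, and reports how the transport is protected by the scheme, the insecure flag and the ca config map. The function names and the ldap://...:1389 URL used for the second check are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Defaults OpenShift applies to an LDAP identity-provider URL when a part is omitted
# (url form: ldap[s]://host[:port]/basedn?attribute?scope?filter).
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"
VALID_SCOPES = ("base", "one", "sub")
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Split an identity-provider URL into the pieces the provider uses for the user search."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 3:
        raise ValueError("URL has more than attribute?scope?filter after the base DN")
    fields += [""] * (3 - len(fields))
    attribute, scope, flt = (unquote(f) for f in fields)
    scope = scope or DEFAULT_SCOPE
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {VALID_SCOPES}, got {scope!r}")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": flt or DEFAULT_FILTER,
    }


# RFC 4515 escaping for a value placed inside an LDAP filter; the backslash goes first
# so that escape sequences produced by later replacements are not escaped again.
_FILTER_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]


def escape_filter_value(value):
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def user_search_filter(parsed, login):
    """The filter a provider would issue to locate the entry for a typed login name."""
    return f"(&{parsed['filter']}({parsed['attribute']}={escape_filter_value(login)}))"


def transport_findings(parsed, insecure=False, ca_configmap=None):
    """Plain-language notes on how the bind password and search traffic are protected."""
    notes = []
    if parsed["scheme"] == "ldap" and insecure:
        notes.append("ldap:// with insecure: true sends the bind DN password and searches in clear text")
    elif parsed["scheme"] == "ldap":
        notes.append("ldap:// with insecure: false upgrades the connection with StartTLS")
    if not ca_configmap and not insecure:
        notes.append("no ca config map: the server certificate must chain to the default system roots")
    return notes


if __name__ == "__main__":
    idp = parse_ldap_url("ldaps://idm.mkk.example.com/cn=users,cn=accounts,dc=mkk,dc=example,dc=com?uid")
    print(idp)
    print(user_search_filter(idp, "admin"))
    print(transport_findings(idp, insecure=False, ca_configmap="ca-config-map"))
```

Running it against the post's url shows the search that a login as admin triggers, (&(objectClass=*)(uid=admin)), and an empty findings list because ldaps:// plus a ca config map already gives a verified TLS connection.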

Troubleshooting

  • Authentication Operator logs
  • OAuth pod status
  • oc get pods -n openshift-authentication

Synchronizing LDAP Groups

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html-single/authentication_and_authorization/index#ldap-auto-syncing_ldap-syncing-groups

ldap-sync-config-map.yaml

kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://idm.mkk.example.com/
insecure: false
bindDN: uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com
bindPassword: redhat123
ca: /tmp/ca.crt
rfc2307:
  groupsQuery:
    baseDN: "cn=groups,cn=accounts,dc=mkk,dc=example,dc=com"
    scope: sub
    derefAliases: never
    pageSize: 0
    filter: "(objectClass=ipausergroup)"
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ member ]
  usersQuery:
    baseDN: "cn=users,cn=accounts,dc=mkk,dc=example,dc=com"
    scope: sub
    derefAliases: never
    pageSize: 0
  userUIDAttribute: dn
  userNameAttributes: [ uid ]
  tolerateMemberNotFoundErrors: false
  tolerateMemberOutOfScopeErrors: false
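The rfc2307 stanza above tells the sync which entries are groups (groupsQuery plus its filter), what to call them (cn), how to find their members (the member attribute holds user DNs), which subtree those members must live in (usersQuery) and what to call each user (uid). The two tolerate flags decide whether a member DN that is outside usersQuery or no longer exists aborts the run or is just dropped. The following is an added example, written for this post and not OpenShift's own implementation, that models that logic over a small constructed snapshot of the IdM tree; the entries for alice, a sysaccount and a dangling "ghost" member are made up to exercise the edge cases, and the single equality filter used on the page is the only filter form it understands.

```python
import re

# Constructed directory snapshot shaped like the post's IdM tree (not a real export).
USERS = {
    "uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com": {"uid": ["admin"]},
    "uid=alice,cn=users,cn=accounts,dc=mkk,dc=example,dc=com": {"uid": ["alice"]},
}
GROUPS = {
    "cn=admins,cn=groups,cn=accounts,dc=mkk,dc=example,dc=com": {
        "objectClass": ["ipausergroup", "posixgroup"],
        "cn": ["admins"],
        "member": [
            "uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com",
            "uid=alice,cn=users,cn=accounts,dc=mkk,dc=example,dc=com",
            # outside usersQuery.baseDN (constructed system account)
            "uid=sync,cn=sysaccounts,cn=etc,dc=mkk,dc=example,dc=com",
            # referenced but no such entry (constructed dangling member)
            "uid=ghost,cn=users,cn=accounts,dc=mkk,dc=example,dc=com",
        ],
    },
    # host group outside groupsQuery.baseDN: never considered
    "cn=webservers,cn=hostgroups,cn=accounts,dc=mkk,dc=example,dc=com": {
        "objectClass": ["ipahostgroup"], "cn": ["webservers"], "member": []},
}


def sync_config(tolerate_not_found, tolerate_out_of_scope):
    """The rfc2307 stanza of the post's LDAPSyncConfig, with the two tolerate flags as parameters."""
    return {
        "groupsQuery": {"baseDN": "cn=groups,cn=accounts,dc=mkk,dc=example,dc=com",
                        "scope": "sub", "filter": "(objectClass=ipausergroup)"},
        "groupUIDAttribute": "dn",
        "groupNameAttributes": ["cn"],
        "groupMembershipAttributes": ["member"],
        "usersQuery": {"baseDN": "cn=users,cn=accounts,dc=mkk,dc=example,dc=com", "scope": "sub"},
        "userUIDAttribute": "dn",
        "userNameAttributes": ["uid"],
        "tolerateMemberNotFoundErrors": tolerate_not_found,
        "tolerateMemberOutOfScopeErrors": tolerate_out_of_scope,
    }


class SyncError(Exception):
    """Raised where the real sync would abort instead of writing Group objects."""


def dn_in_scope(dn, base_dn, scope):
    """Suffix test on normalised DNs, standing in for an LDAP search scope."""
    dn, base_dn = dn.lower().replace(", ", ","), base_dn.lower().replace(", ", ",")
    if scope == "base":
        return dn == base_dn
    if not dn.endswith("," + base_dn):
        return False
    rdn = dn[: -len(base_dn) - 1]
    return "," not in rdn if scope == "one" else True


_EQUALITY = re.compile(r"^\((\w+)=([^()]+)\)$")


def matches_filter(attrs, flt):
    """Only the single equality filter used on the page is modelled."""
    m = _EQUALITY.match(flt)
    if not m:
        raise ValueError(f"unsupported filter {flt!r}")
    attr, value = m.groups()
    return value.lower() in (v.lower() for v in attrs.get(attr, []))


def first_value(attrs, dn, names):
    """First attribute value present, used as a name; 'dn' means the entry's own DN."""
    for name in names:
        if name == "dn":
            return dn
        if attrs.get(name):
            return attrs[name][0]
    return None


def sync_groups(config, groups, users):
    """Return the OpenShift Group objects the sync would create, or raise SyncError."""
    gq, uq = config["groupsQuery"], config["usersQuery"]
    result = []
    for gdn, gattrs in groups.items():
        if not dn_in_scope(gdn, gq["baseDN"], gq["scope"]) or not matches_filter(gattrs, gq["filter"]):
            continue
        name = first_value(gattrs, gdn, config["groupNameAttributes"])
        members = []
        for attr in config["groupMembershipAttributes"]:
            for mdn in gattrs.get(attr, []):
                if not dn_in_scope(mdn, uq["baseDN"], uq["scope"]):
                    if not config["tolerateMemberOutOfScopeErrors"]:
                        raise SyncError(f"{mdn} in group {name} is outside usersQuery.baseDN")
                    continue  # tolerated: member dropped with a warning
                if mdn not in users:
                    if not config["tolerateMemberNotFoundErrors"]:
                        raise SyncError(f"{mdn} in group {name} does not exist")
                    continue
                members.append(first_value(users[mdn], mdn, config["userNameAttributes"]))
        result.append({"name": name,
                       "ldap_uid": first_value(gattrs, gdn, [config["groupUIDAttribute"]]),
                       "users": sorted(members)})
    return sorted(result, key=lambda g: g["name"])
```

With both flags false, as in the file above, the sysaccount member stops the run before any Group is written; with tolerateMemberOutOfScopeErrors alone the run gets as far as the dangling ghost entry and stops there; with both true the result is a single admins group containing admin and alice, and the ldap_uid field holds the DN that the sync records on the Group so later runs can match it again.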

Verify the configuration, connectivity, bind DN and password with a dry run (without --confirm, oc adm groups sync only prints the groups it would create and changes nothing):

$ oc adm groups sync --sync-config tmp/ldap-sync.yml

Create a new namespace to hold the sync job and its objects:

$ oc new-project ldap-group-sync

Modify the LDAPSyncConfig so the bind password is read from the mounted secret and the CA from the mounted config map, then save it as /tmp/ldap-group-sync.yaml:

...
bindPassword:
  file: "/etc/secrets/bindPassword"
ca: /etc/config/ca.crt
...

$ oc create secret generic ldap-secret --from-literal bindPassword=redhat123 -n ldap-group-sync

$ oc create configmap ldap-config --from-file ldap-group-sync.yaml=/tmp/ldap-group-sync.yaml,ca.crt=/tmp/ca.crt -n ldap-group-sync

kind: ServiceAccount
apiVersion: v1
metadata:
  name: ldap-group-sync-sa
  namespace: ldap-group-sync
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-sync-cr
rules:
  - apiGroups:
      - ''
      - user.openshift.io
    resources:
      - groups
    verbs:
      - get
      - list
      - create
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ldap-group-sync-crb
subjects:
  - kind: ServiceAccount
    name: ldap-group-sync-sa
    namespace: ldap-group-sync
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ldap-group-sync-cr
---
kind: CronJob
apiVersion: batch/v1beta1
metadata:
  name: ldap-group-sync-cj
  namespace: ldap-group-sync
spec:
  schedule: "*/30 * * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          containers:
            - name: ldap-group-sync
              image: "registry.redhat.io/openshift4/ose-cli:latest"
              command:
                - "/bin/bash"
                - "-c"
                - "oc adm groups sync --sync-config=/etc/config/ldap-group-sync.yaml --confirm"
              volumeMounts:
                - mountPath: "/etc/config"
                  name: "ldap-sync-volume"
                - mountPath: "/etc/secrets"
                  name: "ldap-bind-password"
          volumes:
            - name: "ldap-sync-volume"
              configMap:
                name: "ldap-config"
            - name: "ldap-bind-password"
              secret:
                secretName: "ldap-secret"
          restartPolicy: "Never"
          terminationGracePeriodSeconds: 30
          activeDeadlineSeconds: 500
          dnsPolicy: "ClusterFirst"
          serviceAccountName: "ldap-group-sync-sa"

$ oc logs pod/ldap-group-sync-...

$ oc get groups

$ oc adm policy add-cluster-role-to-group cluster-admin admins
