diff --git a/content/en/docs/v4.1/04-platform-management/03-platform-settings/04-ks-as-oidc-identity-provider.adoc b/content/en/docs/v4.1/04-platform-management/03-platform-settings/04-ks-as-oidc-identity-provider.adoc new file mode 100644 index 000000000..ba924617d --- /dev/null +++ b/content/en/docs/v4.1/04-platform-management/03-platform-settings/04-ks-as-oidc-identity-provider.adoc 
@@ -0,0 +1,109 @@ +--- +title: "Configure KubeSphere as an OIDC Identity Provider" +keywords: "Kubernetes, KubeSphere, OIDC, Identity Provider" +description: "Learn how to configure KubeSphere as an OIDC Identity Provider." +weight: 04 +--- + +OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 framework (IETF RFC 6749 and 6750). KubeSphere v4.1.3 implements the link:https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow] of link:https://openid.net/developers/how-connect-works/[OpenID Connect] protocol for extensions to integrate with KubeSphere's account system. This tutorial uses link:https://goharbor.io/[Harbor] as an OIDC client - after configuration, you can use KubeSphere accounts to log in to Harbor. + +== SSO Implementation Flow via OIDC + +image:/images/ks-qkcp/zh/v4.1.3/oidc-flow.png[, 70%] + +1. End user **navigates to a website or web application** via a browser. +2. End user **clicks sign-in** and types their username and password. +3. The RP (Client) **sends a request** to the OpenID Provider (OP). +4. The OP **authenticates the User** and obtains authorization. +5. The OP **responds with an Identity Token** and usually an **Access Token**. +6. The RP can **send a request** with the Access Token to the User device. +7. The UserInfo Endpoint **returns Claims** about the End-User. + +== Deploy KubeSphere 4.1.3 + +[source,bash] +---- +helm upgrade --install -n kubesphere-system --create-namespace ks-core https://charts.kubesphere.io/main/ks-core-1.1.4.tgz --debug --wait \ + --set portal.hostname=172.31.17.16.nip.io \ + --set portal.https.port=30491 \ + --set ingress.enabled=true \ + --set ingress.tls.enabled=true \ + --set ingress.ingressClassName=kubesphere-router-cluster +---- + +[.admon.note,cols="a"] +|=== +|Note + +|Before applying configurations, ks-console must be exposed via HTTPS. This tutorial uses Ingress to expose ks-console. 
The cluster gateway is created using the KubeSphere Gateway extension, with corresponding IngressClass as `kubesphere-router-cluster`. The exposed HTTPS port is 30491, so `portal.https.port` is set to 30491. +|=== + +[%header,cols="1a,4a"] +|=== +| Parameter | Description + +| `portal.hostname` | Domain or IP for accessing KubeSphere Console (replace with actual node IP) + +| `portal.https.port` +`portal.http.port` +| Ports for accessing KubeSphere Console + +| `ingress.enabled` +`ingress.tls.enabled` | Ingress and TLS configurations + +| `ingress.ingressClassName` | IngressClass for the Ingress (must reference a pre-existing IngressClass) +|=== + +== Create OAuth Client + +[source,bash] +---- +cat << EOF | kubectl apply -f - +apiVersion: v1 +stringData: + configuration.yaml: | + name: harbor + secret: password123 + grantMethod: auto + scopeRestrictions: + - 'openid' + - 'email' + - 'profile' + redirectURIs: + - https://harbor.172.31.19.17.nip.io/c/oidc/callback +kind: Secret +metadata: + name: oauthclient-harbor + namespace: kubesphere-system + labels: + config.kubesphere.io/type: oauthclient +type: config.kubesphere.io/oauthclient +EOF +---- + +[%header,cols="1a,4a"] +|=== +| Parameter | Description + +| `metadata.name` +`stringData.configuration.yaml.name` | OAuth Client ID + +| `stringData.configuration.yaml.secret` | OAuth Client Secret + +| `stringData.configuration.yaml.redirectURIs` | List of callback URLs supported by OAuth Client +|=== + +== OIDC Configuration Reference + +Harbor OIDC Configuration +image:/images/ks-qkcp/zh/v4.1.3/configure-harbor.png[] + +Log in to Harbor via OIDC +image:/images/ks-qkcp/zh/v4.1.3/harbor-login.png[] + +Log in to KubeSphere Console +image:/images/ks-qkcp/zh/v4.1.3/ks-login.png[] + +Associate Harbor account at the first-time login +image:/images/ks-qkcp/zh/v4.1.3/first-login.png[] + 
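Review bot: step 6 of the SSO flow says the RP sends a request with the Access Token "to the User device", but in the Authorization Code Flow the RP presents the Access Token to the OP's UserInfo Endpoint, which is exactly what step 7 then describes returning Claims; reword step 6 to "The RP sends a request with the Access Token to the UserInfo Endpoint" so the two steps connect. In the Create OAuth Client block, `secret: password123` is a guessable placeholder that readers will copy verbatim into the Secret that Harbor then uses as its OIDC client secret; replace it with an obviously marked placeholder such as `<generated-client-secret>` and state that it must be generated randomly (for example with `openssl rand -hex 32`) and entered identically in Harbor. The parameter table below that block also omits `grantMethod` and `scopeRestrictions`, both of which appear in the manifest; add rows describing them. Finally, the OIDC Configuration Reference section consists only of screenshots; the issuer/discovery URL, client ID and scopes that Harbor needs should also be given as text so the values are searchable and copyable.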
diff --git a/content/zh/docs/v4.1/04-platform-management/03-platform-settings/03-external-authentication/01-set-up-external-authentication.adoc b/content/zh/docs/v4.1/04-platform-management/03-platform-settings/03-external-authentication/01-set-up-external-authentication.adoc index ed5eccb46..0361b3ebe 100644 --- a/content/zh/docs/v4.1/04-platform-management/03-platform-settings/03-external-authentication/01-set-up-external-authentication.adoc +++ b/content/zh/docs/v4.1/04-platform-management/03-platform-settings/03-external-authentication/01-set-up-external-authentication.adoc @@ -158,6 +158,6 @@ redirectURL: 'https://ks-console/oauth/redirect/github' 阿里云 IDaaS 身份提供者的配置方法,请参阅link:https://www.alibabacloud.com/help/zh/idaas/[阿里云 IDaaS 文档]。 -使用开源 TOPIAM 集成标准OIDC身份提供商配置方法,请参阅link:https://topiam.cn/docs/use-cases/application/kubesphere-oidc/[TOPIAM 集成 KubeSphere 文档]。 +使用开源 TOPIAM 集成标准 OIDC 身份提供商配置方法,请参阅 link:https://topiam.cn/docs/use-cases/application/kubesphere-oidc/[TOPIAM 集成 KubeSphere 文档]。 -- diff --git a/content/zh/docs/v4.1/04-platform-management/03-platform-settings/04-ks-as-oidc-identity-provider.adoc b/content/zh/docs/v4.1/04-platform-management/03-platform-settings/04-ks-as-oidc-identity-provider.adoc new file mode 100644 index 000000000..71ac3631a --- /dev/null +++ b/content/zh/docs/v4.1/04-platform-management/03-platform-settings/04-ks-as-oidc-identity-provider.adoc 
@@ -0,0 +1,109 @@ +--- +title: "作为 OIDC 身份提供者" +keywords: "Kubernetes, KubeSphere, OIDC, 身份提供者" +description: "了解如何配置 OIDC 身份提供者。" +weight: 04 +--- + +OpenID Connect 是一种基于 OAuth 2.0 规范框架(IETF RFC 6749 和 6750)的可互操作的身份验证协议。KubeSphere v4.1.3 实现了 link:https://openid.net/developers/how-connect-works/[OpenID Connect] 协议中的授权码认证流程 link:https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow],用于扩展组件向上对接 KubeSphere 的账户系统。本教程使用 link:https://goharbor.io/[Harbor] 作为 OIDC 客户端,配置完成后将使用 KubeSphere 账户登录 Harbor。 + +== 基于 OIDC 实现 SSO 的基本流程 + +image:/images/ks-qkcp/zh/v4.1.3/oidc-flow.png[, 70%] + +. 终端用户通过浏览器访问网站或网络应用。 +. 终端用户点击登录并输入用户名和密码。 +. 依赖方(客户端)向 OpenID 提供商(OP)发送请求。 +. OpenID 提供商验证用户身份并获取授权。 +. OpenID 提供商返回身份令牌(Identity Token),通常会同时返回访问令牌(Access Token)。 +. 依赖方可使用该访问令牌向用户设备发送请求。 +. 用户信息端点(UserInfo Endpoint)将返回终端用户的相关身份声明信息(Claims)。 + +== 部署 KubeSphere 4.1.3 + +[source,bash] +---- +helm upgrade --install -n kubesphere-system --create-namespace ks-core https://charts.kubesphere.io/main/ks-core-1.1.4.tgz --debug --wait \ + --set portal.hostname=172.31.17.16.nip.io \ + --set portal.https.port=30491 \ + --set ingress.enabled=true \ + --set ingress.tls.enabled=true \ + --set ingress.ingressClassName=kubesphere-router-cluster + +---- + +[.admon.note,cols="a"] +|=== +|说明 + +| +应用配置前需要预先将 ks-console 以 https 方式暴露。此教程中,使用 ingress 方式暴露 ks-console。使用 KubeSphere 网关扩展组件创建集群网关,对应的 IngressClass 为 `kubesphere-router-cluster`。暴露 HTTPS 端口为 30491,将 `portal.https.port` 设置为 30491。 +|=== + +[%header,cols="1a,4a"] +|=== +| 参数 | 说明 + +| `portal.hostname` | 用于访问 KubeSphere Console 的域名或 IP(需替换为实际的节点 IP 地址) + +| `portal.https.port` +`portal.http.port` +| 用于访问 KubeSphere Console 的端口 + +| `ingress.enabled` +`ingress.tls.enabled` | Ingress、TLS 配置 + +| `ingress.ingressClassName` | Ingress 对应的 IngressClass(需要使用已有的 IngressClass) +|=== + +== 新建 OAuth Client + +[source,bash] +---- +cat << EOF | kubectl apply -f - +apiVersion: v1 +stringData: + configuration.yaml: | + name: harbor 
+ secret: password123 + grantMethod: auto + scopeRestrictions: + - 'openid' + - 'email' + - 'profile' + redirectURIs: + - https://harbor.172.31.19.17.nip.io/c/oidc/callback +kind: Secret +metadata: + name: oauthclient-harbor + namespace: kubesphere-system + labels: + config.kubesphere.io/type: oauthclient +type: config.kubesphere.io/oauthclient +EOF +---- + +[%header,cols="1a,4a"] +|=== +| 参数 | 说明 + +| `metadata.name` +`stringData.configuration.yaml.name` | OAuth Client 的 ID + +| `stringData.configuration.yaml.secret` | OAuth Client 的 Secret +| `stringData.configuration.yaml.redirectURIs` | OAuth Client 支持的回调 URL 列表 +|=== + +== OIDC 配置参考 + +以 Harbor 对接 OIDC 为例 +image:/images/ks-qkcp/zh/v4.1.3/configure-harbor.png[] + +使用 OIDC 方式登录 Harbor +image:/images/ks-qkcp/zh/v4.1.3/harbor-login.png[] + +登录 KubeSphere Console +image:/images/ks-qkcp/zh/v4.1.3/ks-login.png[] + +首次登录,关联 Harbor 账号 +image:/images/ks-qkcp/zh/v4.1.3/first-login.png[] \ No newline at end of file diff --git a/static/images/ks-qkcp/zh/v4.1.3/configure-harbor.png b/static/images/ks-qkcp/zh/v4.1.3/configure-harbor.png new file mode 100644 index 000000000..e8a16acc8 Binary files /dev/null and b/static/images/ks-qkcp/zh/v4.1.3/configure-harbor.png differ diff --git a/static/images/ks-qkcp/zh/v4.1.3/first-login.png b/static/images/ks-qkcp/zh/v4.1.3/first-login.png new file mode 100644 index 000000000..c2b0b5841 Binary files /dev/null and b/static/images/ks-qkcp/zh/v4.1.3/first-login.png differ diff --git a/static/images/ks-qkcp/zh/v4.1.3/harbor-login.png b/static/images/ks-qkcp/zh/v4.1.3/harbor-login.png new file mode 100644 index 000000000..6991a8b5c Binary files /dev/null and b/static/images/ks-qkcp/zh/v4.1.3/harbor-login.png differ diff --git a/static/images/ks-qkcp/zh/v4.1.3/ks-login.png b/static/images/ks-qkcp/zh/v4.1.3/ks-login.png new file mode 100644 index 000000000..7d2612a4c Binary files /dev/null and b/static/images/ks-qkcp/zh/v4.1.3/ks-login.png differ 
diff --git a/static/images/ks-qkcp/zh/v4.1.3/oidc-flow.png b/static/images/ks-qkcp/zh/v4.1.3/oidc-flow.png new file mode 100644 index 000000000..cc00f795a Binary files /dev/null and b/static/images/ks-qkcp/zh/v4.1.3/oidc-flow.png differ
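Review bot: in the `01-set-up-external-authentication.adoc` hunk, the whitespace fix (a space before `link:` and around `OIDC`) is correct, but the unchanged context line directly above it, `请参阅link:https://www.alibabacloud.com/help/zh/idaas/[阿里云 IDaaS 文档]`, has the same missing space before `link:`; apply the same fix there so the two adjacent sentences are consistent.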
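Review bot: the new Chinese file `04-ks-as-oidc-identity-provider.adoc` ends with `\ No newline at end of file`; add the trailing newline, which the English counterpart in this patch already has. The Chinese text carries the same two issues as the English file: step 6 (`依赖方可使用该访问令牌向用户设备发送请求`) should say the Access Token is sent to the UserInfo Endpoint (用户信息端点), matching step 7, and `secret: password123` should be replaced with a clearly marked, randomly generated placeholder rather than a value readers will paste as-is. Two smaller consistency points: the `[source,bash]` block here has an extra blank line before the closing `----` that the English version lacks, and the last parameter table has no blank line between the `secret` and `redirectURIs` rows while every other row is separated by one; AsciiDoc accepts both, but matching the English file keeps the rendered output identical. The title `作为 OIDC 身份提供者` and the description also drop the subject (KubeSphere) that the English title states.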