Make kube-apiserver oidc flags configurable

[jschoone]

/kind feature

Describe the solution you'd like As an SCS consumer I want to be able to use external auth services e.g. to use my existing IAM roles in Kubernetes. Here are the available oidc flags.

Example I tested with this fixed values to auth with GitHub:

apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlaneTemplate
metadata:
  name: {{ .Release.Name }}-{{ .Chart.Version }}-control-plane
spec:
  template:
    spec:
      kubeadmConfigSpec:
        clusterConfiguration:
          apiServer:
            extraArgs:
              cloud-provider: external
              oidc-client-id: kubectl
              oidc-issuer-url: https://dex.k8s.scs.community
              oidc-username-claim: preferred_username
              oidc-groups-claim: groups
              oidc-username-prefix: oidc
              oidc-groups-prefix: oidc

My username in Kubernetes then is oidcjschoone. The example value for --oidc-username-prefix is oidc: but I failed to add the colon and didn't care for the further tests.

The mentioned dex.k8s.scs.community still runs an can be used. It is configured like this:

config:
  issuer: https://dex.k8s.scs.community
  storage:
    type: memory
  connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: <clientID>
        clientSecret: <clientSecret>
        redirectURI: https://dex.k8s.scs.community/callback
        scopes:
          - user
          - read:org
        loadAllGroups: true
        orgs:
        - name: SovereignCloudStack
        teamNameField: slug
        useLoginAsID: true
  staticClients:
    - id: kubectl
      redirectURIs:
        - http://localhost:8000
        - http://localhost:18000
      public: true
      name: rocket