hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Data source for GKE OpenID configuration (OIDC) #10603

Open riptl opened 2 years ago

riptl commented 2 years ago

Description

Starting with Kubernetes 1.21, the Service Account Issuer Discovery feature is enabled by default, which allows federating service account JWTs.

This integration requires retrieving the OpenID "well-known" document containing the service account issuer URL and JWKS. Hashicorp's Vault Kubernetes auth backend (via vault-k8s) is a notable example.

Usually, this document can be retrieved by tunneling to the Kubernetes API server.

kubectl proxy &
curl --silent http://127.0.0.1:8001/.well-known/openid-configuration

This approach is not easy to automate / make repeatable.

The Google Kubernetes Engine API also provides an endpoint to get the same information.

Obtaining this information via Terraform would streamline the deployment of Kubernetes resources running on GKE using the Service Account Issuer API. Therefore I propose adding a data source to the GKE functionality of the google provider.

New or Affected Resource(s)

Potential Terraform Configuration

data "google_container_openid_config" "default" {
    project  = "my-first-project-12345"
    name     = "my-cluster"
    location = "us-east1-a"
}

output "oidc_config" {
    value = data.google_container_openid_config.default
}

References

alexsomesan commented 11 months ago

In case this is still relevant, your ask can now be accomplished using the kubernetes_resource data source from the Kubernetes provider.

For the default config in a GKE cluster, it looks like this:

data "kubernetes_resource" "oidc" {
  api_version = "authentication.gke.io/v2alpha1"
  kind        = "ClientConfig"

  metadata {
    name      = "default"
    namespace = "kube-public"
  }
}

EronWright commented 3 months ago

I believe that @alexsomesan is referring to the GKE Identity Service as described here: https://cloud.google.com/anthos/identity/setup/per-cluster#configure_clusters

Does the ClientConfig contain the cluster's own OIDC discovery document? I would guess 'no' because ClientConfig seems geared towards using external OIDC providers to authenticate to the GKE cluster.

rbtcollins commented 2 months ago

It can be calculated in terraform though:

"https://container.googleapis.com/v1/projects/${var.project_id}/locations/${var.region}/clusters/${var.cluster_name}/.well-known/openid-configuration"

Not as nice as an attribute on the cluster, but something.
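Building on the URL above, here is an added example (not from the issue thread or the provider) that reads the discovery document in Terraform with the hashicorp/http data source and refuses it unless the returned issuer matches the cluster it was asked for, before exporting the values a JWT consumer such as Vault needs. The variable names, the `http` provider, Terraform >= 1.2 (for postconditions) and an unauthenticated discovery endpoint are assumptions.

```hcl
# Added example: derive the GKE service account issuer from cluster coordinates,
# fetch its discovery document and validate it before exporting issuer/jwks_uri.
# Assumes the hashicorp/http provider and Terraform >= 1.2 (postconditions).

variable "project_id" {
  type = string
}

variable "location" {
  type = string # region or zone of the cluster
}

variable "cluster_name" {
  type = string
}

locals {
  # GKE issues service account tokens with this issuer; discovery lives under it.
  issuer = "https://container.googleapis.com/v1/projects/${var.project_id}/locations/${var.location}/clusters/${var.cluster_name}"
}

# No Authorization header: the discovery endpoint is assumed to answer without
# credentials, which is how external JWT consumers read it.
data "http" "oidc_discovery" {
  url = "${local.issuer}/.well-known/openid-configuration"

  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "Discovery document fetch failed (HTTP ${self.status_code})."
    }
    # Only trust a document whose issuer is exactly the cluster we asked for,
    # so downstream trust (e.g. Vault JWT auth) cannot be pointed at another issuer.
    postcondition {
      condition     = jsondecode(self.response_body).issuer == local.issuer
      error_message = "Issuer in discovery document does not match the expected cluster issuer."
    }
  }
}

locals {
  oidc = jsondecode(data.http.oidc_discovery.response_body)
}

output "issuer" {
  value = local.oidc.issuer
}

output "jwks_uri" {
  value = local.oidc.jwks_uri
}
```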

alex-ikse commented 1 month ago

To work with the OpenID .well-known document, you can use the wellknownoidc terraform provider. It could be used to read OpenID configurations but also to convert JWKS formatted keys to PEM if needed.