Open NikolayMarusenko opened 11 months ago
I think @ashu8912 did check a few managed k8s systems with OIDC. @ashu8912 , can you help?
Hello @NikolayMarusenko, yes, Headlamp does work with a GKE OIDC setup, so it is completely feasible to explore this integration. Also, Headlamp doesn't use kubelogin for authentication but instead uses a plain OIDC auth config setup and the go-oidc package to do the auth dance. If you need any help in setting up a GKE cluster with OIDC config or have any questions on the same, I am more than happy to help.
@NikolayMarusenko, we've also added some changes to yesterday's bugfix release (0.19.1) which fix some issues related to OIDC.
I've recently upgraded to the most recent stable version, but unfortunately, I'm still not achieving the desired outcome. Could you kindly furnish me with some sample configurations for Keycloak and the GKE cluster to facilitate integration with Headlamp?
Access via kubectl OIDC works fully in accordance with the official documentation.
GKE client config:

```yaml
apiVersion: authentication.gke.io/v2alpha1
kind: ClientConfig
metadata:
  name: default
spec:
  authentication:
  - name: keycloak-oidc
    oidc:
      clientID: gke
      cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
      groupsClaim: groups
      issuerURI: https://my-keycloak.com/auth/realms/gke
      kubectlRedirectURI: http://localhost:10000/callback
      userClaim: sub
  certificateAuthorityData: >-
    <cert>
  internalServer: ''
  name: <name>
  server: https://<ip>:443
```

Local client config:

```yaml
apiVersion: authentication.gke.io/v2alpha1
kind: ClientConfig
metadata:
  name: default
spec:
  certificateAuthorityData: <cert>
  internalServer: ""
  name: <name>
  server: https://<ip>:443
  authentication:
  - name: keycloak-oidc
    oidc:
      clientID: gke
      clientSecret: <clientSecret>
      cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
      groupsClaim: groups
      issuerURI: https://my-keycloak.com/auth/realms/gke
      kubectlRedirectURI: http://localhost:10000/callback
      userClaim: sub
```

On Keycloak side:

Realm:

```yaml
apiVersion: v1.edp.epam.com/v1
kind: ClusterKeycloakRealm
metadata:
  name: main
spec:
  clusterKeycloakRef: keycloak
  realmName: gke
```

KeycloakRealmGroup:

```yaml
apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmGroup
metadata:
  name: oidc-admins
spec:
  name: oidc-admins
  realm: main
  realmRef:
    kind: ClusterKeycloakRealm
    name: main
```

KeycloakClientScope:

```yaml
apiVersion: v1.edp.epam.com/v1
kind: KeycloakClientScope
metadata:
  name: groups-keycloak-gke
spec:
  description: Group Membership
  name: groups
  protocol: openid-connect
  protocolMappers:
  - config:
      access.token.claim: 'true'
      claim.name: groups
      full.path: 'false'
      id.token.claim: 'true'
      userinfo.token.claim: 'true'
    name: groups
    protocol: openid-connect
    protocolMapper: oidc-group-membership-mapper
  realm: gke
  realmRef:
    kind: KeycloakRealm
    name: gke
```

KeycloakClient:

```yaml
apiVersion: v1.edp.epam.com/v1
kind: KeycloakClient
metadata:
  name: gke
spec:
  advancedProtocolMappers: true
  attributes:
    post.logout.redirect.uris: +
  clientId: gke
  defaultClientScopes:
  - groups
  directAccess: true
  public: false
  realmRef:
    kind: ClusterKeycloakRealm
    name: main
  secret: keycloak-client-headlamp-secret
  targetRealm: gke
  webUrl: 'https://my-headlamp.com'
```
This is similar to the integration with AWS EKS using the edp-keycloak operator: https://epam.github.io/edp-install/operator-guide/eks-oidc-integration/?h=keycloak#eks-oidc-integration
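Added example (Go, standard library only; not Headlamp's code and not part of this thread): a troubleshooting check that decodes the payload of an ID token issued by Keycloak and confirms it carries the `iss`, `aud`, `sub` and `groups` values that the ClientConfig above names. The token is constructed with `alg=none` and its signature is deliberately not verified here, since that is the API server's (and go-oidc's) job; a mismatch on any line is the usual reason a login that works for `kubectl` maps to no groups.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type ClientConfigOIDC struct{ IssuerURI, ClientID, GroupsClaim, UserClaim string } // spec.authentication[].oidc fields of the GKE ClientConfig
// CheckToken decodes a compact JWT's payload WITHOUT verifying the signature and returns one message per mismatch with cfg.
func CheckToken(token string, cfg ClientConfigOIDC) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	c := map[string]any{}
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("payload is not base64url-encoded JSON")
	}
	var p []string
	if c["iss"] != cfg.IssuerURI { // exact match, including scheme and trailing slash
		p = append(p, fmt.Sprintf("iss %v != issuerURI %s", c["iss"], cfg.IssuerURI))
	}
	auds, _ := c["aud"].([]any) // OIDC allows aud to be a string or an array
	if s, ok := c["aud"].(string); ok {
		auds = []any{s}
	}
	hasAud := false
	for _, a := range auds {
		hasAud = hasAud || a == cfg.ClientID
	}
	if !hasAud {
		p = append(p, fmt.Sprintf("aud %v lacks clientID %s", c["aud"], cfg.ClientID))
	}
	if s, ok := c[cfg.UserClaim].(string); !ok || s == "" {
		p = append(p, fmt.Sprintf("userClaim %q missing or empty", cfg.UserClaim))
	}
	if g, ok := c[cfg.GroupsClaim].([]any); !ok || len(g) == 0 {
		p = append(p, fmt.Sprintf("groupsClaim %q missing: is the mapper's id.token.claim 'true'?", cfg.GroupsClaim))
	}
	return p, nil
}

// MakeUnsignedToken builds a constructed alg=none token so the check can run offline (test input only).
func MakeUnsignedToken(claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}
```

Against a real token, paste the ID token from the browser session or `kubectl` cache into `CheckToken` with the values from your ClientConfig; an empty result means the configuration and the token agree.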
Hello colleagues,
Could you please clarify whether there are any updates regarding my case?
Hello colleagues,
We are currently in the process of setting up GKE along with Headlamp. Upon reviewing the official Google documentation at https://cloud.google.com/kubernetes-engine/docs/how-to/oidc, it appears that there is no mention of support for kubelogin, which is utilized by Headlamp behind the scenes. Is it feasible to explore the integration of OIDC between GKE tools and Headlamp, allowing for seamless GKE+Headlamp configuration?