headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0
1.9k stars, 141 forks

Add integration with GKE+OIDC #1338

Open NikolayMarusenko opened 11 months ago

NikolayMarusenko commented 11 months ago

Hello colleagues,

We are currently in the process of setting up GKE along with Headlamp. Upon reviewing the official Google documentation at https://cloud.google.com/kubernetes-engine/docs/how-to/oidc, it appears that there is no mention of support for kubelogin, which is utilized by Headlamp behind the scenes. Is it feasible to explore the integration of OIDC between GKE tools and Headlamp, allowing for seamless GKE+Headlamp configuration?

joaquimrocha commented 11 months ago

I think @ashu8912 did check a few managed k8s systems with OIDC. @ashu8912 , can you help?

ashu8912 commented 11 months ago

Hello @NikolayMarusenko, yes, Headlamp does work with the GKE OIDC setup, so it is completely feasible to explore this integration. Also, Headlamp doesn't use kubelogin for authentication but instead uses a plain OIDC auth config setup and the go-oidc package to do the auth dance. If you need any help in setting up a GKE cluster with an OIDC config or have any questions on the same, I am more than happy to help.

joaquimrocha commented 11 months ago

@NikolayMarusenko , We've also added some changes to yesterday's bugfix release (0.19.1) which fix some issues related to OIDC.

NikolayMarusenko commented 11 months ago

I've recently upgraded to the most recent stable version, but unfortunately, I'm still not achieving the desired outcome. Could you kindly furnish me with some sample configurations for Keycloak and the GKE cluster to facilitate integration with Headlamp?

Accesses via kubectl oidc work fully in accordance with the official documentation.

NikolayMarusenko commented 11 months ago

GKE client config:

apiVersion: authentication.gke.io/v2alpha1
kind: ClientConfig
metadata:
  name: default
spec:
  authentication:
    - name: keycloak-oidc
      oidc:
        clientID: gke
        cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
        groupsClaim: groups
        issuerURI: https://my-keycloak.com/auth/realms/gke
        kubectlRedirectURI: http://localhost:10000/callback
        userClaim: sub
  certificateAuthorityData: >-
    <cert>
  internalServer: ''
  name: <name>
  server: https://<ip>:443

Local client config:

apiVersion: authentication.gke.io/v2alpha1
kind: ClientConfig
metadata:
  name: default
spec:
  certificateAuthorityData: <cert>
  internalServer: ""
  name: <name>
  server: https://<ip>:443
  authentication:
    - name: keycloak-oidc
      oidc:
        clientID: gke
        clientSecret: <clientSecret>
        cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
        groupsClaim: groups
        issuerURI: https://my-keycloak.com/auth/realms/gke
        kubectlRedirectURI: http://localhost:10000/callback
        userClaim: sub

On Keycloak side:

Realm:

apiVersion: v1.edp.epam.com/v1
kind: ClusterKeycloakRealm
metadata:
  name: main
spec:
  clusterKeycloakRef: keycloak
  realmName: gke

KeycloakRealmGroup:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmGroup
metadata:
  name: oidc-admins
spec:
  name: oidc-admins
  realm: main
  realmRef:
    kind: ClusterKeycloakRealm
    name: main

KeycloakClientScope:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakClientScope
metadata:
  name: groups-keycloak-gke
spec:
  description: Group Membership
  name: groups
  protocol: openid-connect
  protocolMappers:
    - config:
        access.token.claim: 'true'
        claim.name: groups
        full.path: 'false'
        id.token.claim: 'true'
        userinfo.token.claim: 'true'
      name: groups
      protocol: openid-connect
      protocolMapper: oidc-group-membership-mapper
  realm: gke
  realmRef:
    kind: KeycloakRealm
    name: gke

KeycloakClient:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakClient
metadata:
  name: gke
spec:
  advancedProtocolMappers: true
  attributes:
    post.logout.redirect.uris: +
  clientId: gke
  defaultClientScopes:
    - groups
  directAccess: true
  public: false
  realmRef:
    kind: ClusterKeycloakRealm
    name: main
  secret: keycloak-client-headlamp-secret
  targetRealm: gke
  webUrl: 'https://my-headlamp.com'

Similar to the integration with AWS EKS using the edp-keycloak operator: https://epam.github.io/edp-install/operator-guide/eks-oidc-integration/?h=keycloak#eks-oidc-integration
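As an added example (not code from Headlamp, GKE, Keycloak or the issue author), the Go program below shows with only the standard library what the `oidc:` block of the ClientConfig above asks the relying party to do with an ID token, whether that relying party is go-oidc inside Headlamp, as ashu8912 describes earlier in the thread, or the OIDC authenticator on the cluster side: verify the signature against the issuer's key, check `iss` against `issuerURI`, `aud` against `clientID` and `exp` against the clock, and only then map `userClaim` and `groupsClaim` onto a Kubernetes user and groups. The RSA key, the tokens and the `sub` value are constructed inline so that it runs offline; a real relying party fetches the signing keys from the issuer's JWKS via discovery and never mints tokens itself, and `aud` may also arrive as a JSON array, which this simplified check does not accept.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// OIDCConfig: the ClientConfig `oidc:` fields that drive validation and identity mapping.
type OIDCConfig struct{ IssuerURI, ClientID, UserClaim, GroupsClaim string }

// Identity: the username RBAC subjects are matched against, plus the groups from groupsClaim.
type Identity struct{ User string; Groups []string }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintIDToken produces an RS256-signed JWT. It stands in for Keycloak's token endpoint
// so the example runs offline; a relying party never signs ID tokens itself.
func MintIDToken(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	in := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	d := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return in + "." + b64(sig), err
}

// VerifyIDToken does what an OIDC relying party (go-oidc inside Headlamp, the OIDC
// authenticator on the cluster side) must do before trusting an ID token: verify the
// signature with the issuer's key (always RSA here, whatever the header says), check
// iss, aud and exp, and only then read userClaim and groupsClaim into an Identity.
func VerifyIDToken(cfg OIDCConfig, pub *rsa.PublicKey, token string, now time.Time) (Identity, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Identity{}, errors.New("malformed token")
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return Identity{}, errors.New("bad signature")
	}
	var claims map[string]any
	if p, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &claims) != nil {
		return Identity{}, errors.New("malformed payload")
	}
	if claims["iss"] != cfg.IssuerURI {
		return Identity{}, fmt.Errorf("issuer %v is not %s", claims["iss"], cfg.IssuerURI)
	}
	if claims["aud"] != cfg.ClientID { // Keycloak sends a string aud for a single client
		return Identity{}, fmt.Errorf("token was not issued for client %s", cfg.ClientID)
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return Identity{}, errors.New("token expired or has no exp")
	}
	user, _ := claims[cfg.UserClaim].(string)
	if user == "" {
		return Identity{}, fmt.Errorf("user claim %q missing", cfg.UserClaim)
	}
	id := Identity{User: user}
	groups, _ := claims[cfg.GroupsClaim].([]any)
	for _, g := range groups {
		if s, ok := g.(string); ok {
			id.Groups = append(id.Groups, s)
		}
	}
	return id, nil
}

// Demo runs three constructed tokens through the verifier with the thread's config: a valid
// one for a member of oidc-admins, one issued to a different client, and one already expired.
func Demo() (id Identity, wrongAud, expired, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	cfg := OIDCConfig{IssuerURI: "https://my-keycloak.com/auth/realms/gke", ClientID: "gke",
		UserClaim: "sub", GroupsClaim: "groups"}
	now := time.Now()
	// check mints a token with constructed claims (the sub is a made-up Keycloak user id).
	check := func(aud string, exp time.Time) (Identity, error) {
		tok, e := MintIDToken(key, map[string]any{"iss": cfg.IssuerURI, "aud": aud, "exp": exp.Unix(),
			"sub": "8d6c7e1a-0000-4000-8000-000000000001", "groups": []string{"oidc-admins"}})
		if e != nil {
			return Identity{}, e
		}
		return VerifyIDToken(cfg, &key.PublicKey, tok, now)
	}
	id, err = check(cfg.ClientID, now.Add(5*time.Minute))
	_, wrongAud = check("other-client", now.Add(5*time.Minute))
	_, expired = check(cfg.ClientID, now.Add(-time.Minute))
	return
}
```

One thing the mapping step makes visible: with `userClaim: sub`, the username the cluster sees is Keycloak's opaque subject id, not a login name, so a RoleBinding that names a user must use that id; binding the `oidc-admins` group delivered through `groupsClaim` (the `groups` mapper in the KeycloakClientScope above) avoids that dependence on per-user ids.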

NikolayMarusenko commented 10 months ago

Hello colleagues,

Could you please clarify, do we have updates regarding my case?