Skip to content

project-octal/terraform-kubernetes-api-oidc-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
ingress
ingress
 
 
.gitignore
.gitignore
 
 
.terraform.lock.hcl
.terraform.lock.hcl
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

terraform-kubernetes-api-oidc-auth

Simplifies the configuration of OIDC authentication for the Kubernetes API server.

TODO

  • Create configuration guides for various cloud providers.

Pre-requisites

  • A public OIDC auth application that doesn't require a client secret (otherwise known as a public application).
  • The Kubernetes API Server needs to be configured to use OIDC authentication: More Information
# example kube-api-server arguments
--oidc-issuer-url https://{ISSUER_URL}/
--oidc-client-id {CLIENT_ID}
--oidc-username-claim email
--oidc-groups-claim {GROUP_CLAIM}
--oidc-groups-prefix oidc:

# Homebrew (macOS and Linux)
brew install int128/kubelogin/kubelogin

# Krew (macOS, Linux, Windows and ARM)
kubectl krew install oidc-login

# Chocolatey (Windows)
choco install kubelogin
  • The kubeconfig will need a user configured to leverage the OIDC credentials.
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://{ISSUER_URL}/
      - --oidc-client-id={CLIENT_ID}
      - --oidc-extra-scope=email
      - --oidc-extra-scope={GROUP_CLAIM}

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages