This repository has been archived by the owner on Jul 3, 2023. It is now read-only.
cross-client.md
Cross-client configuration for k8s

The Kubernetes API server can currently be configured with only one OIDC issuer and one client ID (`--oidc-issuer-url` and `--oidc-client-id`): an ID token is accepted only if its `aud` claim contains that client ID. Every application that hands users a token the cluster must accept therefore has to obtain tokens for that one client, even when it is registered in Dex under its own client ID.

You will have to configure cross-client trust for loginapp and keycloak proxy.

A full explanation of cross-client trust (the `trustedPeers` field and the `audience:server:client_id:<id>` scope) can be found in the Dex documentation.

The configuration begins on Dex. Dex matches redirect URIs exactly, so the URI registered for the `cli` client must be identical to loginapp's `oidc.client.redirect_url`, and the `login` client must list `cli` in `trustedPeers`, otherwise Dex refuses the cross-client scope:

staticClients:
    - id: cli
      redirectURIs:
      - 'https://logincli.example.org/callback'   # must equal loginapp's oidc.client.redirect_url
      name: 'Login Application'
      secret: SeCrEtKeyCLI
    - id: login
      redirectURIs:
      - 'https://dashboard.example.org/oauth/callback'
      name: 'Dashboard Application'
      secret: SeCrEtKeyDashboard
      trustedPeers:   # clients allowed to request ID tokens carrying "login" in aud
      - cli

Then you must configure loginapp to use cross-client. The client id and secret are those of the `cli` client above; `cross_clients` names the Dex client whose id the API server is configured with:

name: "Kubernetes Auth"
listen: "0.0.0.0:8080"
oidc:
  client:
    id: "cli"
    secret: SeCrEtKeyCLI
    redirect_url: "https://logincli.example.org/callback"   # registered on the cli client in Dex
  issuer:
    root_ca: "/etc/ssl/ca.pem"
    url: "https://dex.example.org/dex"
  extra_scopes:
    - groups
  offline_as_scope: true
  cross_clients:
  - login   # adds the scope audience:server:client_id:login to the authorization request
tls:
  enabled: false   # plain HTTP on 8080; the https redirect_url implies TLS is terminated in front of loginapp
log:
  level: Info
  format: json

`cross_clients: [login]` is the important field. With it, loginapp asks Dex for the scope `audience:server:client_id:login` in addition to the usual `openid` scopes, and because `login` trusts `cli`, Dex issues an ID token whose `aud` claim contains `login`, with `azp` (authorized party) set to `cli`, the requesting client. An API server started with `--oidc-client-id=login` accepts that token. Without `cross_clients` the token's audience would be `cli` only and the API server would reject it.
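As an added check (example code, not part of loginapp or Dex), the script below applies the claim checks the API server performs on an ID token (issuer, audience, expiry) to two constructed, unsigned tokens: the one loginapp would receive without `cross_clients` (aud `cli` only) and the one it receives with `cross_clients: [login]` (aud containing `login`, azp `cli`). The issuer and client-id constants mirror the API server flags of this setup and are assumed values; the tokens carry no signature, so the script demonstrates only the audience reasoning, not the JWKS signature verification a real API server also performs.

```python
"""Claim-level check of whether an ID token would pass kube-apiserver's
OIDC authenticator for a given --oidc-issuer-url / --oidc-client-id.

Added illustration, not loginapp or Dex code. Tokens below are constructed
test data with an empty signature segment; only claims are inspected.
"""
import base64
import json

# Assumed: mirrors the API server flags used with the Dex/loginapp config above.
APISERVER_ISSUER = "https://dex.example.org/dex"   # --oidc-issuer-url
APISERVER_CLIENT_ID = "login"                       # --oidc-client-id


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; re-adds the padding JWT segments drop."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature (constructed data only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     ""])


def claims_of(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def apiserver_accepts(token: str, issuer: str, client_id: str, now: int) -> tuple:
    """Apply the claim checks kube-apiserver performs: iss must match the
    configured issuer, aud must contain the configured client id, and the
    token must not be expired. Returns (accepted, reason)."""
    c = claims_of(token)
    if c.get("iss") != issuer:
        return False, f"issuer {c.get('iss')!r} != {issuer!r}"
    aud = c.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in auds:
        return False, f"aud {auds} does not contain --oidc-client-id {client_id!r}"
    if int(c.get("exp", 0)) <= now:
        return False, "token expired"
    # azp only tells which client requested the token; the API server keys on aud.
    return True, f"accepted; azp={c.get('azp', 'absent')}"


# Constructed claims shared by both sample tokens.
NOW = 1_700_000_000
_BASE = {"iss": APISERVER_ISSUER, "sub": "CgR1c2VyEgVsb2NhbA",
         "email": "alice@example.org", "groups": ["dev"],
         "iat": NOW, "exp": NOW + 3600}

# What loginapp gets without cross_clients: audience is its own client id.
TOKEN_PLAIN = make_unsigned_token({**_BASE, "aud": "cli"})
# What loginapp gets with cross_clients: [login]: aud carries the trusted
# client, azp names the requester (assumed shape of Dex's cross-client token).
TOKEN_CROSS = make_unsigned_token({**_BASE, "aud": ["login", "cli"], "azp": "cli"})

if __name__ == "__main__":
    for label, tok in (("plain", TOKEN_PLAIN), ("cross-client", TOKEN_CROSS)):
        ok, why = apiserver_accepts(tok, APISERVER_ISSUER, APISERVER_CLIENT_ID, NOW)
        print(f"{label:13s} accepted={ok} ({why})")
```

Running it prints the plain token rejected for a missing `login` audience and the cross-client token accepted, which is the behaviour you should see from `kubectl` once the kubeconfig carries the token loginapp displays.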