This is a small helper tool that generates a kubeconfig snippet with user credentials to get authenticated via Kubernetes OpenID Connect Tokens using Cloud Foundry UAA as the Identity Provider.
Given a username and password registered at an UAA server, the tool will output the necessary configuration for kubectl that you can add to your ~/.kube/config:
# Add the following to your ~/.kube/config
users:
- name: [email protected]
user:
auth-provider:
name: oidc
config:
idp-issuer-url: https://<UAA URL>
client-id: cf
client-secret: ""
id-token: <REDACTED>
refresh-token: <REDACTED>
Using the standard go install (you must have Go already installed in your local machine):
$ go install github.com/frodenas/uaa-k8s-oidc-helperTo run the helper inside a Docker container, run:
$ docker run --rm frodenas/uaa-k8s-oidc-helper <flags>
$ uaa-k8s-oidc-helper <flags>| Flag | Required | Default | Description |
|---|---|---|---|
uaa.url |
Yes | UAA URL | |
uaa.username |
Yes | UAA Username to generate credentials for | |
uaa.password |
Yes | UAA Password to generate credentials for | |
uaa.client_id |
No | cf |
UAA Client ID (must have an openid scope) |
uaa.client_secret |
No | UAA Client Secret | |
uaa.skip_ssl_verify |
No | false |
Disable UAA SSL Verify |
Some steps are required to configure Kubernetes OpenID Connect to use Cloud Foundry UAA as the Identity Provider:
Add the following flags to kube-apiserver to configure OpenID Connect:
--oidc-issuer-url=https://<UAA URL>/oauth/token \
--oidc-client-id=<Your client ID> \
Remember that <Your client ID> must have an openid scope. If you're using an UAA server deployed as part of a Cloud Foundry deployment you can use the cf client ID.
If the UAA server is using a self-signed certificate, add also the CA that signed the certificates:
--oidc-ca-file=<path to the CA file> \
If you're using an UAA server deployed as part of a Cloud Foundry deployment with self-signed certificates, remember that the certificate must explicitelly include the uaa hostname (ie a certificate for *.example.com does NOT include uaa.system.example.com, but a *.system.example.com is valid).
Also remember to authorize users to be able to make requests to the the API server:
-
If you are using the ABAC authorization method, you can include all
system:authenticatedusers to your authorization policy file:{ "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "*", "group": "system:authenticated", "apiGroup": "*", "namespace": "*", "resource": "*", "nonResourcePath": "*", "readonly": true } } -
If you are using the RBAC authorization method, you must create a
Role(and/orClusterRole) and aRoleBinding(and/orClusterRoleBinding).
Please refer to the Kubernetes authorization documentation for more details.
No special configuration is required for UAA. Only a client-id with an openid scope must be created.
At the moment of writing these instructions, the current UAA v45 release does not conform to the OIDC specification. This helper tool has been tested using UAA v46 (not yet released).
Refer to the contributing guidelines.
Apache License 2.0, see LICENSE.
This tool has heavily inspired by the k8s-oidc-helper.