This manual explains how to configure OIDC providers for use with Kubermatic Kubernetes Platform (KKP).
By default, KKP uses Dex located on the same host, reachable under the following base URL:
<PROTOCOL>//<HOST>/dex/auth
Where:
- PROTOCOL is the protocol currently in use
- HOST is the host currently in use

The base URL is followed by the following query parameters:
<BASE_URL>?response_type=<RESPONSE_TYPE>&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=<SCOPE>&nonce=<NONCE>
Where:
- BASE_URL is the OIDC provider base URL
- RESPONSE_TYPE is set to id_token
- CLIENT_ID is set to kubermatic
- REDIRECT_URI is set to <PROTOCOL>//<HOST>/projects, which is the root view of the application
- SCOPE is set to openid email profile groups
- NONCE is a randomly generated, 32-character string

The default configuration can be changed, as KKP supports other OIDC providers as well.
The configuration is located in the config.json file, which is part of the application configuration. Check the Creating the Master Cluster values.yaml to find out how to specify the config.
Two optional parameters can be specified in the config:
- oidc_provider_url changes the base URL of the OIDC provider (BASE_URL)
- oidc_provider_scope changes the scope requested from the OIDC provider (SCOPE)

A configuration for an OIDC provider may look like this:
{
  "cleanup_cluster": false,
  "custom_links": [],
  "default_node_count": 3,
  "openstack": {
    "wizard_use_default_user": false
  },
  "share_kubeconfig": false,
  "show_demo_info": false,
  "show_terms_of_service": false,
  "oidc_provider_url": "https://keycloak.kubermatic.test/auth/realms/test/protocol/openid-connect/auth",
  "oidc_provider_scope": "openid email profile roles"
}
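As an added, runnable illustration (not KKP's own code), the following Go program ties the two halves of this page together: it reads the two optional config.json keys and falls back to the Dex defaults described above, assembles the authorization request with the parameters in the order shown, generates the 32-character nonce, and checks the nonce claim of the returned ID token against the one stored for the login session. The Config type, the function names, the requirement that oidc_provider_url use https, the requirement that the scope include openid, and the sample host kkp.example.test are assumptions made for this example; the ID token's signature is assumed to have been verified by the OIDC library before VerifyNonce is called.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Config models only the two optional OIDC keys from config.json named on the
// page; the other keys in the sample file are ignored by json.Unmarshal.
type Config struct {
	OIDCProviderURL   string `json:"oidc_provider_url"`
	OIDCProviderScope string `json:"oidc_provider_scope"`
}

const (
	defaultScope = "openid email profile groups" // SCOPE default from the page
	clientID     = "kubermatic"                  // CLIENT_ID from the page
	responseType = "id_token"                    // RESPONSE_TYPE from the page
)

// LoadConfig parses config.json content and applies the defaults the page
// describes: Dex on the same host under /dex/auth and the default scope.
// The https and openid checks are added hardening, not something KKP enforces.
func LoadConfig(raw []byte, scheme, host string) (Config, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return Config{}, err
	}
	if c.OIDCProviderURL == "" {
		c.OIDCProviderURL = fmt.Sprintf("%s://%s/dex/auth", scheme, host)
	}
	if c.OIDCProviderScope == "" {
		c.OIDCProviderScope = defaultScope
	}
	u, err := url.Parse(c.OIDCProviderURL)
	if err != nil || !u.IsAbs() || u.Host == "" {
		return Config{}, errors.New("oidc_provider_url must be an absolute URL")
	}
	if u.Scheme != "https" {
		return Config{}, errors.New("oidc_provider_url must use https")
	}
	if !strings.Contains(" "+c.OIDCProviderScope+" ", " openid ") {
		return Config{}, errors.New("oidc_provider_scope must include openid")
	}
	return c, nil
}

// NewNonce returns 24 random bytes encoded as 32 URL-safe characters, matching
// the 32-character length the page states.
func NewNonce() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthURL assembles the authorization request in the parameter order the page
// shows, with REDIRECT_URI pointing at the application's /projects root view.
func AuthURL(c Config, scheme, host, nonce string) string {
	redirect := fmt.Sprintf("%s://%s/projects", scheme, host)
	sep := "?"
	if strings.Contains(c.OIDCProviderURL, "?") {
		sep = "&"
	}
	return c.OIDCProviderURL + sep +
		"response_type=" + url.QueryEscape(responseType) +
		"&client_id=" + url.QueryEscape(clientID) +
		"&redirect_uri=" + url.QueryEscape(redirect) +
		"&scope=" + url.QueryEscape(c.OIDCProviderScope) +
		"&nonce=" + url.QueryEscape(nonce)
}

// VerifyNonce compares the nonce claim of an already signature-verified ID
// token with the one stored for the login session, in constant time, and
// consumes the stored value so the same token cannot be accepted twice.
func VerifyNonce(claims map[string]any, session map[string]string) error {
	expected, ok := session["nonce"]
	if !ok || expected == "" {
		return errors.New("no pending nonce for this session")
	}
	delete(session, "nonce")
	got, _ := claims["nonce"].(string)
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return errors.New("id_token nonce does not match the login request")
	}
	return nil
}

func main() {
	// Constructed sample: the page's Keycloak settings plus a hypothetical KKP host.
	raw := []byte(`{"oidc_provider_url": "https://keycloak.kubermatic.test/auth/realms/test/protocol/openid-connect/auth",
	               "oidc_provider_scope": "openid email profile roles"}`)
	cfg, err := LoadConfig(raw, "https", "kkp.example.test")
	if err != nil {
		panic(err)
	}
	nonce, err := NewNonce()
	if err != nil {
		panic(err)
	}
	session := map[string]string{"nonce": nonce} // stored server-side for this login
	fmt.Println(AuthURL(cfg, "https", "kkp.example.test", nonce))
	claims := map[string]any{"sub": "alice", "nonce": nonce} // constructed decoded ID token claims
	fmt.Println("nonce check:", VerifyNonce(claims, session))
}
```

The nonce is what ties the ID token returned to the browser back to the authorization request that the application issued; checking it (and discarding it after one use) is what stops a token minted for a different login from being pasted into this session. Because the flow uses response_type=id_token, the token arrives in the redirect fragment, so the nonce check and the signature and audience checks are the only binding the relying party has.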