pbertera/oidc-discovery.yaml

## oidc-discovery.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-discovery
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: oidc-discovery
  namespace: oidc-discovery
rules:
- apiGroups:
  - route.openshift.io
  resourceNames:
  - oidc-discovery
  resources:
  - routes
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oidc-discovery
  namespace: oidc-discovery
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: oidc-discovery
  namespace: oidc-discovery
subjects:
- kind: ServiceAccount
  name: oidc-discovery
  namespace: oidc-discovery
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: template
  namespace: oidc-discovery
data:
  template.json: |
    {
      "issuer": "https://${ISSUER}",
      "jwks_uri": "https://${ISSUER}/openid/v1/jwks",
      "response_types_supported": [
          "id_token"
      ],
      "subject_types_supported": [
          "public"
      ],
      "id_token_signing_alg_values_supported": [
          "RS256"
      ]
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oidc-discovery
spec:
  selector:
    matchLabels:
      app: oidc-discovery
  replicas: 1
  template:
    metadata:
      name: oidc-discovery
      namespace: oidc-discovery
      labels:
        app: oidc-discovery
    spec:
      serviceAccount: oidc-discovery
      initContainers:
      - name: oc-cli
        image: registry.redhat.io/openshift4/ose-cli
        args:
        - |
          #echo "export ISSUER=$(oc get infrastructures cluster -o template='{{.status.apiServerURL}}')" > /data/env
          echo "export ISSUER=$(oc get route oidc-discovery -o template='{{.spec.host}}')" > /data/env
          oc get --raw /.well-known/openid-configuration | python -m json.tool > /data/openid-configuration.orig
          oc get --raw /openid/v1/jwks > /data/jwks
        command:
        - /usr/bin/timeout
        - "100"
        - /bin/bash
        - -ex
        - -c
        volumeMounts:
        - name: data
          mountPath: "/data"
      containers:
      - name: main
        ports:
        - containerPort: 8080
          protocol: TCP
        image: registry.access.redhat.com/ubi8/nginx-120:1-54
        args:
        - |
          source /data/env
          echo "OIDC Issuer is $ISSUER"
          echo "Kube API Server Discovery document:"
          cat /data/openid-configuration.orig
          mkdir ${HOME}/.well-known/
          cat /config/template.json | envsubst > ${HOME}/.well-known/openid-configuration
          echo "Serving discovery document:"
          cat ${HOME}/.well-known/openid-configuration
          mkdir -p ${HOME}/openid/v1
          cp /data/jwks ${HOME}/openid/v1/jwks
          echo "Serving JWKS document:"
          cat ${HOME}/openid/v1/jwks
          nginx -g "daemon off;"
        command:
        - /bin/bash
        - -ex
        - -c
        volumeMounts:
        - name: www-data
          mountPath: "/opt/app-root/src"
        - name: data
          mountPath: "/data"
        - name: config
          mountPath: "/config"
      volumes:
      - name: data
        emptyDir: {}
      - name: www-data
        emptyDir: {}
      - name: config
        configMap:
          name: template
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: oidc-discovery
  name: oidc-discovery
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: oidc-discovery
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    app: oidc-discovery
  name: oidc-discovery
spec:
  tls:
    termination: edge
  port:
    targetPort: 8080
  to:
    kind: ""
    name: oidc-discovery
    weight: null
---
#### TEST SA
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
---
### TEST POD
apiVersion: v1
kind: Pod
metadata:
  name: jump
  namespace: oidc-discovery
spec:
  containers:
  - image: smallstep/step-cli
    name: step-cli
    command:
    - /bin/sh
    - -c
    - cat /var/run/secrets/tokens/test-token | step crypto jwt inspect --insecure && sleep inf
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: test-token
  serviceAccountName: test-sa
  volumes:
  - name: test-token
    projected:
      sources:
      - serviceAccountToken:
          path: test-token
          expirationSeconds: 3600
          audience: test
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: oidc-discovery
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: oidc-discovery
	namespace: oidc-discovery
	rules:
	- apiGroups:
	- route.openshift.io
	resourceNames:
	- oidc-discovery
	resources:
	- routes
	verbs:
	- get
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: oidc-discovery
	namespace: oidc-discovery
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: oidc-discovery
	namespace: oidc-discovery
	subjects:
	- kind: ServiceAccount
	name: oidc-discovery
	namespace: oidc-discovery
	---
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: template
	namespace: oidc-discovery
	data:
	template.json: \|
	{
	"issuer": "https://${ISSUER}",
	"jwks_uri": "https://${ISSUER}/openid/v1/jwks",
	"response_types_supported": [
	"id_token"
	],
	"subject_types_supported": [
	"public"
	],
	"id_token_signing_alg_values_supported": [
	"RS256"
	]
	}
	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: oidc-discovery
	spec:
	selector:
	matchLabels:
	app: oidc-discovery
	replicas: 1
	template:
	metadata:
	name: oidc-discovery
	namespace: oidc-discovery
	labels:
	app: oidc-discovery
	spec:
	serviceAccount: oidc-discovery
	initContainers:
	- name: oc-cli
	image: registry.redhat.io/openshift4/ose-cli
	args:
	- \|
	#echo "export ISSUER=$(oc get infrastructures cluster -o template='{{.status.apiServerURL}}')" > /data/env
	echo "export ISSUER=$(oc get route oidc-discovery -o template='{{.spec.host}}')" > /data/env
	oc get --raw /.well-known/openid-configuration \| python -m json.tool > /data/openid-configuration.orig
	oc get --raw /openid/v1/jwks > /data/jwks
	command:
	- /usr/bin/timeout
	- "100"
	- /bin/bash
	- -ex
	- -c
	volumeMounts:
	- name: data
	mountPath: "/data"
	containers:
	- name: main
	ports:
	- containerPort: 8080
	protocol: TCP
	image: registry.access.redhat.com/ubi8/nginx-120:1-54
	args:
	- \|
	source /data/env
	echo "OIDC Issuer is $ISSUER"
	echo "Kube API Server Discovery document:"
	cat /data/openid-configuration.orig
	mkdir ${HOME}/.well-known/
	cat /config/template.json \| envsubst > ${HOME}/.well-known/openid-configuration
	echo "Serving discovery document:"
	cat ${HOME}/.well-known/openid-configuration
	mkdir -p ${HOME}/openid/v1
	cp /data/jwks ${HOME}/openid/v1/jwks
	echo "Serving JWKS document:"
	cat ${HOME}/openid/v1/jwks
	nginx -g "daemon off;"
	command:
	- /bin/bash
	- -ex
	- -c
	volumeMounts:
	- name: www-data
	mountPath: "/opt/app-root/src"
	- name: data
	mountPath: "/data"
	- name: config
	mountPath: "/config"
	volumes:
	- name: data
	emptyDir: {}
	- name: www-data
	emptyDir: {}
	- name: config
	configMap:
	name: template
	---
	apiVersion: v1
	kind: Service
	metadata:
	labels:
	app: oidc-discovery
	name: oidc-discovery
	spec:
	ports:
	- port: 8080
	protocol: TCP
	targetPort: 8080
	selector:
	app: oidc-discovery
	---
	apiVersion: route.openshift.io/v1
	kind: Route
	metadata:
	labels:
	app: oidc-discovery
	name: oidc-discovery
	spec:
	tls:
	termination: edge
	port:
	targetPort: 8080
	to:
	kind: ""
	name: oidc-discovery
	weight: null
	---
	#### TEST SA
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: test-sa
	---
	### TEST POD
	apiVersion: v1
	kind: Pod
	metadata:
	name: jump
	namespace: oidc-discovery
	spec:
	containers:
	- image: smallstep/step-cli
	name: step-cli
	command:
	- /bin/sh
	- -c
	- cat /var/run/secrets/tokens/test-token \| step crypto jwt inspect --insecure && sleep inf
	volumeMounts:
	- mountPath: /var/run/secrets/tokens
	name: test-token
	serviceAccountName: test-sa
	volumes:
	- name: test-token
	projected:
	sources:
	- serviceAccountToken:
	path: test-token
	expirationSeconds: 3600
	audience: test