Skip to content

Instantly share code, notes, and snippets.

@pbertera
Created August 19, 2022 13:07
Show Gist options
  • Save pbertera/1357195eec067795f135207f6c45e489 to your computer and use it in GitHub Desktop.
Save pbertera/1357195eec067795f135207f6c45e489 to your computer and use it in GitHub Desktop.
OpenShift OIDC Federation
apiVersion: v1
kind: ServiceAccount
metadata:
name: oidc-discovery
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: oidc-discovery
namespace: oidc-discovery
rules:
- apiGroups:
- route.openshift.io
resourceNames:
- oidc-discovery
resources:
- routes
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: oidc-discovery
namespace: oidc-discovery
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: oidc-discovery
namespace: oidc-discovery
subjects:
- kind: ServiceAccount
name: oidc-discovery
namespace: oidc-discovery
---
apiVersion: v1
kind: ConfigMap
metadata:
name: template
namespace: oidc-discovery
data:
template.json: |
{
"issuer": "https://${ISSUER}",
"jwks_uri": "https://${ISSUER}/openid/v1/jwks",
"response_types_supported": [
"id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
]
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oidc-discovery
spec:
selector:
matchLabels:
app: oidc-discovery
replicas: 1
template:
metadata:
name: oidc-discovery
namespace: oidc-discovery
labels:
app: oidc-discovery
spec:
serviceAccount: oidc-discovery
initContainers:
- name: oc-cli
image: registry.redhat.io/openshift4/ose-cli
args:
- |
#echo "export ISSUER=$(oc get infrastructures cluster -o template='{{.status.apiServerURL}}')" > /data/env
echo "export ISSUER=$(oc get route oidc-discovery -o template='{{.spec.host}}')" > /data/env
oc get --raw /.well-known/openid-configuration | python -m json.tool > /data/openid-configuration.orig
oc get --raw /openid/v1/jwks > /data/jwks
command:
- /usr/bin/timeout
- "100"
- /bin/bash
- -ex
- -c
volumeMounts:
- name: data
mountPath: "/data"
containers:
- name: main
ports:
- containerPort: 8080
protocol: TCP
image: registry.access.redhat.com/ubi8/nginx-120:1-54
args:
- |
source /data/env
echo "OIDC Issuer is $ISSUER"
echo "Kube API Server Discovery document:"
cat /data/openid-configuration.orig
mkdir ${HOME}/.well-known/
cat /config/template.json | envsubst > ${HOME}/.well-known/openid-configuration
echo "Serving discovery document:"
cat ${HOME}/.well-known/openid-configuration
mkdir -p ${HOME}/openid/v1
cp /data/jwks ${HOME}/openid/v1/jwks
echo "Serving JWKS document:"
cat ${HOME}/openid/v1/jwks
nginx -g "daemon off;"
command:
- /bin/bash
- -ex
- -c
volumeMounts:
- name: www-data
mountPath: "/opt/app-root/src"
- name: data
mountPath: "/data"
- name: config
mountPath: "/config"
volumes:
- name: data
emptyDir: {}
- name: www-data
emptyDir: {}
- name: config
configMap:
name: template
---
apiVersion: v1
kind: Service
metadata:
labels:
app: oidc-discovery
name: oidc-discovery
spec:
ports:
- port: 8080
protocol: TCP
targetPort: 8080
selector:
app: oidc-discovery
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
labels:
app: oidc-discovery
name: oidc-discovery
spec:
tls:
termination: edge
port:
targetPort: 8080
to:
kind: ""
name: oidc-discovery
weight: null
---
#### TEST SA
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-sa
---
### TEST POD
apiVersion: v1
kind: Pod
metadata:
name: jump
namespace: oidc-discovery
spec:
containers:
- image: smallstep/step-cli
name: step-cli
command:
- /bin/sh
- -c
- cat /var/run/secrets/tokens/test-token | step crypto jwt inspect --insecure && sleep inf
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: test-token
serviceAccountName: test-sa
volumes:
- name: test-token
projected:
sources:
- serviceAccountToken:
path: test-token
expirationSeconds: 3600
audience: test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment