Add guides for common OIDC providers
This is a first revision of this guide and likely subject to
extension/improvement going forward but it'll definitely help setting
up Weave GitOps as an OIDC client properly.

Signed-off-by: Max Jonas Werner <[email protected]>
Max Jonas Werner committed Nov 20, 2023
1 parent b9493a8 commit cf7cc2b
Showing 3 changed files with 78 additions and 0 deletions.
@@ -135,6 +135,8 @@ You may decide to give your engineering teams access to the WGE dashboard so the

OIDC extends the OAuth2 authorization protocol by including an additional field (ID Token) that contains information (claims) about a user's identity. After a user successfully authenticates with the OIDC provider, Weave GitOps Enterprise uses this information to impersonate the user in any calls to the Kubernetes API. This allows cluster administrators to use RBAC rules to control access to the cluster and the dashboard.

For more specific examples of how to setup OIDC with Weave GitOps, see [this guide](../../../guides/oidc/).

<Tabs groupId="infrastructure" default>
<TabItem value="Login via an OIDC provider" label="Login via an OIDC provider">

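Review bot: in the added sentence, "how to setup OIDC" should read "how to set up OIDC" (verb form). Also worth confirming that the three-level relative link `../../../guides/oidc/` resolves from this file's directory to the new `website/docs/guides/oidc.mdx`; the rendered view does not show this file's path, and a link relative to the docs root would not depend on that directory depth.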
75 changes: 75 additions & 0 deletions website/docs/guides/oidc.mdx
@@ -0,0 +1,75 @@
---
title: Common OIDC provider configurations
---

This page provides guides for configuring Weave GitOps with the most common OIDC providers.

## Google

Google's identity provider does not support the groups scope which Weave GitOps requests by default. That's why in
this example the `customScopes` field is set to only request the `openid` and `email` scopes.

1. Obtain the client ID and secret by following the [official guide](https://developers.google.com/identity/openid-connect/openid-connect)
from Google.
1. Configure Weave GitOps:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: oidc-auth
namespace: WEAVE_GITOPS_NAMESPACE
stringData:
clientID: CLIENT_ID_FROM_STEP_1
clientSecret: CLIENT_SECRET_FROM_STEP_1
issuerURL: https://accounts.google.com
redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
customScopes: openid,email
```
## Azure AD
1. Obtain the client ID and secret by following the [official guide](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
from Microsoft.
1. [optional] Configure group claims by following this [official guide](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles).
1. Configure Weave GitOps:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: oidc-auth
namespace: WEAVE_GITOPS_NAMESPACE
stringData:
clientID: CLIENT_ID_FROM_STEP_1
clientSecret: CLIENT_SECRET_FROM_STEP_1
issuerURL: https://login.microsoftonline.com/TENANT_ID/v2.0
redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
customScopes: openid
claimUsername: sub
```
## Keycloak
Keycloak is highly customizable so the steps to obtain client ID and secret will vary depending on your setup. The
general steps are very similar and the following steps point to the appropriate pages in the official Keycloak
documentation:
1. Log in to the Keycloak admin console and [create a realm](https://www.keycloak.org/docs/latest/server_admin/#configuring-realms).
1. [Create a client application](https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_server_create_client)
and choose "OpenID Connect" as the client type.
1. Make sure to set the "Client Authenticator" on the "Credentials" tab to "Client Id and Secret" and generate a secret.
1. Configure Weave GitOps:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: oidc-auth
namespace: WEAVE_GITOPS_NAMESPACE
stringData:
clientID: CLIENT_ID_FROM_STEP_2
clientSecret: CLIENT_SECRET_FROM_STEP_3
issuerURL: https://KEYCLOAK_DOMAIN/realms/KEYCLOAK_REALM
redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback
```
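Review bot: the Keycloak section is inconsistent with the reasoning the Google section gives. The Google text states that Weave GitOps requests the `groups` scope by default and overrides `customScopes` for that reason, but the Keycloak example neither sets `customScopes` nor includes a step that creates a `groups` client scope or group-membership mapper in the realm, so a reader following it as written cannot tell whether group-based RBAC will work; either add that step or narrow the scopes as the other two sections do. Two documentation points on the YAML: every example places the raw client secret in `stringData` of a plain `Secret` (`clientSecret: CLIENT_SECRET_FROM_STEP_1`), and for a GitOps product a sentence warning against committing that manifest unencrypted to the repository belongs here. The Azure AD example sets `claimUsername: sub` without explaining the consequence: Azure AD's `sub` is an opaque, per-application identifier rather than an email address, so users need to be told that this is the value they must bind in their RBAC subjects. Minor: the Keycloak step-2 link points at the Authorization Services guide's resource-server page; the server admin guide's section on OpenID Connect clients is the more direct reference for a plain OIDC client, and the file is missing blank lines before `## Azure AD` and between the headings and the lists that follow them.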
1 change: 1 addition & 0 deletions website/sidebars.js
@@ -114,6 +114,7 @@
type: 'category',
label: 'Guides',
items: [
'guides/oidc',
'guides/displaying-custom-metadata',
'guides/fluxga-upgrade',
],

0 comments on commit cf7cc2b