Add guides for common OIDC providers
This is a first revision of this guide and likely subject to extension/improvement going forward, but it'll definitely help with setting up Weave GitOps as an OIDC client properly.

Signed-off-by: Max Jonas Werner <[email protected]>
Max Jonas Werner committed Nov 20, 2023
1 parent b9493a8, commit cf7cc2b
Showing 3 changed files with 78 additions and 0 deletions.
@@ -0,0 +1,75 @@ | ||
--- | ||
title: Common OIDC provider configurations | ||
--- | ||
|
||
This page provides guides for configuring Weave GitOps with the most common OIDC providers. | ||
|
||
|
||
Google's identity provider does not support the groups scope which Weave GitOps requests by default. That's why in | ||
this example the `customScopes` field is set to only request the `openid` and `email` scopes. | ||
|
||
1. Obtain the client ID and secret by following the [official guide](https://developers.google.com/identity/openid-connect/openid-connect) | ||
from Google. | ||
1. Configure Weave GitOps: | ||
|
||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: oidc-auth | ||
namespace: WEAVE_GITOPS_NAMESPACE | ||
stringData: | ||
clientID: CLIENT_ID_FROM_STEP_1 | ||
clientSecret: CLIENT_SECRET_FROM_STEP_1 | ||
issuerURL: https://accounts.google.com | ||
redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback | ||
customScopes: openid,email | ||
``` | ||
## Azure AD | ||
1. Obtain the client ID and secret by following the [official guide](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) | ||
from Microsoft. | ||
1. [optional] Configure group claims by following this [official guide](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles). | ||
1. Configure Weave GitOps: | ||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: oidc-auth | ||
namespace: WEAVE_GITOPS_NAMESPACE | ||
stringData: | ||
clientID: CLIENT_ID_FROM_STEP_1 | ||
clientSecret: CLIENT_SECRET_FROM_STEP_1 | ||
issuerURL: https://login.microsoftonline.com/TENANT_ID/v2.0 | ||
redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback | ||
customScopes: openid | ||
claimUsername: sub | ||
``` | ||
## Keycloak | ||
Keycloak is highly customizable so the steps to obtain client ID and secret will vary depending on your setup. The | ||
general steps are very similar and the following steps point to the appropriate pages in the official Keycloak | ||
documentation: | ||
1. Log in to the Keycloak admin console and [create a realm](https://www.keycloak.org/docs/latest/server_admin/#configuring-realms). | ||
1. [Create a client application](https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_server_create_client) | ||
and choose "OpenID Connect" as the client type. | ||
1. Make sure to set the "Client Authenticator" on the "Credentials" tab to "Client Id and Secret" and generate a secret. | ||
1. Configure Weave GitOps: | ||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: oidc-auth | ||
namespace: WEAVE_GITOPS_NAMESPACE | ||
stringData: | ||
clientID: CLIENT_ID_FROM_STEP_2 | ||
clientSecret: CLIENT_SECRET_FROM_STEP_3 | ||
issuerURL: https://KEYCLOAK_DOMAIN/realms/KEYCLOAK_REALM | ||
redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback | ||
``` |
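Review bot: none of the three procedures tells the reader to register the callback address with the provider, yet every Secret in this hunk sets `redirectURL: BASE_WEAVE_GITOPS_URL/oauth2/callback`; OIDC providers match the redirect URI exactly against what is registered on the client (in Keycloak this is the client's "Valid redirect URIs"), so the login will fail with a redirect-URI mismatch unless a step like "register `BASE_WEAVE_GITOPS_URL/oauth2/callback` as the client's redirect URI" is added to each list before the "Configure Weave GitOps" step. The Google section also appears to be missing its `## Google` heading: the paragraph starting "Google's identity provider does not support the groups scope" follows the intro directly, while Azure AD and Keycloak each have a `##` heading. In the Azure AD example, `customScopes: openid` and `claimUsername: sub` are set without explanation and `TENANT_ID` is never introduced in the steps (unlike `CLIENT_ID_FROM_STEP_1`); a sentence on why the subject identifier is used as the username and where the tenant ID comes from would help readers who need to write RBAC bindings for the resulting usernames. Finally, `customScopes` is omitted in the Keycloak example, so it would be worth stating which scopes Weave GitOps requests by default so that readers know what the Keycloak client must be allowed to issue.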