
GitLab auth provider gets ID tokens and can be used as a k8s oidcTokenProvider #16401


Merged (3 commits, Mar 7, 2023)

Conversation

@jamieklassen (Member) commented Feb 16, 2023

Hey, I just made a Pull Request!

The use case I wanted to support here is viewing http://localhost:3000/catalog/default/component/demo-k8s-service/kubernetes, logging in via gitlab and successfully seeing kube-dns objects.

The setup is extensive, including a kind cluster with config:

apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
kubeadmConfigPatches:
- |-
  kind: ClusterConfiguration
  apiServer:
    extraArgs:
      # must equal the `iss` claim of the ID tokens GitLab issues
      oidc-issuer-url: https://${GITLAB_HOST}
      # must appear in the `aud` claim of those tokens
      oidc-client-id: ${CLIENT_ID}
      # claim the API server maps to the Kubernetes username
      oidc-username-claim: email

and app-config

auth:
  environment: development
  providers:
    gitlab:
      development:
        audience: https://${GITLAB_HOST}
        clientId: ${CLIENT_ID}
        clientSecret: ${CLIENT_SECRET}
kubernetes:
  serviceLocatorMethod:
    type: 'multiTenant'
  clusterLocatorMethods:
    - type: 'config'
      clusters:
        - name: kind-kind
          # shell substitution used to fill in the kind API server address
          url: $(kubectl config view --raw -o jsonpath='{.clusters[?(@.name=="kind-kind")].cluster.server}')
          authProvider: oidc
          oidcTokenProvider: gitlab
          # local development only: skips TLS verification of the kind API server
          skipTLSVerify: true
          skipMetricsLookup: true
catalog:
  locations:
    - type: file
      target: ../../kubernetes.yaml
      rules:
        - allow: [User, Component]

where kubernetes.yaml is

---
apiVersion: backstage.io/v1alpha1
kind: User
metadata:
  name: "${GITLAB_USERID}"
spec:
  memberOf: []
---
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: demo-k8s-service
  annotations:
    'backstage.io/kubernetes-label-selector': 'k8s-app=kube-dns'
spec:
  type: service
  lifecycle: stable
  owner: user:${GITLAB_USERID}

where GITLAB_HOST, CLIENT_ID, CLIENT_SECRET and GITLAB_USERID are hopefully self-explanatory!

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes) n/a
  • All your commits have a Signed-off-by line in the message. (more info)
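The setup above only works if the ID token the GitLab auth provider hands to the Kubernetes plugin matches the `--oidc-*` flags given to the kind API server: `iss` must equal `oidc-issuer-url`, `aud` must contain `oidc-client-id`, and the `oidc-username-claim` (`email`) must be present. The following is an added example, not code from Backstage or from this PR, that decodes an ID token and reports any such mismatch; the host, client ID and token values are hypothetical. It deliberately does not verify the signature (kube-apiserver does that against the issuer's JWKS), so it is a config sanity check, not a substitute for real validation.

```typescript
// Added example (not Backstage code): compare the claims of a GitLab ID token
// with the --oidc-* flags configured on the kube-apiserver, to catch mismatches
// between app-config (audience/clientId) and the kind cluster config.
// Signature and JWKS checks are intentionally omitted; kube-apiserver performs them.

export interface ApiServerOidcFlags {
  issuerUrl: string;     // --oidc-issuer-url
  clientId: string;      // --oidc-client-id
  usernameClaim: string; // --oidc-username-claim
}

function b64urlDecode(s: string): string {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

function b64urlEncode(s: string): string {
  return Buffer.from(s, 'utf8')
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Returns a list of mismatches; an empty list means the claims line up with the
// API server flags (signature and key validity still unchecked here).
export function checkIdTokenClaims(
  idToken: string,
  flags: ApiServerOidcFlags,
  now: number = Math.floor(Date.now() / 1000),
): string[] {
  const parts = idToken.split('.');
  if (parts.length !== 3) {
    return ['not a JWT: expected three dot-separated segments'];
  }
  let claims: Record<string, unknown>;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch {
    return ['payload is not base64url-encoded JSON'];
  }
  const problems: string[] = [];

  if (claims.iss !== flags.issuerUrl) {
    problems.push(`iss "${String(claims.iss)}" != --oidc-issuer-url "${flags.issuerUrl}"`);
  }
  // aud may be a single string or an array of strings
  const aud: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(flags.clientId)) {
    problems.push(`aud ${JSON.stringify(claims.aud)} does not contain --oidc-client-id "${flags.clientId}"`);
  }
  const username = claims[flags.usernameClaim];
  if (typeof username !== 'string' || username.length === 0) {
    problems.push(`--oidc-username-claim "${flags.usernameClaim}" missing or empty`);
  }
  const exp = claims.exp;
  if (typeof exp !== 'number') {
    problems.push('exp claim missing');
  } else if (exp <= now) {
    problems.push('token expired');
  }
  return problems;
}

// Builds a constructed, unsigned-looking token for local experiments; the
// signature segment is a placeholder and would be rejected by a real verifier.
export function sampleIdToken(payload: Record<string, unknown>): string {
  const header = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'example' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.signature-placeholder`;
}

// Hypothetical values standing in for GITLAB_HOST and CLIENT_ID from the PR description.
export const kindFlags: ApiServerOidcFlags = {
  issuerUrl: 'https://gitlab.example.com',
  clientId: 'backstage-client-id',
  usernameClaim: 'email',
};
```

Run `checkIdTokenClaims(token, kindFlags)` on a token obtained from the GitLab provider; any non-empty result points at a specific flag in the kind config or field in app-config to fix. Note that a missing `email` claim is exactly what happens when the `openid` scope (or GitLab's `email` scope) is not requested, which is the scope change discussed further down in this PR.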

@jamieklassen jamieklassen requested review from a team as code owners February 16, 2023 19:32
@jamieklassen jamieklassen requested a review from Rugvip February 16, 2023 19:32
@github-actions github-actions bot added area:auth area:documentation Improvements or additions to documentation labels Feb 16, 2023
backstage-goalie bot commented Feb 16, 2023

Changed Packages

Package Name                  | Package Path               | Changeset Bump | Current Version
@backstage/core-app-api       | packages/core-app-api      | minor          | v1.5.1-next.1
@backstage/core-plugin-api    | packages/core-plugin-api   | minor          | v1.4.1-next.1
@backstage/plugin-kubernetes  | plugins/kubernetes         | patch          | v0.7.9-next.1

github-actions bot commented Feb 16, 2023

Uffizzi Preview deployment-16284 was deleted.

github-actions bot commented Feb 23, 2023

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Feb 23, 2023
@jamieklassen (Member, Author) commented Feb 23, 2023

politely pinging @Rugvip for review or referral to somebody else?

@github-actions github-actions bot removed the stale label Feb 23, 2023
@Rugvip (Member) left a review comment

Thank you! 👍

Makes sense, just a few nits

@jamieklassen force-pushed the gitlab-oidc-k8s branch 3 times, most recently from 8dafc03 to f5ebdec, February 28, 2023 17:01
Jamie Klassen added 3 commits, February 28, 2023 12:47
The changeset justifies this choice

Signed-off-by: Jamie Klassen <jklassen@vmware.com>
Signed-off-by: Jamie Klassen <jklassen@vmware.com>
Signed-off-by: Jamie Klassen <jklassen@vmware.com>
@jamieklassen (Member, Author) commented

@Rugvip I believe I've addressed all your open concerns, but did some force pushes so it might not be obvious how things have changed. Do you mind giving another look?

@Rugvip (Member) left a review comment

Thank you! 👍

I agree the openid scope addition should be fine and maybe even avoids issues in some cases. I'll say that we'll be very quick to revert that change at the first sign of trouble though 😅

Let's :shipit:

@Rugvip Rugvip merged commit de294ce into backstage:master Mar 7, 2023
github-actions bot commented Mar 7, 2023

Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.12.0 release, scheduled for Tue, 14 Mar 2023.
