OIDC setup for K8s apiserver

[xcorbel]

Hello,

Is anyone have already experience in setup an OIDC provider such as Keycloak.
i find many exemples on how to proceed with kubeadmin or kops such as :
https://medium.com/elmo-software/kubernetes-authenticating-to-your-cluster-using-keycloak-eba81710f49b

how to inject the apiserver flags using talosctl ?

Xavier

[smira]

In Talos, this is configured according to the docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

API server configuration in Talos, you're looking for extraArgs: https://www.talos.dev/v1.3/reference/configuration/#apiserverconfig

Changes can be applied on the fly to the running node, or you can include them as config patches (for controlplane nodes) while generating the machine config.

Something like:

cluster:
  apiServer:
    extraArgs:
      oidc-issuer-url: https://some.url/
      ...

Talos configuration patches: https://www.talos.dev/v1.3/talos-guides/configuration/patching/

[xcorbel]

Hello,
I have aaply the following :

cluster:
  apiServer:
    extraArgs:
      oidcClientID: talos
      oidcGroupsClaim: groups
      oidcGroupsPrefix: 'keycloak:'
      oidcIssuerURL: https://authstaging.pricinghub.net/auth/realms/pricinghub
      oidcUsernameClaim: email

i have applied using :
talosctl patch mc -e 10.xx.xx.xxx -n 10.xx.xx.xxx --patch @../Common/OIDC-Keycloak.yaml
since the apiserver is not working anymore any ideas how to debug it ?

I have rollback the changes using :

talosctl apply-config -f controlplane.yaml -n 10.xx.xx.xxx
talosctl reboot -n 10.xx.xx.xxx

i have realize the args have changed so i give a try with this :

cluster:
  apiServer:
    extraArgs:
      oidc-client-id: talos
      oidc-groups-claim: groups
      oidc-groups-prefix: 'keycloak:'
      oidc-issuer-url: https://authstaging.pricinghub.net/auth/realms/pricinghub
      oidc-username-claim: email

[smira]

you should use the argument names, like oidc-client-id. No need to reboot Talos, changes are applied on the fly.

if the kube-apiserver doesn't start, use talosctl containers -k and talosctl logs -k to check the logs

[skillpoint-dev]

New path of documentation for the discussed API configuration section as of the current version (1.8):

https://www.talos.dev/v1.8/reference/configuration/v1alpha1/config/#Config.cluster.apiServer