Document how to use OIDC authentication #967
Conversation
docs/user/using-an-OIDC-provider.md
Outdated
The above is a sample deployment, depending on the configuration of the Identity Provider those flags may vary. For this example we use:

- `--client-id`, `--client-secret` and `--discovery-url`: Client ID, Secret and IdP URL as stated in the section above.
- `--skip-openid-provider-tls-verify`, `--secure-cookie=false`: If the `discovery-url` is served through HTTPS with a self-signed certificate (i.e. Keycloak or Dex), those flags are necessary to avoid errors while validating the TLS certificate.
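Review bot: the second bullet attributes both flags to the self-signed certificate, but only `--skip-openid-provider-tls-verify` affects validation of the `discovery-url`; `--secure-cookie=false` controls whether the session cookie carries the Secure attribute, which matters when Kubeapps itself is served over plain HTTP and has nothing to do with the IdP's certificate. Suggest splitting the bullet so each flag states its own reason, and changing "i.e. Keycloak or Dex" to "e.g.", since those are examples rather than the definition of the case.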
I don't think this is important enough for us to mention; we can point to the Keycloak Gatekeeper docs for more configuration options.
Do you mean that you wouldn't show the explanation of these 2 flags, or all the flags? I think it's important to mention this, since in all the guides I have found for Keycloak/Dex people use a self-signed certificate (which may be good enough for internal clusters).
Since, if you don't use those flags, it is difficult to debug the problem (I experienced that first hand), I think it is helpful for us to specify it.
It's true that we should not include it by default, though, so I will move the explanation of these flags to a note.
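A check for the situation this comment describes, added here as an example; it is not code from the PR, from Kubeapps or from keycloak-gatekeeper. It fetches the discovery document in isolation so the TLS failure against a self-signed IdP is reported plainly, and it shows the two ways to deal with that certificate: trusting the IdP's CA, or disabling verification, which is what `--skip-openid-provider-tls-verify` does in the proxy. The hostnames and the sample discovery document in it are constructed.

```python
"""Check an OIDC discovery URL the way keycloak-gatekeeper does at startup.

Added example for this thread, not code from Kubeapps or keycloak-gatekeeper. It
fetches <discovery-url>/.well-known/openid-configuration in isolation so a TLS
failure against a self-signed IdP is reported plainly, and shows the two ways to
handle that certificate: trust the IdP's CA (preferred) or disable verification,
which is what --skip-openid-provider-tls-verify does in gatekeeper.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document (the hostname is made up) for offline use.
SAMPLE_ISSUER = "https://keycloak.example.local/auth/realms/kubeapps"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": SAMPLE_ISSUER + "/protocol/openid-connect/certs",
}


def build_ssl_context(cafile=None, skip_verify=False):
    """cafile: PEM bundle containing the IdP's (self-signed) CA; the safe option.
    skip_verify: same effect as --skip-openid-provider-tls-verify. With it set,
    anything on the network path can impersonate the IdP and mint tokens, so
    keep it for local testing only."""
    ctx = ssl.create_default_context(cafile=cafile)
    if skip_verify:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def discovery_url_for(issuer):
    return issuer.rstrip("/") + WELL_KNOWN


def validate_discovery(doc, expected_issuer):
    """Sanity checks a relying party needs: required endpoints present, the
    issuer in the document equal to the one we asked for (otherwise tokens are
    minted under a name other than the one the proxy validates against), and
    https on every endpoint. Returns a list of problems; empty means OK."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {issuer!r}, expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


def fetch_discovery(issuer, cafile=None, skip_verify=False, timeout=10):
    """Returns (document, problems). Raises urllib.error.URLError on connection
    or TLS failure, which the proxy only reports indirectly."""
    ctx = build_ssl_context(cafile, skip_verify)
    url = discovery_url_for(issuer)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        doc = json.load(resp)
    return doc, validate_discovery(doc, issuer)


def main(argv):
    if len(argv) < 2:                     # offline demo on the constructed document
        problems = validate_discovery(SAMPLE_DISCOVERY, SAMPLE_ISSUER)
        print("sample document:", "OK" if not problems else problems)
        return 0
    issuer, extra = argv[1], argv[2:]
    skip = "--insecure" in extra
    cafile = next((a for a in extra if a != "--insecure"), None)
    try:
        doc, problems = fetch_discovery(issuer, cafile, skip)
    except urllib.error.URLError as err:
        reason = getattr(err, "reason", err)
        if isinstance(reason, ssl.SSLCertVerificationError):
            print(f"TLS verification failed for {issuer}: {reason.verify_message}")
            print("Fix: pass the IdP's CA bundle; for local testing only, "
                  "run gatekeeper with --skip-openid-provider-tls-verify")
        else:
            print(f"could not reach {discovery_url_for(issuer)}: {reason}")
        return 1
    for p in problems:
        print("WARN:", p)
    if not problems:
        print("OK: issuer", doc["issuer"], "jwks_uri", doc["jwks_uri"])
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 oidc_check.py https://<idp>/auth/realms/<realm> ca.pem` to confirm the certificate chain before touching the proxy flags; with no arguments it validates the constructed sample document offline. The `--insecure` switch exists only to reproduce what the skip-verify flag gives up: hostname and chain checks are both off, so the output no longer proves you are talking to the real IdP.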
> Do you mean that you wouldn't show the explanation of these 2 flags or all the flags?

These two flags.

> It's true that we should not include it by default though so I will move the explanation of these flags to a note.

That sounds okay, but honestly the less we document the better; it's less work to maintain. We could just as easily point to the keycloak-gateway docs and hopefully someone finds it there.
Thanks a lot for this, and +1 for adding the documentation about a hardcoded token! I mostly have some rephrasing suggestions.
Co-Authored-By: andresmgot <andres.mgotor@gmail.com>
I think I have addressed your comments @prydonius; let me know if I missed something.
lgtm, thanks!
- `--resources=uri=/api/kube/*|white-listed=true`: This setting enables WebSockets to work correctly, which Kubeapps relies on to show up-to-date information. Kubeapps handles the injection of the OIDC token into every Kubernetes API request, so it is not necessary for Keycloak Gatekeeper to do it.
- `listen=0.0.0.0:3000`: Listen in all the interfaces.

**NOTE**: If the identity provider is deployed with a self-signed certificate (which may be the case for Keycloak or Dex) you will need to disable the TLS and cookie verification. For doing so you can add the flags `--skip-openid-provider-tls-verify` and `--secure-cookie=false` to the deployment above. You can find more options for the `keycloak-gatekeeper` proxy [here](https://www.keycloak.org/docs/latest/securing_apps/index.html#_keycloak_generic_adapter).
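Review bot: the NOTE says a self-signed certificate requires disabling "the TLS and cookie verification", but `--secure-cookie=false` does not verify anything; it drops the Secure attribute so the browser will send the session cookie over plain HTTP, which is only needed when Kubeapps itself is not served over HTTPS. Suggest rewording to "you will need to skip TLS verification of the provider with `--skip-openid-provider-tls-verify`; if Kubeapps is exposed over plain HTTP, also add `--secure-cookie=false`", and adding one sentence that skipping provider TLS verification removes any assurance that the proxy is talking to the real IdP, so it belongs in test clusters only.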
great, thanks 👍
Co-Authored-By: andresmgot <andres.mgotor@gmail.com>
Closes #947
Closes #948