This is a small helper tool that generates a kubeconfig snippet with user credentials to authenticate to Kubernetes via OpenID Connect tokens, using Cloud Foundry UAA as the Identity Provider.

Given a username and password registered at a UAA server, the tool outputs the `kubectl` configuration you can add to your `~/.kube/config`:
```yaml
# Add the following to your ~/.kube/config
users:
- name: <UAA Username>
  user:
    auth-provider:
      name: oidc
      config:
        idp-issuer-url: https://<UAA URL>
        client-id: cf
        client-secret: ""
        id-token: <REDACTED>
        refresh-token: <REDACTED>
```

The snippet carries bearer credentials: the `id-token` authenticates you to the API server until it expires and the `refresh-token` obtains new ones, so protect `~/.kube/config` like a password (mode 0600) and never commit it. `client-secret` is empty because the default `cf` client has no secret.
Using the standard `go install` (you must have Go installed on your local machine):

```
$ go install github.com/frodenas/uaa-k8s-oidc-helper
```

To run the helper inside a Docker container, run:

```
$ docker run --rm frodenas/uaa-k8s-oidc-helper <flags>
```

Usage:

```
$ uaa-k8s-oidc-helper <flags>
```
| Flag | Required | Default | Description |
|---|---|---|---|
| `uaa.url` | Yes | | UAA URL |
| `uaa.username` | Yes | | UAA Username to generate credentials for |
| `uaa.password` | Yes | | UAA Password to generate credentials for |
| `uaa.client_id` | No | `cf` | UAA Client ID (must have an `openid` scope) |
| `uaa.client_secret` | No | | UAA Client Secret |
| `uaa.skip_ssl_verify` | No | `false` | Disable UAA SSL verification |

Two of these deserve care. `uaa.password` passed on the command line ends up in your shell history and is visible to anyone who can list processes on the machine, so clear it from history afterwards. `uaa.skip_ssl_verify` disables certificate verification entirely, which lets an on-path attacker read the password and the issued tokens; keep it off outside a lab.
Some steps are required to configure Kubernetes OpenID Connect to use Cloud Foundry UAA as the Identity Provider. Add the following flags to `kube-apiserver` to configure OpenID Connect:

```
--oidc-issuer-url=https://<UAA URL>/oauth/token \
--oidc-client-id=<Your client ID> \
```

Remember that `<Your client ID>` must have an `openid` scope. If you're using a UAA server deployed as part of a Cloud Foundry deployment, you can use the `cf` client ID. Note the `/oauth/token` suffix on the issuer URL: `kube-apiserver` accepts an ID token only if its `iss` claim equals `--oidc-issuer-url` exactly and its `aud` claim contains `--oidc-client-id`.

If the UAA server is using a self-signed certificate, also add the CA that signed the certificate:

```
--oidc-ca-file=<path to the CA file> \
```

If you're using a UAA server deployed as part of a Cloud Foundry deployment with self-signed certificates, remember that the certificate must explicitly cover the `uaa` hostname: a wildcard matches only one DNS label, so a certificate for `*.example.com` does NOT cover `uaa.system.example.com`, but one for `*.system.example.com` does.
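To make the relationship between the helper and the API server flags concrete, here is an added example in Go; it is not the project's own code. It assumes the helper obtains its tokens with the OAuth2 resource-owner password grant against UAA's `/oauth/token` endpoint using the `cf` client (the grant type is an assumption, the README does not state it), then decodes the returned ID token, without verifying its signature, to check that the `iss` and `aud` claims would satisfy the `--oidc-issuer-url` and `--oidc-client-id` values shown above. The claim names `iss`, `aud` and the `response_type=id_token` form parameter are standard OIDC/UAA; the function and type names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
)

type tokenResponse struct { // subset of UAA's /oauth/token reply that kubectl needs
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
}

// idClaims are what kube-apiserver compares with its flags: iss must equal
// --oidc-issuer-url exactly and aud must contain --oidc-client-id (UAA emits aud as an array).
type idClaims struct {
	Issuer   string   `json:"iss"`
	Audience []string `json:"aud"`
}

// fetchTokens runs the OAuth2 password grant (the flow assumed here) against <uaaURL>/oauth/token,
// sending client id and secret as HTTP Basic auth; the public cf client simply has an empty secret.
func fetchTokens(c *http.Client, uaaURL, clientID, clientSecret, user, pass string) (*tokenResponse, error) {
	form := url.Values{
		"grant_type":    {"password"},
		"username":      {user},
		"password":      {pass},
		"response_type": {"id_token"}, // ask for an ID token, not only an access token
		"scope":         {"openid"},
	}
	req, err := http.NewRequest(http.MethodPost, strings.TrimSuffix(uaaURL, "/")+"/oauth/token", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("UAA returned HTTP %d from /oauth/token", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	if tr.IDToken == "" {
		return nil, fmt.Errorf("reply has no id_token: does client %q have the openid scope?", clientID)
	}
	return &tr, nil
}

// checkIDToken decodes the JWT payload WITHOUT verifying the signature, which is acceptable
// only because we inspect our own freshly issued token; kube-apiserver does the real validation.
// It reports whether an API server started with these flag values would accept the token.
func checkIDToken(jwt, issuerURL, clientID string) (*idClaims, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	c := &idClaims{}
	if err := json.Unmarshal(payload, c); err != nil {
		return nil, err
	}
	if c.Issuer != issuerURL {
		return c, fmt.Errorf("iss %q != --oidc-issuer-url %q", c.Issuer, issuerURL)
	}
	for _, a := range c.Audience {
		if a == clientID {
			return c, nil
		}
	}
	return c, fmt.Errorf("aud %v lacks --oidc-client-id %q", c.Audience, clientID)
}

func main() {
	if len(os.Args) != 4 {
		log.Fatalf("usage: %s <UAA URL> <username> <password>", os.Args[0])
	}
	tr, err := fetchTokens(http.DefaultClient, os.Args[1], "cf", "", os.Args[2], os.Args[3])
	if err != nil {
		log.Fatal(err)
	}
	// UAA's iss ends in /oauth/token, hence that suffix on the README's --oidc-issuer-url.
	if _, err := checkIDToken(tr.IDToken, strings.TrimSuffix(os.Args[1], "/")+"/oauth/token", "cf"); err != nil {
		log.Println("warning:", err)
	}
	fmt.Printf("id-token: %s\nrefresh-token: %s\n", tr.IDToken, tr.RefreshToken) // bearer credentials: treat like a password
}
```

`http.DefaultClient` verifies the server certificate; the real tool's `uaa.skip_ssl_verify` corresponds to setting `InsecureSkipVerify` on the transport, which is exactly what you do not want when the request body is a password. The warning path shows why a bare `https://<UAA URL>` in `--oidc-issuer-url` fails: the API server compares the string to the token's `iss` claim and rejects anything but an exact match.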
Also remember to authorize users to make requests to the API server:

- If you are using the ABAC authorization method, you can include all `system:authenticated` users in your authorization policy file:

  ```json
  {
    "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
    "kind": "Policy",
    "spec": {
      "user": "*",
      "group": "system:authenticated",
      "apiGroup": "*",
      "namespace": "*",
      "resource": "*",
      "nonResourcePath": "*",
      "readonly": true
    }
  }
  ```

  Note how broad this is: `"resource": "*"` with `"readonly": true` lets every authenticated UAA user `get`, `list` and `watch` every resource in every namespace, Secrets included. Narrow `resource` or `namespace` unless that is really intended.

- If you are using the RBAC authorization method, you must create a `Role` (and/or `ClusterRole`) and a `RoleBinding` (and/or `ClusterRoleBinding`). The `User` subject in the binding must match the name `kube-apiserver` derives from the ID token, which is the `sub` claim unless `--oidc-username-claim` selects another one; prefer a namespaced `RoleBinding` over a `ClusterRoleBinding` unless cluster-wide access is intended.
Please refer to the Kubernetes authorization documentation for more details.
No special configuration is required for UAA. Only a client ID with an `openid` scope must be created.
At the time of writing, the current UAA v45 release does not conform to the OIDC specification. This helper tool has been tested with UAA v46 (not yet released).
Refer to the contributing guidelines.
Apache License 2.0, see LICENSE.
This tool was heavily inspired by k8s-oidc-helper.