Attention: Deprecation notice for Bintray, JCenter, GoCenter and ChartCenter. Learn More

stable/kuberos

Chart version: 0.2.3
Api version: v1
App version: 2018-07-03
DEPRECATED - An OIDC authentication helper for Kubernetes
application
Chart Type
DEPRECATED
Status
Unknown
License
2110
Downloads
https://charts.helm.sh/stable
Set me up:
helm repo add center https://repo.chartcenter.io
Install Chart:
helm install kuberos center/stable/kuberos
Versions (0)

⚠️ Repo Archive Notice

As of Nov 13, 2020, charts in this repo will no longer be updated. For more information, see the Helm Charts Deprecation and Archive Notice, and Update.

Kuberos OIDC Helper

This is a config snippet generator for a k8s cluster

DEPRECATION NOTICE

This chart is deprecated and no longer supported.

TL;DR;

Sorry you will need to look at the configuration values below for this one.

$ helm install incubator/kuberos -f custom-values.yaml

Warning

The config snippets that are generated from this chart include OIDC connection details in clear text. These include content that would normally be in secrets.

Introduction

This chart deploys the kuberos code snippet generator for clusters using both * OIDC - OpenID Connect, an authentication layer on top of OAuth 2.0 * RBAC - Role Based Access Controls (in your k8s cluster)

It provides a quick and easy way for an authenticated user to generate and download config for kubectl.

This work is inspired from step 7 of the work @noqcks did using other tooling.

Prerequisites

  • Kubernetes 1.8+ with RBAC enabled
  • An OIDC provider eg G Suite
  • RBAC on your cluster configured to use OIDC

Configuration

The following table lists the configurable parameters of the kuberos chart

Config params which probably need changing

These ones will be site specific and may contain sensitive information

Parameter Description Default
kuberos App Specific config options See below
oidcClientURL URL of OIDC provider endpoint https://accounts.google.com
oidcClientID Your unique client ID REDACTED.apps.googleusercontent.com
oidcSecret The password for the Client ID above. Junk See Provider below
clusters List of clusters to generate config for See below
name The friendly name of the cluster dev-cluster
apiServer The endpoint for kubectl to use 'https://api.dev-cluster.example.com
caCrt The Public CA cert for the cluster See values.yaml
ingress A standard ingress block See below
enabled Enables or Disables the ingress block false
annotations Ingress annotations {}
hosts List of FQDN’s the be browsed to Not Set
tls List of SSL certs to use Empty list
secretName Name of the secret to use Not Set
hosts List of FQDN’s the above secret is associated with Not Set
service A standard service block See below
type Service type ClusterIP
port Service port 80
annotations Service annotations {}

Other Config params can be left alone

In some conditions you might want to set image.tag to latest and then image.pullPolicy to Always this is generally advised against for stability reasons.

In general config params not listed above can be ignored / left alone. The rest of the params are standard enough the google and other charts will be better at explaining them than me

OIDC (Provider) Setup

You will need to obtain the OIDC details of the provider you need to use. This will contain the Issuer URL, Client ID and the Client Secret. In the case of Google (The provider which was used when initially creating this) go to the Developer / Credentials console. You will need to add the ingress url to both * Authorised JavaScript origins - https://kuberos.example.com * Authorised redirect URIs - https://kuberos.example.com/ui

If you used kops the credentials you’re after are

apiVersion: kops/v1alpha2
kind: Cluster
  authorization:
    rbac: {}
  kubeAPIServer:
    authorizationRbacSuperUser: admin
    oidcClientID: UNIQUE_ID_REDACTED.apps.googleusercontent.com
    oidcIssuerURL: https://accounts.google.com
    oidcUsernameClaim: email

For G Suite : The redacted part of a ClientID is about 45 alphanumeric characters long (may also contain a hyphen or two) The client secret will be about 25 alphanumeric chacters (may also contain a hyphen or two)