In correlation with the end of life (EOL) for MKE 3.3.x, maintenance of this documentation set was discontinued as of 2022-MAY-27. Click here for the latest MKE 3.x version documentation.

Enable OIDC authentication

Warning

The OIDC authentication feature was part of the MKE 3.4.1 release which is no longer available. The feature will be reintroduced in a future MKE release. This documentation topic remains available for customers who downloaded MKE 3.4.1 prior to its discontinuation.

Mirantis strongly recommends that customers who deployed MKE 3.4.1 upgrade to MKE 3.4.2.

With OpenID Connect (OIDC), clients can (1) authenticate the identity of end users by way of an authorization server, and (2) obtain basic end user profile information.

Access the MKE API

You can use OIDC ID tokens in the “Authorization” header to access the API.

Access Kubernetes

  1. Create a service in eNZi using POST /enzi/v0/accounts/<username>/services/, which results in the creation of the serviceID and serviceSecret service components (client-id and client-secret, according to standard OIDC terminology).

    Note

    In the context of MKE, the client is a service that the user creates.

    Warning

    Be sure to note the client-secret, as it is only revealed at service creation.

  2. Set the OIDC client ID in the Kubernetes configuration to the enzi service ID using the oidc_client_id parameter with the serviceID value in PUT /api/ucp/config-toml.

  3. (Optional) Configure kubectl to use OIDC:

    kubectl config set-credentials <username> \
            --auth-provider=oidc \
            --auth-provider-arg=idp-issuer-url=<url_from_enzi_config> \
            --auth-provider-arg=client-id=<serviceID> \
            --auth-provider-arg=client-secret=<serviceSecret> \
            --auth-provider-arg=refresh-token=<enzi_username_or_userid> \
            --auth-provider-arg=idp-certificate-authority=</path/to/ca.pem>
    

    Note

    • It is not necessary to specify the id-token, as kubectl automatically obtains it from eNZi using the refresh-token.

    • idp-issuer-url is in the eNZi config. It must be the same value as the issueIdentifier (use GET /enzi/v0/config/openid to confirm).

See also

Kubernetes