Enable OIDC authentication
Warning
The OIDC authentication feature was part of the MKE 3.4.1 release which is no longer available. The feature will be reintroduced in a future MKE release. This documentation topic remains available for customers who downloaded MKE 3.4.1 prior to its discontinuation.
Mirantis strongly recommends that customers who deployed MKE 3.4.1 upgrade to MKE 3.4.2.
With OpenID Connect (OIDC), clients can (1) authenticate the identity of end users by way of an authorization server, and (2) obtain basic end user profile information.
Access the MKE API
You can use OIDC ID tokens in the “Authorization” header to access the API.
Access Kubernetes
Create a service in eNZi using
POST /enzi/v0/accounts/<username>/services/, which results in the creation of theserviceIDandserviceSecretservice components (client-idandclient-secret, according to standard OIDC terminology).Note
In the context of MKE, the client is a service that the user creates.
Warning
Be sure to note the
client-secret, as it is only revealed at service creation.Set the OIDC client ID in the Kubernetes configuration to the enzi service ID using the
oidc_client_idparameter with theserviceIDvalue inPUT /api/ucp/config-toml.(Optional) Configure
kubectlto use OIDC:kubectl config set-credentials <username> \ --auth-provider=oidc \ --auth-provider-arg=idp-issuer-url=<url_from_enzi_config> \ --auth-provider-arg=client-id=<serviceID> \ --auth-provider-arg=client-secret=<serviceSecret> \ --auth-provider-arg=refresh-token=<enzi_username_or_userid> \ --auth-provider-arg=idp-certificate-authority=</path/to/ca.pem>
Note
It is not necessary to specify the
id-token, askubectlautomatically obtains it from eNZi using therefresh-token.idp-issuer-urlis in the eNZi config. It must be the same value as theissueIdentifier(useGET /enzi/v0/config/openidto confirm).
See also