Accessing using OpenID Connect
Headlamp supports OIDC for cluster users to effortlessly log in using a "Sign in" button.
For OIDC to be used, Headlamp needs to know how to configure it, so you have to provide the different OIDC-related arguments to Headlamp from your OIDC provider. Those are:
- the client ID:
-oidc-client-id
or env varHEADLAMP_CONFIG_OIDC_CLIENT_ID
- the client secret:
-oidc-client-secret
or env varHEADLAMP_CONFIG_OIDC_CLIENT_SECRET
- the issuer URL:
-oidc-idp-issuer-url
or env varHEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL
- (optionally) the OpenId scopes:
-oidc-scopes
or env varHEADLAMP_CONFIG_OIDC_SCOPES
and you have to tell the OIDC provider about the callback URL, which in Headlamp it is your URL + the /oidc-callback
path, e.g.:
https://YOUR_URL/oidc-callback
.
Scopes
Besides the mandatory openid scope, Headlamp also requests the optional
profile and email
scopes.
Scopes can be overridden by using the -oidc-scopes
option. Remember to
include the default ones if you need them when using that option.
For example, if you need to keep the default scopes and add Github's repo
,
then add them all to the option:
-oidc-scopes=profile,email,repo
Note: Before Headlamp 0.3.0, a scope groups was also included, as it's used by Dex and other services, but since it's not part of the default spec, it was removed in the mentioned version.
Example: OIDC with Keycloak in Minikube
If you are interested in a comprehensive example of using OIDC and Headlamp, you can check the tutorial on setting up OIDC with Keycloack in Minikube.
Example: OIDC with Dex
If you are using Dex and want to configure Headlamp to use it for OIDC, then you have to:
- Add the callback URL (e.g.
https://YOUR_URL/oidc-callback
) to Dex'sstaticClient.redirectURIs
- Set
-oidc-client-id
as Dex'sstaticClient.id
- Set
-oidc-client-secret
as Dex'sstaticClient.secret
- Set
-oidc-idp-issuer-url
as Dex's URL (same as in--oidc-issuer-url
in the Kubernetes APIServer) - Set
-oidc-scopes
if needed, e.g.-oidc-scopes=profile,email,groups
Note If you already have another static client configured for Kubernetes to be used by the apiserver's OIDC (OpenID Connect) configuration, it is important to ensure that a single static client ID i.e -oidc-client-id
is used for both Dex and Headlamp. Additionally, the redirectURIs need to be specified for each client.