[kubernetes/kubernetes-backend plugins] generic OIDC auth provider

[jamieklassen]

Feature Suggestion

Let's generalize the google auth provider to work with any OIDC server!

Possible Implementation

Values-file structure

What I can imagine is an app-config a bit like

auth:
  providers:
    gitlab:
      # ... gitlab config
kubernetes:
  clusterLocatorMethods:
  - type: config
    clusters:
      - name: <cluster name>
        url: <apiserver URL>
        authProvider: gitlab

here I'd like the clusters entry could be smart enough to allow any of the existing OIDC-compatible providers (like auth0, gitlab, etc) to be specified.

Overlap with google (i.e. GKE) implementation today

Unfortunately this will collide with the existing google auth provider, which is really intended for GKE only and uses an access token instead of an ID token. If you were to configure your k8s apiserver to treat accounts.google.com as an issuer, the cluster would actually validate your identity based on your ID token, not your access token.

I can see two options at this point:

• create a special case for "google as a generic OIDC issuer independent of GKE", like google-oidc
• rename the google auth provider to something arguably more descriptive, like gke.

User Experience

When you open the kubernetes tab for a service, you get the login popup; you click the log in button for the configured auth provider, finish up the OAuth2 authorization flow (just like with the existing Google auth provider), and then you see your k8s objects (or not if you're not authorized)!

Context

The kubernetes apiserver generally supports authenticating users via an OIDC token; for a specific example, try an AWS EKS cluster with an associated OIDC identity provider. It would be useful if, on demand, Backstage would negotiate credentials with an OIDC server on the user's behalf, and use those credentials to fetch kubernetes objects with the user's own identity.