Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace insecure-oidc flag with the manual oidc config #2893

Merged
merged 3 commits into from
May 27, 2021
Merged

Replace insecure-oidc flag with the manual oidc config #2893

merged 3 commits into from
May 27, 2021

Conversation

antgamdia
Copy link
Contributor

Description of the change

For long time, we have been relying on the oidc autodiscovery feature, which is great. However, there are scenarios where it is not possible -the CSP case- . So, this PR is to stop recommending using --insecure-oidc-skip-issuer-verification in favor of a manual configuration, as follows:

   - --skip-oidc-discovery=true
   - --oidc-issuer-url=https://gaz.csp-vidm-prod.com
   - --login-url=https://console.cloud.vmware.com/csp/gateway/discovery
   - --redeem-url=https://console.cloud.vmware.com/csp/gateway/am/api/auth/token
   - --oidc-jwks-url=https://console.cloud.vmware.com/csp/gateway/am/api/auth/token-public-key?format=jwks

Instead of:

    - --insecure-oidc-skip-issuer-verification=true
    - --oidc-issuer-url=hhttps://console.cloud.vmware.com/csp/gateway/am/api

Benefits

No more "insecure" recommendations in our guides.

Possible drawbacks

A bit more lengthy, but it's necessary.

Applicable issues

Additional information

I've also replaced the stating endpoints with the production ones. This way we have consistent docs in case of a user of the step-by-step wants to dig into the rest of the docs.

@antgamdia antgamdia added this to In progress in Kubeapps via automation May 26, 2021
@antgamdia antgamdia moved this from In progress to Waiting For Review in Kubeapps May 26, 2021
@antgamdia antgamdia self-assigned this May 26, 2021
absoludity
absoludity approved these changes May 27, 2021
View reviewed changes
Copy link
Contributor

@absoludity absoludity left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, thanks Antonio. Couple of small copy-n-paste issues, but otherwise, great improvement (very happy to no longer recommend the ignore-insecure flag).

docs/user/using-an-OIDC-provider.md Outdated Show resolved Hide resolved
docs/user/using-an-OIDC-provider.md Outdated Show resolved Hide resolved
antgamdia and others added 2 commits May 27, 2021 09:42
@antgamdia @absoludity
Update docs/user/using-an-OIDC-provider.md
0d5d65d 
Co-authored-by: Michael Nelson <absoludity@gmail.com>
@antgamdia @absoludity
Update docs/user/using-an-OIDC-provider.md
6de21f5 
Co-authored-by: Michael Nelson <absoludity@gmail.com>
@antgamdia antgamdia merged commit 60670fa into vmware-tanzu:master May 27, 2021
Kubeapps automation moved this from Waiting For Review to Done May 27, 2021
@antgamdia antgamdia deleted the oidc-docs-remove-insecure branch May 27, 2021 08:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@absoludity absoludity absoludity approved these changes

Assignees

@antgamdia antgamdia

Labels
None yet
Projects
No open projects
Kubeapps
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@antgamdia @absoludity