From 98aa22ce29ee69eca63347930cd3a2e92f2f79ba Mon Sep 17 00:00:00 2001
From: Matt Newman
Date: Mon, 24 Feb 2025 14:05:13 -0600
Subject: [PATCH] Allow configuring karmada-apiserver OIDC via Helm karmada-io/karmada#6144
Signed-off-by: Matt Newman
---
 .../karmada/templates/karmada-apiserver.yaml | 29 +++++++++++++++++++
 charts/karmada/values.yaml | 11 +++++++
 2 files changed, 40 insertions(+)
diff --git a/charts/karmada/templates/karmada-apiserver.yaml b/charts/karmada/templates/karmada-apiserver.yaml
index 151211770..82c3a69ef 100644
--- a/charts/karmada/templates/karmada-apiserver.yaml
+++ b/charts/karmada/templates/karmada-apiserver.yaml
@@ -73,6 +73,35 @@ spec:
 - --max-requests-inflight={{ .Values.apiServer.maxRequestsInflight }}
 - --max-mutating-requests-inflight={{ .Values.apiServer.maxMutatingRequestsInflight }}
 - --tls-min-version=VersionTLS13
+ {{- with .Values.apiServer.oidc }}
+ {{- if .caFile }}
+ - --oidc-ca-file={{ .caFile }}
+ {{- end }}
+ {{- if .clientId }}
+ - --oidc-client-id={{ .clientId }}
+ {{- end }}
+ {{- if .groupsClaim }}
+ - --oidc-groups-claim={{ .groupsClaim }}
+ {{- end }}
+ {{- if .groupsPrefix }}
+ - --oidc-groups-prefix={{ .groupsPrefix }}
+ {{- end }}
+ {{- if .issuerUrl }}
+ - --oidc-issuer-url={{ .issuerUrl }}
+ {{- end }}
+ {{- if .requiredClaim }}
+ - --oidc-required-claim={{ .requiredClaim }}
+ {{- end }}
+ {{- if .signingAlgs }}
+ - --oidc-signing-algs={{ .signingAlgs }}
+ {{- end }}
+ {{- if .usernameClaim }}
+ - --oidc-username-claim={{ .usernameClaim }}
+ {{- end }}
+ {{- if .usernamePrefix }}
+ - --oidc-username-prefix={{ .usernamePrefix }}
+ {{- end }}
+ {{- end }}
 ports:
 - name: http
 containerPort: 5443
diff --git a/charts/karmada/values.yaml b/charts/karmada/values.yaml
index 810aac68d..891fd9d73 100644
--- a/charts/karmada/values.yaml
+++ b/charts/karmada/values.yaml
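Review bot: The nine added arguments in charts/karmada/templates/karmada-apiserver.yaml are rendered unquoted, so a value that ends in a colon, such as the commonly used `oidc:` for `usernamePrefix` or `groupsPrefix`, turns the list item into a YAML mapping and the Deployment no longer validates; render each one as a quoted scalar, e.g. `- "--oidc-username-prefix={{ .usernamePrefix }}"`. Each flag is also emitted independently, so setting `issuerUrl` without `clientId` (or the reverse) produces a partial OIDC configuration that the apiserver is expected to reject at startup; a `fail`/`required` guard inside the `with` block would surface that at `helm template` time instead. `caFile` is passed through as a container path and the hunk adds no volume or mount, so the file presumably has to sit under a path the pod already mounts, which is worth stating in the values documentation. The args list continues outside the hunk.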
@@ -443,6 +443,17 @@ apiServer:
 podDisruptionBudget: *podDisruptionBudget
 ## @param apiServer.priorityClassName the priority class name for the karmada-apiserver
 priorityClassName: "system-node-critical"
+ oidc:
+ caFile: ""
+ clientId: ""
+ groupsClaim: ""
+ groupsPrefix: ""
+ issuerUrl: ""
+ # @param apiServer.oidc.requiredClaim comma separated 'key=value' pairs that describe required claims in the ID token
+ requiredClaim: ""
+ signingAlgs: ""
+ usernameClaim: ""
+ usernamePrefix: ""
 ## karmada aggregated apiserver config
 aggregatedApiServer:
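Review bot: The comment on `requiredClaim` promises comma separated pairs, but the template passes the string through as a single `--oidc-required-claim` argument, and as far as I know kube-apiserver takes one `key=value` per occurrence of that flag and expects it to be repeated for several claims, so `a=b,c=d` would likely be read as one claim rather than two. Either reword it to `## @param apiServer.oidc.requiredClaim a single 'key=value' claim that must be present in the ID token`, or make the value a list and range over it in the template. The other eight keys have no `## @param` line, and this one uses a single `#` unlike `## @param apiServer.priorityClassName` just above; a line for each, saying that an empty value omits the flag so the apiserver's own default applies, would help operators who configure authentication from this file. The `apiServer` mapping starts and continues outside the hunk.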