Allow configuring karmada-apiserver OIDC via Helm

karmada-io/karmada#6144 Signed-off-by: Matt Newman <mnewman@thoughtworks.com>
2025-02-24 14:05:13 -06:00 · 2025-02-24 14:05:13 -06:00 · 98aa22ce29
parent 006cf70132
commit 98aa22ce29
2 changed files with 40 additions and 0 deletions
--- a/charts/karmada/templates/karmada-apiserver.yaml
+++ b/charts/karmada/templates/karmada-apiserver.yaml
@ -73,6 +73,35 @@ spec:
            - --max-requests-inflight={{ .Values.apiServer.maxRequestsInflight }}
            - --max-mutating-requests-inflight={{ .Values.apiServer.maxMutatingRequestsInflight }}
            - --tls-min-version=VersionTLS13
+            {{- with .Values.apiServer.oidc }}
+            {{- if .caFile }}
+            - --oidc-ca-file={{ .caFile }}
+            {{- end }}
+            {{- if .clientId }}
+            - --oidc-client-id={{ .clientId }}
+            {{- end }}
+            {{- if .groupsClaim }}
+            - --oidc-groups-claim={{ .groupsClaim }}
+            {{- end }}
+            {{- if .groupsPrefix }}
+            - --oidc-groups-prefix={{ .groupsPrefix }}
+            {{- end }}
+            {{- if .issuerUrl }}
+            - --oidc-issuer-url={{ .issuerUrl }}
+            {{- end }}
+            {{- if .requiredClaim }}
+            - --oidc-required-claim={{ .requiredClaim }}
+            {{- end }}
+            {{- if .signingAlgs }}
+            - --oidc-signing-algs={{ .signingAlgs }}
+            {{- end }}
+            {{- if .usernameClaim }}
+            - --oidc-username-claim={{ .usernameClaim }}
+            {{- end }}
+            {{- if .usernamePrefix }}
+            - --oidc-username-prefix={{ .usernamePrefix }}
+            {{- end }}
+            {{- end }}
          ports:
            - name: http
              containerPort: 5443
--- a/charts/karmada/values.yaml
+++ b/charts/karmada/values.yaml
@ -443,6 +443,17 @@ apiServer:
  podDisruptionBudget: *podDisruptionBudget
  ## @param apiServer.priorityClassName the priority class name for the karmada-apiserver
  priorityClassName: "system-node-critical"
+  oidc:
+    caFile: ""
+    clientId: ""
+    groupsClaim: ""
+    groupsPrefix: ""
+    issuerUrl: ""
+    # @param apiServer.oidc.requiredClaim comma separated 'key=value' pairs that describe required claims in the ID token
+    requiredClaim: ""
+    signingAlgs: ""
+    usernameClaim: ""
+    usernamePrefix: ""

 ## karmada aggregated apiserver config
 aggregatedApiServer: