Skip to main content

Using vCluster Platform as OIDC Provider

vCluster Platform can act as an OpenID Connect provider for other services, e.g. a self-hosted container registry using Harbor.

Configuring vCluster Platform as an OIDC Provider​

To tell vCluster Platform to act as OIDC provider, navigate to Admin > Config and add the oidc section to your config:

auth: ...
oidc:
  enabled: true
  clients:
    - name: "Example Client"
      clientId: "loft"
      clientSecret: "MYCLIENTSECRET"
      redirectURIs:
        - http://my-allowed-redirect-uri
# - ADD A 2nd OIDC CLIENT HERE
# - ADD A 3rd OIDC CLIENT HERE

Adding OIDC Clients to vCluster Platform OIDC Using Secrets​

You can add OIDC clients to vCluster Platform using Kubernetes secrets. These secrets should contain the string fields name, clientID, clientSecret, and redirectURIs. Multiple redirect URIs should be delimitted by \n. vCluster Platform will only recognize an OIDC client secret if they posses the labels clientID and component. The value for clientID should match the clientID field's value and the value for component should be oidcServer. Here is an example of a yaml manifest that can be used to manage an OIDC client for vCluster Platform's OIDC provider:

apiVersion: v1
kind: Secret
metadata:
  name: test-oidc-client
  namespace: vcluster-platform # Namespace where vCluster Platform is installed
  labels:
    clientID: loft2
    component: oidcServer
type: Opaque
stringData:
  name: "Example Client"
  clientID: "loft2"
  clientSecret: "MYCLIENTSECRET"
  redirectURIs: http://my-allowed-redirect-uri\nhttp://my-allowed-redirect-uri2 # delimit multiple uris with newlines

Using vCluster OIDC Provider in Other Applications​

To configure vCluster Platform as an OIDC provider somewhere else, you can fill out the following fields with:

  • OIDC Provider Endpoint / Issuer: https://vcluster-platform.mycompany.tld/oidc
  • OIDC Client ID: loft
  • OIDC Client Secret: MYCLIENTSECRET
  • Group Claim Name: groups
  • Available OIDC Scopes: offline_access,openid,groups,email,profile

With this configuration, your vCluster Platform users will be able to authenticate in another application using their vCluster Platform account (which may itself be based on another SSO provider).