Allow configuring karmada-apiserver OIDC via Helm

tw-mnewman · tw-mnewman · commit d6492f7f41ac · 2025-02-24T14:00:30.000-06:00
karmada-io#6144 Signed-off-by: Matt Newman <mnewman@thoughtworks.com>
diff --git a/charts/karmada/templates/karmada-apiserver.yaml b/charts/karmada/templates/karmada-apiserver.yaml
@@ -73,6 +73,35 @@ spec:
             - --max-requests-inflight={{ .Values.apiServer.maxRequestsInflight }}
             - --max-mutating-requests-inflight={{ .Values.apiServer.maxMutatingRequestsInflight }}
             - --tls-min-version=VersionTLS13
+            {{- with .Values.apiServer.oidc }}
+            {{- if .caFile }}
+            - --oidc-ca-file={{ .caFile }}
+            {{- end }}
+            {{- if .clientId }}
+            - --oidc-client-id={{ .clientId }}
+            {{- end }}
+            {{- if .groupsClaim }}
+            - --oidc-groups-claim={{ .groupsClaim }}
+            {{- end }}
+            {{- if .groupsPrefix }}
+            - --oidc-groups-prefix={{ .groupsPrefix }}
+            {{- end }}
+            {{- if .issuerUrl }}
+            - --oidc-issuer-url={{ .issuerUrl }}
+            {{- end }}
+            {{- if .requiredClaim }}
+            - --oidc-required-claim={{ .requiredClaim }}
+            {{- end }}
+            {{- if .signingAlgs }}
+            - --oidc-signing-algs={{ .signingAlgs }}
+            {{- end }}
+            {{- if .usernameClaim }}
+            - --oidc-username-claim={{ .usernameClaim }}
+            {{- end }}
+            {{- if .usernamePrefix }}
+            - --oidc-username-prefix={{ .usernamePrefix }}
+            {{- end }}
+            {{- end }}
           ports:
             - name: http
               containerPort: 5443
diff --git a/charts/karmada/values.yaml b/charts/karmada/values.yaml
@@ -443,6 +443,16 @@ apiServer:
   podDisruptionBudget: *podDisruptionBudget
   ## @param apiServer.priorityClassName the priority class name for the karmada-apiserver
   priorityClassName: "system-node-critical"
+  oidc:
+    caFile: ""
+    clientId: ""
+    groupsClaim: ""
+    groupsPrefix: ""
+    issuerUrl: ""
+    requiredClaim: "" # comma separated 'key=value' pairs
+    signingAlgs: ""
+    usernameClaim: ""
+    usernamePrefix: ""
 
 ## karmada aggregated apiserver config
 aggregatedApiServer:
