
OpenID Connect (OIDC) authentication support #3306

Open
bzub opened this issue Mar 15, 2021 · 7 comments

Comments

@bzub
Contributor

bzub commented Mar 15, 2021

Feature Request

Description

We use oidc to map LDAP/Active directory users/groups to RBAC resources for kubernetes auth.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

Would be nice if we could do the same for Talos API, even if it's not as granular as RBAC (admin only).

@Ulexus
Contributor

Ulexus commented May 1, 2021

This should probably plug into dex, rather than building it out ourselves.

@devopstales

Hi @Ulexus. I think you misunderstand this ticket. The kubernetes api-server has an ability to authenticate users not just with certificates but with JWT tokens. This token is generated by an OpenID authentication provider (the authentication provider can be Dex, keycloak .. etc). To do the authentication the kubernetes api-server needs a configuration to know where the authentication provider is and how to use it. This ticket is about that configuration, and it is valid because at the moment there is no option in talos to add this kind of configuration, or it is just not documented.

@Ulexus
Contributor

Ulexus commented Apr 11, 2022

@devopstales Is there something lacking right now? You can pass all of the OIDC configuration options to kube-apiserver via extraArgs: https://www.talos.dev/v1.0/reference/configuration/#apiserverconfig

@kingdonb

Just to follow up, I think this issue could maybe use some elaboration in the docs, but the standard I needed talos to live up to, it's meeting and exceeding (extraArgs in the apiServer block are processed and the docs show it is possible).

The link moved here:
https://www.talos.dev/v1.6/reference/configuration/v1alpha1/config/#Config.cluster.apiServer

I was able to bring my Dex install from a config that I brought over from Weave GitOps Enterprise (for Dex, upstream) - hosted outside of the new Talos cluster - and connect Dex as an auth source with the Talos Kubernetes ApiServer, no unexpected issues.

NB only that this is apiServer.extraArgs, which has no stub in the default machine config, not kubelet.extraArgs, which does have a stub. IDK if a missing stub in the default machine config is a bug, I wouldn't think so; anyway it is in the docs.

I made this error while I was fumbling through my first talos machine config edit, then the kubelet failed to launch on reboot, but it was recoverable by editing the machine configuration again, and putting extraArgs in the apiServer section where it goes. (Thanks for mentioning it here! I think you're right, this is a fine and supported config, maybe under-documented.)
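The configuration the two comments above describe, as an added example that is not from this thread or the Talos project: the kube-apiserver OIDC flags go under cluster.apiServer.extraArgs (not machine.kubelet.extraArgs), and a ClusterRoleBinding then maps an IdP group onto RBAC. The issuer URL, client ID, claim names and group name are placeholders.

```yaml
# Added example (not Talos project code). Machine config patch for the
# control-plane nodes: kube-apiserver OIDC flags as extraArgs, keys are the
# flag names without the leading "--".
cluster:
  apiServer:
    extraArgs:
      # Placeholder issuer; must serve /.well-known/openid-configuration over TLS
      oidc-issuer-url: "https://dex.example.internal"
      # Placeholder client ID; tokens whose "aud" does not match are rejected
      oidc-client-id: "kubernetes"
      # Claim used as the Kubernetes username, prefixed so it cannot collide
      # with built-in users such as "system:..." identities
      oidc-username-claim: "email"
      oidc-username-prefix: "oidc:"
      # Claim carrying IdP groups (e.g. LDAP/AD groups surfaced by the IdP)
      oidc-groups-claim: "groups"
      oidc-groups-prefix: "oidc:"
# NOTE: do NOT put these under machine.kubelet.extraArgs; the kubelet does not
# know these flags and will fail to start, as described in the comment above.
---
# Kubernetes RBAC: grant cluster-admin to one IdP group only. The subject name
# carries the configured groups prefix. "platform-admins" is a placeholder.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-platform-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "oidc:platform-admins"
```

The first document is applied to the control-plane machine config (for example with `talosctl patch machineconfig`); the second is applied to the cluster with kubectl once the API server has restarted with the new flags.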


This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions bot added the Stale label Aug 18, 2024
@kingdonb

I think the original poster was asking to authenticate admin users of the Talos API with OIDC, not Kubernetes API. I arrived here looking for docs about the latter, didn't read the report correctly, anyway those are two separate things - you can configure the Kubernetes API to accept OIDC auth, but is there similar for Talos API? I don't think so. (Could there be?)

Maybe it's already possible to add OIDC to the Omni server, not sure if that would moot the issue or not.

@github-actions github-actions bot removed the Stale label Aug 19, 2024
@wrmedford

I've started implementing this in some other projects (ArgoCD example here which also uses Dex). I also work at Pomerium, so I'm looking at whether it would make sense to pair us as an extension to Talos similar to how there's one for Tailscale, that way you could offload OIDC for both Talos and Kubernetes to a proxy that would either run on host or externally. Would help with cold start security posture, as well as keeping secrets out of disk images, as you can bake in JWKS configs without any of it being secret.

Would be happy to pick up this issue if I could just get a hand getting oriented to the project!
