From 447e060872b6e5302ffa1babe5cc9ec9e55aaee7 Mon Sep 17 00:00:00 2001
From: Daniel Bravo <dbravo@vmware.com>
Date: Wed, 4 May 2022 11:29:25 -0500
Subject: [PATCH] Add changeset and docs for kubernetes oidcTokenProvider
 feature

Signed-off-by: Daniel Bravo <dbravo@vmware.com>
---
 .changeset/fluffy-sloths-deliver.md       | 10 ++++++++
 docs/features/kubernetes/configuration.md | 29 +++++++++++++++++++++++
 plugins/kubernetes-backend/api-report.md  |  1 +
 plugins/kubernetes-common/api-report.md   |  6 ++++-
 plugins/kubernetes/api-report.md          |  9 ++++++-
 5 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/fluffy-sloths-deliver.md

diff --git a/.changeset/fluffy-sloths-deliver.md b/.changeset/fluffy-sloths-deliver.md
new file mode 100644
index 0000000000..ba4e6e4fe5
--- /dev/null
+++ b/.changeset/fluffy-sloths-deliver.md
@@ -0,0 +1,10 @@
+---
+'@backstage/plugin-kubernetes': patch
+'@backstage/plugin-kubernetes-backend': patch
+'@backstage/plugin-kubernetes-common': patch
+---
+
+Add support for 'oidc' as authProvider for kubernetes authentication
+and adds optional 'oidcTokenProvider' config value. This will allow
+users to authenticate to kubernetes cluster using id tokens obtained
+from the configured auth provider in their backstage instance.
diff --git a/docs/features/kubernetes/configuration.md b/docs/features/kubernetes/configuration.md
index 5b60316fd0..3b8fef453a 100644
--- a/docs/features/kubernetes/configuration.md
+++ b/docs/features/kubernetes/configuration.md
@@ -92,6 +92,8 @@ cluster. Valid values are:
 | `aws`                  | This will use AWS credentials to access resources in EKS clusters                                                                                                                                                                 |
 | `googleServiceAccount` | This will use the Google Cloud service account credentials to access resources in clusters                                                                                                                                        |
 | `azure`                | This will use [Azure Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) to access resources in clusters                                                               |
+| `oidc`                    | This will use [Oidc Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) to authenticate to the Kubernetes API. When this is used the `oidcTokenProvider`                       |
+| field should also be set. |
 
 ##### `clusters.\*.skipTLSVerify`
 
@@ -115,6 +117,33 @@ kubectl -n <NAMESPACE> get secret $(kubectl -n <NAMESPACE> get sa <SERVICE_ACCOU
 | base64 --decode
 ```
 
+##### `clusters.\*.oidcTokenProvider` (optional)
+
+This field is to be used when using the `oidc` auth provider. It will use the id tokens
+from a configured [backstage auth provider](https://backstage.io/docs/auth/) to
+authenticate to the cluster. The selected `oidcTokenProvider` needs to be properly
+configured under `auth` for this to work.
+
+```yaml
+kubernetes:
+  clusterLocatorMethods:
+    - type: 'config'
+      clusters:
+        - name: test-cluster
+          url: http://localhost:8080
+          authProvider: oidc
+          oidcTokenProvider: okta # This value needs to match a config under auth.providers
+auth:
+  providers:
+    okta:
+      development:
+        clientId: ${AUTH_OKTA_CLIENT_ID}
+        clientSecret: ${AUTH_OKTA_CLIENT_SECRET}
+        audience: ${AUTH_OKTA_AUDIENCE}
+```
+
+The following values are supported out-of-the-box by the frontend: `google`, `microsoft`, `okta`, `onelogin`.
+
 ##### `clusters.\*.dashboardUrl` (optional)
 
 Specifies the link to the Kubernetes dashboard managing this cluster.
diff --git a/plugins/kubernetes-backend/api-report.md b/plugins/kubernetes-backend/api-report.md
index 03682807e2..1a24e6e1cc 100644
--- a/plugins/kubernetes-backend/api-report.md
+++ b/plugins/kubernetes-backend/api-report.md
@@ -41,6 +41,7 @@ export interface ClusterDetails {
   dashboardParameters?: JsonObject;
   dashboardUrl?: string;
   name: string;
+  oidcTokenProvider?: string | undefined;
   // (undocumented)
   serviceAccountToken?: string | undefined;
   skipMetricsLookup?: boolean;
diff --git a/plugins/kubernetes-common/api-report.md b/plugins/kubernetes-common/api-report.md
index 639c3f63c2..381d018b08 100644
--- a/plugins/kubernetes-common/api-report.md
+++ b/plugins/kubernetes-common/api-report.md
@@ -194,10 +194,14 @@ export interface KubernetesFetchError {
 export interface KubernetesRequestBody {
   // (undocumented)
   auth?: {
-    google?: string;
+    google: string;
   };
   // (undocumented)
   entity: Entity;
+  // (undocumented)
+  oidc?: {
+    [key: string]: string;
+  };
 }
 
 // Warning: (ae-missing-release-tag) "ObjectsByEntityResponse" is exported by the package, but it is missing a release tag (@alpha, @beta, @public, or @internal)
diff --git a/plugins/kubernetes/api-report.md b/plugins/kubernetes/api-report.md
index e8a3da83a9..99bee06165 100644
--- a/plugins/kubernetes/api-report.md
+++ b/plugins/kubernetes/api-report.md
@@ -17,6 +17,7 @@ import type { JsonObject } from '@backstage/types';
 import { KubernetesRequestBody } from '@backstage/plugin-kubernetes-common';
 import { OAuthApi } from '@backstage/core-plugin-api';
 import { ObjectsByEntityResponse } from '@backstage/plugin-kubernetes-common';
+import { OpenIdConnectApi } from '@backstage/core-plugin-api';
 import { default as React_2 } from 'react';
 import { RouteRef } from '@backstage/core-plugin-api';
 import { V1ConfigMap } from '@kubernetes/client-node';
@@ -225,6 +226,7 @@ export interface KubernetesApi {
     {
       name: string;
       authProvider: string;
+      oidcTokenProvider?: string | undefined;
     }[]
   >;
   // (undocumented)
@@ -242,7 +244,12 @@ export const kubernetesApiRef: ApiRef<KubernetesApi>;
 //
 // @public (undocumented)
 export class KubernetesAuthProviders implements KubernetesAuthProvidersApi {
-  constructor(options: { googleAuthApi: OAuthApi });
+  constructor(options: {
+    googleAuthApi: OAuthApi;
+    oidcProviders?: {
+      [key: string]: OpenIdConnectApi;
+    };
+  });
   // (undocumented)
   decorateRequestBodyForAuth(
     authProvider: string,