{% hint style="info" %} OIDC is only officially supported on Kubecost Enterprise plans. {% endhint %}

1. Create a new Keycloak Realm.
2. Navigate to Realm Settings > General > Endpoints > OpenID Endpoint Configuration > Clients.
3. Select Create to add Kubecost to the list of clients. Define a `clientID`. Ensure the Client Protocol is set to `openid-connect`.
4. Select your newly created client, then go to Settings.
   - Set Access Type to `confidential`.
   - Set Valid Redirect URIs to `http://YOUR_KUBECOST_ADDRESS/model/oidc/authorize`.
   - Set Base URL to `http://YOUR_KUBECOST_ADDRESS`.

The `.Values.oidc` for Keycloak should be as follows:

{% code overflow="wrap" %}
```yaml
oidc:
  enabled: true
  # This should be the same as the `clientID` set in step 3 above
  clientID: "YOUR_CLIENT_ID"
  # Find this in Keycloak UI by going to your Kubecost client, then clicking on "Credentials".
  clientSecret: "YOUR_CLIENT_SECRET"
  # The k8s secret where clientSecret will be stored
  secretName: "kubecost-oidc-secret"
  # The login endpoint for the auth server
  authURL: "http://YOUR_KEYCLOAK_ADDRESS/realms/YOUR_REALM_ID/protocol/openid-connect/auth?client_id=YOUR_CLIENT_ID&response_type=code"
  # Redirect after authentication
  loginRedirectURL: "http://YOUR_KUBECOST_ADDRESS/model/oidc/authorize"
  # Navigate to "Realm Settings" -> "General" -> "Endpoints" -> "OpenID Endpoint Configuration". Set to the discovery URL shown on this page.
  discoveryURL: "YOUR_DISCOVERY_URL"
```
{% endcode %}
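
A consistency check for the values above against the realm's discovery document, as an added example (not Kubecost's or Keycloak's own code). The hostnames, realm name and client ID are constructed, `check_oidc_values` is a hypothetical helper, and the HTTPS check is an added assumption about how the deployment should be exposed.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECT_PATH = "/model/oidc/authorize"  # callback path from the steps above

def check_oidc_values(oidc, discovery):
    """Compare Helm `oidc` values with the realm's discovery document.

    Returns a list of human-readable problems (empty when consistent).
    """
    problems = []
    auth = urlsplit(oidc["authURL"])
    query = parse_qs(auth.query)
    # authURL (minus its query string) must be the advertised endpoint.
    if f"{auth.scheme}://{auth.netloc}{auth.path}" != discovery["authorization_endpoint"]:
        problems.append("authURL does not match authorization_endpoint")
    if query.get("client_id") != [oidc["clientID"]]:
        problems.append("client_id in authURL differs from clientID")
    if query.get("response_type") != ["code"]:
        problems.append("authURL must request response_type=code")
    # Must line up with the Valid Redirect URIs entry on the Keycloak client.
    if urlsplit(oidc["loginRedirectURL"]).path != REDIRECT_PATH:
        problems.append("loginRedirectURL path is not " + REDIRECT_PATH)
    # The discovery URL should live under the issuer it describes.
    if not oidc["discoveryURL"].startswith(discovery["issuer"].rstrip("/") + "/"):
        problems.append("discoveryURL is not under the issuer")
    # Authorization codes and the client secret travel over these URLs.
    for key in ("authURL", "loginRedirectURL", "discoveryURL"):
        if urlsplit(oidc[key]).scheme != "https":
            problems.append(key + " is not HTTPS")
    return problems

# Constructed sample data (hostnames, realm and client ID are made up).
REALM = "https://keycloak.example.com/realms/kubecost"
DISCOVERY = {
    "issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
}
VALUES = {
    "clientID": "kubecost",
    "authURL": REALM + "/protocol/openid-connect/auth?client_id=kubecost&response_type=code",
    "loginRedirectURL": "https://kubecost.example.com/model/oidc/authorize",
    "discoveryURL": REALM + "/.well-known/openid-configuration",
}

if __name__ == "__main__":
    for problem in check_oidc_values(VALUES, DISCOVERY) or ["values are consistent"]:
        print(problem)
```

In practice, load `discovery` from the JSON served at your `discoveryURL` and `oidc` from your Helm values file before running the check.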