{"id":36975241,"url":"https://github.com/kommodity-io/oidc-discovery-proxy","last_synced_at":"2026-01-13T22:03:54.040Z","repository":{"id":328937892,"uuid":"1116754061","full_name":"kommodity-io/oidc-discovery-proxy","owner":"kommodity-io","description":"Enables Proxy for OpenID discovery of a Kubernetes cluster.","archived":false,"fork":false,"pushed_at":"2025-12-16T13:12:35.000Z","size":33,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-13T19:42:43.681Z","etag":null,"topics":["kubernetes","kubernetes-setup","network","oidc","proxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kommodity-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-15T10:32:28.000Z","updated_at":"2026-01-05T13:42:28.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kommodity-io/oidc-discovery-proxy","commit_stats":null,"previous_names":["kommodity-io/oidc-discovery-proxy"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/kommodity-io/oidc-discovery-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kommodity-io%2Foidc-discovery-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kommodity-io%2Foidc-discovery-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kommodity-io%2Foidc-discovery-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kommodity-io%2Foidc-discovery-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kommodity-io","download_url":"https://codeload.github.com/kommodity-io/oidc-discovery-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kommodity-io%2Foidc-discovery-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28403750,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T21:51:37.118Z","status":"ssl_error","status_checked_at":"2026-01-13T21:45:14.585Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","kubernetes-setup","network","oidc","proxy"],"created_at":"2026-01-13T22:03:53.307Z","updated_at":"2026-01-13T22:03:54.028Z","avatar_url":"https://github.com/kommodity-io.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OIDC Discovery Proxy\n\nA lightweight proxy server that enables external access to a Kubernetes cluster's OpenID Connect (OIDC) discovery endpoints. This allows workload identity federation and external service authentication with Kubernetes service accounts.\n\n## Overview\n\nThe OIDC Discovery Proxy exposes two critical OIDC endpoints from your Kubernetes cluster:\n- `/.well-known/openid-configuration` - OpenID Connect discovery document\n- `/openid/v1/jwks` - JSON Web Key Set (JWKS) for token verification\n\nThis enables external systems (such as cloud providers, CI/CD platforms, or other services) to validate Kubernetes service account tokens issued by your cluster.\n\n## Features\n\n- **Lightweight**: Minimal resource footprint with efficient Go implementation\n- **Secure**: Direct proxy to Kubernetes API server endpoints\n- **Flexible Deployment**: Support for both Gateway API and traditional Ingress\n- **Cloud Native**: Packaged as a container and distributed via Helm chart\n- **Multi-Architecture**: Supports `linux/amd64` and `linux/arm64`\n\n## Use Cases\n\n### Workload Identity Federation\n\nConfigure your cloud provider (AWS, GCP, Azure) to trust your cluster's OIDC issuer:\n\n1. Deploy OIDC Discovery Proxy with a public endpoint\n2. Configure your cloud IAM to trust the issuer URL\n3. Service accounts can now authenticate to cloud services\n\n### Cross-Cluster Authentication\n\nEnable service-to-service authentication across multiple clusters.\n\n## Architecture\n\n```\n┌─────────────┐         ┌──────────────────┐         ┌─────────────────┐\n│   Client    │────────\u003e│  OIDC Discovery  │────────\u003e│  Kubernetes API │\n│             │         │      Proxy       │         │     Server      │\n└─────────────┘         └──────────────────┘         └─────────────────┘\n                              │\n                              │ Proxies:\n                              │ - /.well-known/openid-configuration\n                              │ - /openid/v1/jwks\n```\n\nThe proxy runs as a lightweight Go application that forwards requests to the Kubernetes API server's OIDC endpoints.\n\n## Security Considerations\n\n- The proxy uses in-cluster authentication to access the Kubernetes API\n- No sensitive data is stored or cached\n- Requests are directly proxied to the API server\n- TLS termination should be handled by your Ingress/Gateway\n- Consider rate limiting at the Ingress/Gateway level\n\n## Installation\n\n### Using Helm\n\nAdd the Helm repository:\n\n```bash\nhelm repo add kommodity https://ghcr.io/kommodity-io/charts\nhelm repo update\n```\n\nInstall the chart:\n\n```bash\nhelm install oidc-discovery-proxy kommodity/oidc-discovery-proxy \\\n  --namespace oidc-discovery-proxy \\\n  --create-namespace \\\n  --set host.domain=example.com\n```\n\n### Using Gateway API\n\n```bash\nhelm install oidc-discovery-proxy kommodity/oidc-discovery-proxy \\\n  --namespace oidc-discovery-proxy \\\n  --create-namespace \\\n  --set gateway.enabled=true \\\n  --set gateway.name=envoy-gateway \\\n  --set gateway.namespace=default \\\n  --set host.domain=example.com \\\n  --set host.prefixes={cluster1,cluster2}\n```\n\nThis will expose the endpoints at:\n- `https://cluster1.example.com/.well-known/openid-configuration`\n- `https://cluster1.example.com/openid/v1/jwks`\n- `https://cluster2.example.com/.well-known/openid-configuration`\n- `https://cluster2.example.com/openid/v1/jwks`\n\n### Using Ingress\n\n```bash\nhelm install oidc-discovery-proxy kommodity/oidc-discovery-proxy \\\n  --namespace oidc-discovery-proxy \\\n  --create-namespace \\\n  --set gateway.enabled=false \\\n  --set ingress.className=nginx \\\n  --set host.domain=example.com \\\n  --set host.exact={oidc.example.com}\n```\n\n## Configuration\n\n### Chart Values\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `gateway.enabled` | Use Gateway API instead of Ingress | `true` |\n| `gateway.name` | Name of the Gateway resource | `envoy-gateway` |\n| `gateway.namespace` | Namespace of the Gateway resource | `default` |\n| `ingress.className` | Ingress class name | `\"\"` |\n| `host.domain` | Base domain for the proxy | `REPLACE_ME.com` |\n| `host.prefixes` | List of subdomain prefixes | `None` |\n| `host.exact` | List of exact hostnames | `None` |\n| `image.repository` | Container image repository | `ghcr.io/kommodity-io/oidc-discovery-proxy` |\n| `image.tag` | Container image tag | `v0.1.0` |\n| `image.pullPolicy` | Image pull policy | `IfNotPresent` |\n| `replicas` | Number of replicas | `2` |\n| `resources.requests.cpu` | CPU request | `50m` |\n| `resources.requests.memory` | Memory request | `32Mi` |\n| `resources.limits.cpu` | CPU limit | `200m` |\n| `resources.limits.memory` | Memory limit | `64Mi` |\n\n### Example: Custom Configuration\n\n```yaml\ngateway:\n  enabled: false\n\ningress:\n  className: nginx\n  annotations:\n    cert-manager.io/cluster-issuer: letsencrypt-prod\n\nhost:\n  domain: k8s.example.com\n  exact:\n    - prod-cluster.example.com\n    - staging-cluster.example.com\n\nresources:\n  requests:\n    cpu: 100m\n    memory: 64Mi\n  limits:\n    cpu: 500m\n    memory: 128Mi\n\nreplicas: 3\n```\n\n## Development\n\n### Building from Source\n\nRequirements:\n- Go 1.25+\n- Make\n- Docker (for container builds)\n- UPX (optional, for binary compression)\n\nBuild the binary:\n\n```bash\nmake build\n```\n\nRun locally:\n\n```bash\nmake run\n```\n\nBuild container image:\n\n```bash\nmake build-image\n```\n\n### Linting\n\n```bash\nmake lint\n```\n\nFix linting issues:\n\n```bash\nmake lint-fix\n```\n\n## License\n\nThis project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.\n\n## Links\n\n- **Container Images**: [ghcr.io/kommodity-io/oidc-discovery-proxy](https://github.com/kommodity-io/oidc-discovery-proxy/pkgs/container/oidc-discovery-proxy)\n- **Helm Charts**: [ghcr.io/kommodity-io/charts](https://github.com/orgs/kommodity-io/packages)\n- **Issues**: [GitHub Issues](https://github.com/kommodity-io/oidc-discovery-proxy/issues)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkommodity-io%2Foidc-discovery-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkommodity-io%2Foidc-discovery-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkommodity-io%2Foidc-discovery-proxy/lists"}